For example, if the domain policy sets passwords to expire in 90 days, it's still possible to set user passwords to not expire. Is there a way to enforce the domain policy and not allow individual user settings?
If you're the domain administrator, yes, both of these are very possible to do. I don't feel this is the case, but here's how one would do it:
Open Active Directory Users and Computers and locate the user you want to set to not expire their password. Double-click their account name, select the account tab and set "Password never expires" or something similar to that. (I don't have it opened here).
If you want a user to not receive GPO's, you can set a different Organizational Unit (OU) to hold those users with different policies. You cannot set different password policies such as length, password aging, and reversible encryption, etc to these GPO's, as those are domain wide. However, you can also set a specific GPO to apply computer only settings and/or user only settings. AD doesn't allow you to add GPO's to the default containers of Users and Computers, so if you want the domain policy itself to apply to the users/computers and nothing else, leave those accounts there and create another OU/GPO for others.
Finally, from Microsoft: "If you run any version of Windows® domain today (Windows NT®, Windows 2000 Active Directory®, or Windows Server® 2003 Active Directory), you are limited to a single password policy per domain." See link, which has much more information about this and how to effectively use password policies.
WG
I am prety sure there is a GPO for this as well, but not sure which one...
yes you can apply the GPO on the entire domain, site or OU that you want the password not to expire.
well I am not sure if you have such an option in GPO.. but Its worth a try under Securtiy settings>> account settings.
best of luck with that.. if not able to find.. i m sure you know the manual way to change it for the all user a/c
No comments:
Post a Comment