Tuesday, December 14, 2010

Group policy for password changing

Here is some nasty info to keep in mind when adding a password policy to an Active Directory domain (ADS):

  • Password policy can only be set at the domain level.

If you want to have different password policies, you have to:
  • create a subdomain
  • upgrade to Server 2008, where you can use Fine-Grained Password Policy, which gives you the option of using different password policies
  • look for a 3rd party tool
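
The Server 2008 option above in practice, as an added PowerShell example that is not part of the original post: it creates a Fine-Grained Password Policy (a Password Settings Object), applies it to one global security group, and then checks which policy actually wins for a given user. It assumes the ActiveDirectory module is available (a domain controller or RSAT) and that the domain functional level is at least Windows Server 2008, which Fine-Grained Password Policy requires. The PSO name, the group "Privileged-Admins" and the user "jdoe" are placeholders, not values from the post.

```powershell
# Added example (not from the original post): create a Fine-Grained Password Policy
# (Password Settings Object) on Windows Server 2008 or newer, apply it to one group,
# and verify which policy is in effect for a user.
# Assumptions: ActiveDirectory module present, domain functional level >= Windows
# Server 2008; the PSO name, group name and user name below are placeholders.
Import-Module ActiveDirectory

$psoName = 'PSO-Admins-Strict'   # placeholder PSO name
$group   = 'Privileged-Admins'   # placeholder global security group
$user    = 'jdoe'                # placeholder user to check

# 1. Show the domain-wide default policy (the only policy available before Server 2008).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold

# 2. Create a stricter PSO if it does not exist yet.
#    When several PSOs apply to one user, the one with the LOWEST Precedence wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# 3. Apply the PSO to the group. PSOs can be linked only to users and global security
#    groups, not to OUs; every member of the group inherits it.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# 4. Verify the resultant policy for a user. If nothing is returned, no PSO applies to
#    that user and the domain default policy from step 1 is the one in effect.
Get-ADUserResultantPasswordPolicy -Identity $user |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

Step 4 is the check worth keeping around: the PSO only takes effect for direct members of the linked group (or users linked directly), so a user you expected to be covered but who is not will silently fall back to the domain default.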

What might be the technical reason for this?

The whole login/authorization of Windows (before Windows 2008/Vista) is based on NTLM, which basically means you are logging on to an NT-style domain.
So all users in that domain have the same (NT-style) password restrictions.

If all your systems are Windows 2008 or newer, then Kerberos is used for authentication/logon, and here apparently password policies are applied the way normal users would expect.