Home page logo

basics logo Security Basics mailing list archives

Re: Changing the domain password policy
From: Raoul Armfield <armfield () amnh org>
Date: Tue, 06 Feb 2007 09:47:19 -0500

Mike Devlin wrote:
yes, you are right that if you change the password complexity requirements/minimum length, all the accounts that don't meet the new requirements are fine until their password expires or is forced to rotate. I suppose that if you wanted to be extra safe, you could make a policy just for the service accounts, and have a different set of password requirements for these accounts, and have the default domain policy have the stronger password complexity settings.

The thing is though that you can only have one password policy in a given domain. So any thing that deviates form the norm needs to be done as an administrative policy but can not be enforced by the DCs unless you create a child domain specifically for the accounts that need the higher complexity.


Raoul Armfield
rarmfield at amnh dot org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]