
Service Accounts

Hello!

Currently looking to apply a password policy in a domain environment (password history, minimum characters, etc.) (Server 2003).

I'd like to apply password security to all DeltaV users but have the service accounts set to never expire.

I noticed in the AD there are separate OUs for DeltaV users, DeltaVWorkstations, DeltaV Locked down Workstations, Domain Controllers. Would setting the default domain policy from the root be sufficient to apply password security to DeltaV user accounts, or would it also need to be done at the OU level?

Any advice greatly appreciated.

3 Replies

  • I would recommend adding your own site-specific policy, then applying it with the correct security/WMI filtering and order to get exactly what you need. I would not alter the default domain policy (though I have in the past...) or the Emerson out-of-the-box policies.

    The reason is that upgrades potentially alter both the default and Emerson policies.  If you have your own policy created, the upgrade procedure should not affect it, and you can easily export and differentiate the scope of the policy. 

    I believe that configuration of a user's 'never expire' setting overrides the expiration of password policy (that is, unless you are enforcing a policy to prevent administrators from being able to check that box for users).

  • In reply to Youssef.El-Bahtimy:

    Thanks for the info Youssef. I've implemented a site specific policy which is working well.
  • In reply to Mambo:

    I was wondering how the policy is going? We are planning on doing the same thing at our site.

    Currently we have four sites with four domains set up differently, and in one of the default domain policies someone set up the following:

    Policy Description                             Default Policy Parameter
    Enforce Password history                       0
    Maximum password age                           0
    Minimum password age                           0
    Minimum password length                        6
    Password must meet complexity requirement      Disable
    Store passwords using reversible encryptions   Disable

    I would like to change them to the following:

    Policy Description                             New Domain
    Enforce Password history                       10
    Maximum password age                           365
    Minimum password age                           1
    Minimum password length                        8
    Password must meet complexity requirement      Enable
    Store passwords using reversible encryptions   Disable

    From my understanding, it's not recommended to modify the Default Domain policy, and from my understanding the last policy wins (which means not a zero), which I found out on a different website, as listed below:

    First Local policy
    Second Site Based Policy and will overwrite local if any settings conflict
    Third Domain Policy and will overwrite both the above policies if conflict is there
    Last OU Policy and will overwrite all above if any conflict is there.

    So my question: can you remove that section of the Default Domain policy and then modify it down to a site?
    Or modify the default domain and fix it on the next upgrade?
    Create an OU and assign users groups to a new policy which would affect certain users?

    We already figure that some sites will need the user passwords changed before the activation of the Maximum Password Age policy, because most of the passwords are already older than the policy, because Windows uses the last time it was modified.

    If you have any ideas, all ideas are welcome.
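
An added example, not part of the thread: one way to see in advance which accounts a new maximum password age would expire on activation, and which are exempt through the "Password never expires" flag. It assumes an export (for instance from csvde) with the sAMAccountName, pwdLastSet and userAccountControl attributes; the account names and values in the sample are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit behind "Password never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample in the shape of a csvde export; names and values are made up.
SAMPLE_EXPORT = """DN,sAMAccountName,pwdLastSet,userAccountControl
"CN=Operator One,OU=Users,DC=example,DC=local",operator1,129067776000000000,512
"CN=Engineer One,OU=Users,DC=example,DC=local",engineer1,129750336000000000,512
"CN=Svc Historian,OU=Users,DC=example,DC=local",svc_historian,129067776000000000,66048
"CN=New User,OU=Users,DC=example,DC=local",newuser,0,512
"""


def filetime_to_datetime(value):
    """pwdLastSet counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def classify(export_text, max_age_days, now):
    """Group accounts by what a new maximum password age would do to them."""
    groups = {"expires_on_activation": [], "never_expires": [],
              "must_change_at_logon": [], "within_policy": []}
    limit = timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["sAMAccountName"]
        uac = int(row["userAccountControl"])
        if uac & DONT_EXPIRE_PASSWORD:
            groups["never_expires"].append(name)  # flag exempts the account from expiry
        elif int(row["pwdLastSet"]) == 0:
            groups["must_change_at_logon"].append(name)  # 0 = change at next logon
        else:
            age = now - filetime_to_datetime(row["pwdLastSet"])
            key = "expires_on_activation" if age > limit else "within_policy"
            groups[key].append(name)
    return groups


if __name__ == "__main__":
    report = classify(SAMPLE_EXPORT, 365, datetime(2012, 6, 1, tzinfo=timezone.utc))
    for group, names in report.items():
        print(f"{group}: {', '.join(names) or '-'}")
```

The `never_expires` group doubles as a review list: every account in it should be a known service account.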