Thread: Creating Password Policy

  1. #1
    PreviousPoster
    Join Date
    Dec 1969
    Posts
    1,254

    I'm new to GPMC and any sort of computer management. Our AD is set up such that the "Users" contains just groups. The actual users are set up as an OU with the name "UsersP." In setting up a password policy, do I set it up under UserP in GPMC since it's an OU? I would like to set up OUs that reflect the different departments within our organization. Any insight will be appreciated.

    Gogo

  2. #2
    JerryC
    Join Date
    Dec 1969
    Posts
    231

    For Windows 2003 and lower, you are allowed only one set of "domain user account" password policies. These must be configured in a GPO at the root of your domain...and typically in the Default Domain Policy itself.

    Notes:

    (1) The more recent versions of Windows AD (Windows Server 2003) allow account policy settings to be set in the highest priority GPO at the root of the domain, not just the DDP policy.

    (2) The visibility in the GPO Editor of the Account policies is there for a reason. If you choose to create different policies for your "Local User Accounts" on your "Local Devices", then a GPO with configured Account Policy settings can be linked at lower OU levels and will apply those different settings (again...only for local device user accounts).

    =============================

    Setting Up AD

    There is no one best way to architect your AD, but here are some handy tips.

    (1) You cannot link GPOs to 'containers' like the 'Users' container or the 'Computers' container, both off the root of the domain. So do not place them there or even allow them to be placed there. Plan on creating the accounts in other locations from the get-go and you'll save yourself a lot of admin re-work trying to figure out where a certain PC or User account belongs. Better yet, build processes that tie your final user account structure to your HR department databases and automate when/where accounts move.

    (2) Put all your DCs in the Domain Controllers OU and leave them there.

    (3) Design your AD structure based upon how you expect to 'support' your Customers' accounts, Customer devices, and Server roles. Users do not care "where" their account is; the people who support them do. Why? Because you grant or limit the support folks' authority to manage accounts or devices using the AD structure.

    (4) Don't just create a customer OU and place all their resources in that OU (or sub-OUs). When it comes time to apply some GPO setting to just servers, having the servers all isolated from customer client devices can be a huge timesaver.

    (5) Consider keeping all the user accounts in a separate AD structure. That allows for more security isolation and control of user accounts (and make sure to place all Service Accounts within that structure as well--though isolated from normal user accounts).

    (6) Consider placing all security groups within the noted Accounts OU structure as well. Managing the assignment of rights to manage security groups is as important as isolating the user accounts themselves.

    (7) Once you decide on your final design, then set up processes to support that design. Example: Let's say the customer is setting up a new organization. You create the new User, Server, and Workstation OUs to match. You pre-link all appropriate GPOs to the appropriate OUs. Then you start moving accounts into the structure. Done!

    Example AD design for multiple supported customers that allows for easy deployment of global or specific GPO settings (this is a starting point only):
    [code]Domain root
        Accounts OU
            Customer1/Dept 1 OU
                User accounts OU
                Security Groups OU
                Service Accounts OU
            Customer2/Dept 2 OU
                User accounts OU
                Security Groups OU
                Service Accounts OU
            Executive Mgmt Accounts (the bosses)
            Secondary Priv User Accounts
            Secondary Priv Service Accounts
            Security Groups to Manage the Accounts OU
        Builtin (just leave defaults here...don't add any yourself)
        Computers (empty)
        Domain Controllers
        Servers
            Customer1/Dept 1 OU
                App Servers
                File Servers
                Server Mgmt Security Groups OU (for Customer1/Dept 1 OU only)
                Print Servers OU
                WTS Servers OU
                . . . (other server types as well)
            Customer2/Dept 2 OU
                App Servers
                File Servers
                Server Mgmt Security Groups OU (for Customer2/Dept 2 OU only)
                Print Servers OU
                WTS Servers OU
                . . . (other server types as well)
        Users (just leave defaults here...don't add any yourself)
        Workstations
            Customer1/Dept 1 OU
                Generic workstations OU
                Development/Test Wrkstns OU
                Special Wrkstns OU (maybe just laptops or early deployment OS like Vista)
                Wrkstn Mgmt Security Groups OU (for Customer1/Dept 1 OU only)
            Customer2/Dept 2 OU
                Generic workstations OU
                Development/Test Wrkstns OU
                Special Wrkstns OU (maybe just laptops or early deployment OS like Vista)
                Wrkstn Mgmt Security Groups OU (for Customer2/Dept 2 OU only)
            Executive Mgmt Devices OU (the bosses)
                Generic workstations OU
                Development/Test Wrkstns OU
                Special Wrkstns OU (maybe just laptops or early deployment OS like Vista)
                Wrkstn Mgmt Security Groups OU (for Executive Mgmt OU only)[/code]
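The two points JerryC makes, that the domain account password policy comes from whichever GPO wins at the domain root and that the OU tree should be designed around who supports what, can both be checked and scaffolded from PowerShell. The script below is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the caller can read GPOs and create OUs, that the secedit setting names (MinimumPasswordLength and so on) appear verbatim in the XML GPO report, and uses constructed customer names in place of the "Customer1/Dept 1" placeholders. The per-customer OU names are simplified from JerryC's tree so they contain no characters that need LDAP escaping.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory/GroupPolicy
# modules, rights to read GPOs and create OUs, and the constructed customer
# names below. Run with -WhatIf first to see what would be created.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Customers = @('Customer1', 'Customer2')   # constructed sample names
)

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# --- 1. Effective domain password policy: whatever wins at the domain root ---
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  ComplexityEnabled, LockoutThreshold

# --- 2. Which GPOs linked at the root carry Account Policy settings? ---
# Links come back in precedence order (Order 1 = highest priority), so the
# first enabled link that carries account-policy settings is the one that
# wins for domain accounts. The regex uses the secedit setting names, which
# this example assumes appear verbatim in the XML report.
$rootLinks = (Get-GPInheritance -Target $domainDN).GpoLinks
foreach ($link in $rootLinks) {
    $reportXml = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    [pscustomobject]@{
        Order             = $link.Order
        Gpo               = $link.DisplayName
        Enabled           = $link.Enabled
        Enforced          = $link.Enforced
        CarriesAcctPolicy = ($reportXml -match 'MinimumPasswordLength|PasswordHistorySize|MaximumPasswordAge|LockoutBadCount')
    }
}

# --- 3. Scaffold the OU skeleton (idempotent; honours -WhatIf) ---
function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    $existing = $null
    try {
        # Names used here contain no LDAP-filter metacharacters, so no escaping.
        $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDN `
                                             -SearchScope OneLevel -ErrorAction Stop
    } catch { }   # parent does not exist yet under -WhatIf; treat as missing
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

# Per-customer leaves under each top-level OU, after JerryC's design.
$perCustomer = [ordered]@{
    Accounts     = @('User Accounts', 'Security Groups', 'Service Accounts')
    Servers      = @('App Servers', 'File Servers', 'Print Servers', 'WTS Servers',
                     'Server Mgmt Security Groups')
    Workstations = @('Generic Workstations', 'Development Test Workstations',
                     'Special Workstations', 'Wrkstn Mgmt Security Groups')
}
# Account OUs that sit beside the per-customer ones, not inside them.
$accountExtras = @('Executive Mgmt Accounts', 'Secondary Priv User Accounts',
                   'Secondary Priv Service Accounts', 'Security Groups to Manage the Accounts OU')

foreach ($top in $perCustomer.Keys) {
    $topDN = New-OUIfMissing -Name $top -ParentDN $domainDN
    foreach ($customer in $Customers) {
        $customerDN = New-OUIfMissing -Name $customer -ParentDN $topDN
        foreach ($leaf in $perCustomer[$top]) {
            $null = New-OUIfMissing -Name $leaf -ParentDN $customerDN
        }
    }
}
foreach ($extra in $accountExtras) {
    $null = New-OUIfMissing -Name $extra -ParentDN "OU=Accounts,$domainDN"
}
```

Save it under any name (say `Build-OUSkeleton.ps1`, a hypothetical filename) and run it with `-WhatIf` first; section 3 then only reports the OUs it would create. Section 2 is the check behind JerryC's note (1): if more than one root-linked GPO carries account-policy settings, the lowest `Order` value among the enabled links is the one domain accounts actually get, and the same settings linked at a lower OU only affect local accounts on the machines in that OU.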
