| Author | Messages | |
scottbean
Posts:6
 | | 02/17/2009 9:41 AM |
| Scenario:
Active Directory running in Windows 2003 Native Mode. Client machines are a combo of Mac and Windows. For sake of simplicity I have two user groups - Teachers and Students.
What I need to accomplish is for the teachers (on Mac and Windows) to have a strict password policy. But not the students (students also need the ability to change their passwords).
Again for simplicity's sake, I have two OUs. One for students with users and computers under it. And one for teachers with users and computers under it. I have applied a password policy under the teacher OU and it works for Windows. I am assuming it will not work for Mac since it is a computer policy. Also if a teacher logs onto a student machine they won't get that policy. Is there a way to make this scenario work? I.e., teachers on any machine (Windows or Mac) having the password policy I created?
Thanks, Scott
| | | |
| shanewilliford
Posts:46
 | | 02/17/2009 9:45 AM |
| There is no way to implement policies for Mac w/out a 3rd party solution, unless GPP has something I'm not aware of as I don't use that (yet... Darren & others can clarify?). A solution we just implemented (still in the building stage actually) is Centrify's DirectControl solution, which implements AD policies on Mac computers.
Regards.
Shane M. Williford, Systems Administrator, MCSE, MCSA Sec, Sec+, Net+, A+, Mazuma Credit Union, 9300 Troost, Kansas City, MO 64131, 816-361-4194 x6012
| | | |
| scottbean
Posts:6
 | | 02/17/2009 10:00 AM |
| The policy settings are computer based, correct? So in my setup this should be put at the domain level and not the OU? So, the way it is set up now, even though it kind of works, is wrong? What I mean is that if a teacher logs into a teacher machine under the teacher OU, they get the password policy that is on that OU. If a student logs onto a student machine under the student OU they do not get that policy.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Tuesday, February 17, 2009 9:44 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Password Policy
Scott- There can only be one password policy for AD user accounts within a given AD domain. Any password policy that you are applying to computers in OUs is only going to affect local accounts defined on those workstations or member servers. You would need either a 3rd party product like SpecOps Password Policy or Server 2008 with its fine-grained password policies feature to get that kind of granular password policy control.
Darren
| | | |
| Darren
Posts:103
 | | 02/17/2009 10:15 AM |
| Actually, when you implement most of the Mac AD solutions out there, the user accounts become subject to the native domain policy, so there is no difference, as far as I'm aware of, in that behavior when logging into a Mac. In terms of delivering other Group Policies to the Mac, both Centrify and Vintela/Quest have this support. I'm partial to the Quest technology but I suspect both will do the job.
Darren
| | | |
| scottbean
Posts:6
 | | 02/17/2009 10:17 AM |
| Re-read what you said Darren. So basically the way I have it set up now will only affect the machines (Windows) under the OU that I have this policy applied to. And if the user happens to be on a Windows machine under that OU when the password change is up then I will get the policy. Otherwise if they are on any other machine then they won't. If I set it at the domain level it will affect all my users, is this because it will also affect my domain controllers, since it is a computer policy? Am I understanding this correctly?
| | | |
| Darren
Posts:103
 | | 02/17/2009 10:27 AM |
| I think it ends up depending upon what technology you're using to integrate your Macs into AD but yes, that should be the case - the domain-based password policy should only affect the AD user accounts of the folks logging into the Macs.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Bean, Scott Sent: Tuesday, February 17, 2009 7:15 AM To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] Password Policy
Forgot to mention that none of this will affect my Mac users, right? Just the initial user creation or password change via AD? Assuming I put it at the domain level.
| | | |
| scottbean
Posts:6
 | | 02/17/2009 11:03 AM |
| One last question. If I were to go to 2008 and I set password policies at the domain level (one for students and one for teachers) would this have any effect on my Mac users? I assume they would since they have to authenticate against the DCs or am I totally off base?
Thanks for all the quick responses.
| | | |
|
|
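
Added example (not part of the original thread): a PowerShell sketch of the Server 2008 fine-grained password policy route mentioned in the thread, giving teachers a stricter policy while students stay on the domain default. It assumes the ActiveDirectory module (Server 2008 R2 or RSAT), a domain functional level of Windows Server 2008 or higher, and a global security group named `Teachers`; the PSO name, the policy values and the sample account names are hypothetical.

```powershell
# Assumptions: ActiveDirectory module available, domain functional level >= 2008,
# a global security group 'Teachers' exists. All values below are illustrative.
Import-Module ActiveDirectory

# Baseline: the single domain-wide policy every AD account gets by default.
# Password settings in GPOs linked to OUs only reach local accounts on the
# computers in those OUs, which is why the OU-level attempt had no effect
# on domain accounts.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold

# Stricter Password Settings Object (PSO) for teachers.
# Lower Precedence wins if several PSOs apply to the same user.
$teacherPso = @{
    Name                            = 'PSO-Teachers'   # hypothetical name
    Precedence                      = 10
    MinPasswordLength               = 12
    ComplexityEnabled               = $true
    PasswordHistoryCount            = 24
    MinPasswordAge                  = '1.00:00:00'     # 1 day
    MaxPasswordAge                  = '90.00:00:00'    # 90 days
    LockoutThreshold                = 5
    LockoutObservationWindow        = '00:30:00'
    LockoutDuration                 = '00:30:00'
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @teacherPso

# PSOs attach to users or global security groups, not to OUs, so the
# teacher accounts must be members of the group (being in the OU is not enough).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Teachers' -Subjects 'Teachers'

# Verify per account. The cmdlet returns nothing when no PSO applies, which
# means the account falls back to the default domain policy.
foreach ($sam in 'teacher1', 'student1') {          # hypothetical accounts
    $pso = Get-ADUserResultantPasswordPolicy -Identity $sam
    if ($pso) {
        '{0}: {1} (min length {2}, precedence {3})' -f `
            $sam, $pso.Name, $pso.MinPasswordLength, $pso.Precedence
    } else {
        '{0}: default domain password policy' -f $sam
    }
}
```

Because the domain controller evaluates the resultant policy when the password is set, the result follows the account rather than the workstation the user happens to be logged on to.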