frevere | Posts: 18 | 03/23/2010 2:43 PM
I have a question about the default domain policy and Active Directory's default containers. Our organization set the password policies in the default domain policy. We do not want this policy to apply to the default Users container, where many of our service accounts are. We have a manual policy for changing these. Does the default domain policy apply to the Users container?
mkline | Posts: 10 | 03/23/2010 3:08 PM
Yes, the password policy from the default domain policy will apply to the users within the default Users container. You just can't link a GPO to the container, but domain GPOs do flow down.
Not sure what version you are on, but if your domain is at the 2008 functional level you can use fine-grained password policies to apply different policies to users and/or groups.
If you are at 2003 then there are third-party tools that can help with different password policies (Specops is a well-known product that does this).
Thanks
Mike
JamieNelson | Posts: 166 | 03/23/2010 3:13 PM
In Windows 2003 and earlier domains, you can only have one password policy for the entire domain, and that is usually set in your default domain policy or equivalent. Unless you utilize third-party tools there is no way around this.
However, Windows 2008 domains introduced Fine-Grained Password Policies, which let you have multiple password configurations. You can read about it here <http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx> or just do a Google search on it and you should find tons of information.
Regards,
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
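The fine-grained password policy route that mkline and Jamie point to, as an added PowerShell example that is not part of the original thread: it creates a password settings object (PSO) for a global security group of service accounts, binds it, and then checks what a member of that group actually gets. The group name svc-accounts, the PSO name PSO-ServiceAccounts, the account svc-backup and the chosen settings are all assumptions, as is the reading that the cmdlet encodes "never expires" as a zero MaxPasswordAge. It needs the RSAT ActiveDirectory module, rights on CN=Password Settings Container, and a domain at the Windows Server 2008 functional level or higher.

```powershell
# Added example, not from the original thread. Give the service accounts their own
# password settings object (PSO) instead of trying to exempt CN=Users from the
# Default Domain Policy. Assumes: domain functional level >= Windows Server 2008,
# the RSAT ActiveDirectory module, and rights on CN=Password Settings Container.
# The names 'svc-accounts', 'PSO-ServiceAccounts' and 'svc-backup' are illustrative.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$minMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $minMode) {
    throw "Fine-grained password policies need the Windows Server 2008 domain functional level; this domain is $($domain.DomainMode)."
}

$groupName  = 'svc-accounts'          # global security group that will carry the PSO
$psoName    = 'PSO-ServiceAccounts'
$precedence = 10                      # lower number wins when a user matches several PSOs

# PSOs can only be applied to users or global security groups, so collect the
# service accounts in a dedicated global group.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                         -Description "Service accounts governed by $psoName" -PassThru
}

# Every setting is given explicitly so nothing is left to cmdlet defaults.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
if (-not $pso) {
    $psoSettings = @{
        Name                        = $psoName
        Precedence                  = $precedence
        MinPasswordLength           = 25          # long random secrets are the real control for accounts that never expire
        PasswordHistoryCount        = 24
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        MaxPasswordAge              = [TimeSpan]::Zero        # assumption: zero = never expires; rotation stays manual
        MinPasswordAge              = (New-TimeSpan -Days 1)
        LockoutThreshold            = 0           # a locked-out service account is an outage; rely on length instead
        LockoutDuration             = (New-TimeSpan -Minutes 30)
        LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    }
    $pso = New-ADFineGrainedPasswordPolicy @psoSettings -PassThru
}

# Bind the PSO to the group and put a service account in the group.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
Add-ADGroupMember -Identity $group -Members 'svc-backup'

# Verify what the DC will actually enforce for that account. An empty result means
# no PSO matched and the domain-wide (Default Domain Policy) settings still apply.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'svc-backup'
if ($effective -and $effective.Name -eq $psoName) {
    "svc-backup is governed by $($effective.Name): MinLength=$($effective.MinPasswordLength), History=$($effective.PasswordHistoryCount), MaxAge=$($effective.MaxPasswordAge)"
} else {
    "svc-backup still falls under the Default Domain Policy; check group membership and PSO precedence."
}
```

Precedence only matters when an account matches more than one PSO (the lower number wins), and a PSO bound to a group the account is not a member of silently does nothing, which is why the last step asks for the resultant policy instead of trusting the binding. If group membership has not replicated yet, run the check against the DC you changed with -Server.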
alps | Posts: 5 | 03/23/2010 3:16 PM
Hi Francis,
It will apply to the Users container. The default domain policy applies to everybody.
Thanks and Regards,
Alpesh S Kumar
frevere | Posts: 18 | 03/23/2010 3:31 PM
Thanks Kumar. I know that policies are applied LSDOU, and now knowing that the default domain policy filters down to all objects below, what you are saying is that any service account that has no password expiration will NOT be affected by the policy. Correct? Please forgive that I have to reiterate, but I want to make sure about this, as we have a service account (currently set with no password expiration) that is used to run services on several servers, that we manually change during our maintenance periods, and that we cannot have locked out or forced to change by the policy.
> From: Alpesh S Kumar, Tuesday, March 23, 2010 11:15 AM, RE: [gptalk] Container question
> Also, normally the service accounts should not have passwords set to expire. So if you go to your service account and check "Password never expires", that should take precedence. Ensure that you do this only for service accounts. If you set it at the user object level, then this setting takes precedence and the Default Domain Policy will not apply, specifically the password expiry policy.
> My few cents.
> Thanks and Regards,
> Alpesh S Kumar
jsclmedave | Posts: 67 | 03/23/2010 3:31 PM
Jamie, does that apply to "Service" accounts? When I see "service account" I am thinking of a local server account, not a network account...
Tim Bolton, 148 2nd Street North, Central City, Iowa 52214
Microsoft Certified IT Professional
Blog - http://timbolton.net/
frevere | Posts: 18 | 03/23/2010 3:39 PM
Tim, Kumar, Jamie, Darren,
Let me clarify, as I think I am confusing you, but you make a good point, Tim. When I say service account, I am referring to a user account in AD that is used to start and run specific services on the servers. These are still user accounts and thus, as has already been pointed out, are subject to the default domain policy even though they are in the Users container and not an OU. I just need to confirm that setting these accounts to "no password expiration" would stop the policy from being applied to these specific accounts.
Francis
JamieNelson | Posts: 166 | 03/23/2010 3:49 PM
Tim, when someone says "Service" account, they are generally referring to a user object that is dedicated to run a specific service or services, as Francis just clarified.
Francis, doing what you've mentioned below would obviously prevent the password from expiring, but that doesn't mean that password policy is circumvented by doing so. You would still be subject to any length, history, and complexity requirements specified in your default domain policy.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
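Jamie's point above (the flag removes expiry only; length, history and complexity still come from whichever policy governs the account) is easy to turn into a periodic check. The following audit is an added example, not part of the thread: it lists the enabled accounts in the default Users container that carry "Password never expires", the policy each one is really under, and the password age against an assumed manual rotation window of 90 days ($rotationDays). It assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not from the original thread. Audit every enabled account in the
# default Users container that carries "Password never expires": the flag only
# switches off the maximum-age check, so the script shows which policy still sets
# length, history and complexity for each account, and how old the password really
# is, since rotation of these accounts is manual.
# Assumes the RSAT ActiveDirectory module; $rotationDays is the site's manual rotation window.
Import-Module ActiveDirectory

$rotationDays = 90                                   # assumed manual rotation interval
$domain       = Get-ADDomain
$defaultPol   = Get-ADDefaultDomainPasswordPolicy    # what the domain enforces when no PSO matches

$accounts = Get-ADUser -SearchBase $domain.UsersContainer -SearchScope OneLevel `
    -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
    -Properties PasswordLastSet, ServicePrincipalName

$report = foreach ($acct in $accounts) {
    # Returns the winning PSO, or nothing if the Default Domain Policy governs the account.
    $pso        = Get-ADUserResultantPasswordPolicy -Identity $acct
    $policy     = if ($pso) { $pso } else { $defaultPol }
    $policyName = if ($pso) { $pso.Name } else { 'Default Domain Policy' }

    # $null age = password never set or "must change at next logon"; treat as overdue.
    $ageDays = $null
    if ($acct.PasswordLastSet) {
        $ageDays = [int][math]::Floor((New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).TotalDays)
    }

    # Accounts with an SPN can have a service ticket requested and cracked offline,
    # so a stale password there matters more than on a plain account.
    $hasSpn = ($acct.ServicePrincipalName.Count -gt 0)

    [pscustomobject]@{
        SamAccountName  = $acct.SamAccountName
        PasswordAgeDays = $ageDays
        Overdue         = ($null -eq $ageDays) -or ($ageDays -gt $rotationDays)
        HasSPN          = $hasSpn
        Policy          = $policyName
        MinLength       = $policy.MinPasswordLength
        History         = $policy.PasswordHistoryCount
        Complexity      = $policy.ComplexityEnabled
    }
}

$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Accounts that show Overdue and HasSPN together are the ones to rotate first; the Policy column makes it visible when an account everyone assumed was "exempt" is in fact still under the Default Domain Policy for everything except expiry.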
frevere | Posts: 18 | 03/23/2010 4:04 PM
Thanks Tim, Jamie, Kumar
That really sets my mind at ease. The password policy for the service accounts, even though they are managed manually, is much more restrictive than what we have just implemented for the users per the domain policy, so that will not be an issue.
Syspro | Posts: 0 | 03/23/2010 8:37 PM
Hi,
This may be a little bit pedantic, but it helps to explain the issue, and the answer becomes obvious.
The Password part of the default domain Policy does NOT apply to the default user container. And this is really obvious, because the password settings are set on the MACHINE side, not the USER side!
The Password policy applies to the MACHINE because the machine controls passwords, not users.
In the case of a Domain Account (including Domain Service Accounts), it is the Domain Controller processing the change request that decides what length/complexity etc. your password must be, and so it is the policy that applies to the Domain Controller that counts.
In the case of a Local Account (including Domain Service Accounts), the local Machine decides what length/complexity etc. your password must be, and so it is the policy that applies to the local Machine that counts.
In the case of password expiry, each User account can set the flag "Password does not expire". If this is set, the "expire in ?? days" set on the machine will be ignored. However, if you do change the password, length/complexity/history are enforced.
As an aside, on Windows 2000 (I have never checked later versions) you could actually get more than one password policy in effect on a domain, but not the way you might hope. You could create two policies with different password settings and then use security filtering so that one domain controller got one policy and the second domain controller got the second policy. If a domain user changed their password, depending which domain controller handled the change you could get different rules applied. Now I cannot think of any good reason why you would want to do this, if only because you can't control which domain controller will process your password change. However, it does reinforce the point that it is the policy applied to the Domain Controller doing the change that really counts.
Alan Cuthbertson
Policy Management Software (now with ADMX and Preference support):
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor (now with ADMX support):
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter, including Preference logging (free):
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
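Alan's model (the DC that processes the change enforces the rules, and the per-account flag only switches off expiry) can be checked directly. The script below is an added example, not part of the thread: it reads the password attributes stored on the domain naming context from every DC, so a DC with a stale view of the policy stands out, and decodes the per-account bit in userAccountControl. The account name svc-backup is an assumption; the script needs the RSAT ActiveDirectory module and LDAP access to each DC.

```powershell
# Added example, not from the original thread. For a domain account the rules are
# whatever the DC that processes the change reads from the domain naming context
# (the GPO linked at the domain root is only the source those attributes were
# written from). This reads the raw attributes from every DC so any DC that has
# not replicated the current policy stands out, and decodes the per-user
# DONT_EXPIRE_PASSWD bit that makes maxPwdAge irrelevant for that one account.
# Assumes the RSAT ActiveDirectory module; 'svc-backup' is an illustrative account.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$headAttrs = 'minPwdLength', 'pwdHistoryLength', 'pwdProperties', 'maxPwdAge', 'minPwdAge', 'lockoutThreshold'

function ConvertFrom-PwdAge {
    # maxPwdAge/minPwdAge are stored as negative counts of 100-ns intervals;
    # the most negative Int64 is the "never" sentinel.
    param([long]$Value)
    if ($Value -eq [long]::MinValue) { return 'never' }
    return [TimeSpan]::FromTicks(-$Value).ToString()
}

$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    $head = Get-ADObject -Identity $domainDN -Server $dc.HostName -Properties $headAttrs
    [pscustomobject]@{
        DC               = $dc.HostName
        MinLength        = $head.minPwdLength
        History          = $head.pwdHistoryLength
        Complexity       = [bool]($head.pwdProperties -band 1)   # DOMAIN_PASSWORD_COMPLEX
        MaxAge           = ConvertFrom-PwdAge $head.maxPwdAge
        MinAge           = ConvertFrom-PwdAge $head.minPwdAge
        LockoutThreshold = $head.lockoutThreshold
    }
}
$perDc | Format-Table -AutoSize

# Every DC should report the same values; a DC that differs will enforce different
# rules for whichever password changes it happens to process.
$signatures = $perDc |
    ForEach-Object { '{0}|{1}|{2}|{3}|{4}|{5}' -f $_.MinLength, $_.History, $_.Complexity, $_.MaxAge, $_.MinAge, $_.LockoutThreshold } |
    Sort-Object -Unique
if (@($signatures).Count -gt 1) { Write-Warning 'Domain controllers disagree on the password policy attributes.' }

# The per-account side: the "Password never expires" checkbox is bit 0x10000 of
# userAccountControl. It bypasses maxPwdAge only; the attributes above (or a PSO,
# if msDS-ResultantPSO is set) still apply the next time the password is changed.
$DONT_EXPIRE_PASSWD = 0x10000
$acct = Get-ADUser -Identity 'svc-backup' -Properties userAccountControl, 'msDS-ResultantPSO', pwdLastSet
$governing = if ($acct.'msDS-ResultantPSO') { $acct.'msDS-ResultantPSO' } else { "domain head: $domainDN" }
[pscustomobject]@{
    Account              = $acct.SamAccountName
    PasswordNeverExpires = [bool]($acct.userAccountControl -band $DONT_EXPIRE_PASSWD)
    GoverningPolicy      = $governing
    PasswordLastSet      = [DateTime]::FromFileTimeUtc($acct.pwdLastSet)
}
```

Reading the domain head rather than the GPO also settles the question of which GPO "won": the attributes reflect whatever the PDC emulator last wrote from the domain-linked policies, so if they do not match the Default Domain Policy, another domain-level GPO with higher precedence is setting the password rules.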
JamieNelson | Posts: 166 | 03/23/2010 8:44 PM
Great clarification Alan!
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Alan and Margaret Cuthbertson Sent: Tuesday, March 23, 2010 3:07 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Container question
Hi,
This may be a little bit pedantic, but it helps to explain the issue and the answer becomes obvious.
The Password part of the default domain Policy does NOT apply to the default user container. And this is really obvious, because the password settings are set on the MACHINE side, not the USER side!
The Password policy applies to MACHINE because the machine controls passwords, not users.
In the case of a Domain Account (including Domain Service Accounts) the Domain Controller processing the change request that decides what length/complexity etc your password must be and so it is the policy that applies to the Domain Controller that counts.
In the case of a Local Account (including Domain Service Accounts) the local Machine decides what length/complexity etc your password must be and so it is the policy that applies to the local Machine that counts.
In the case of password expiry, each User account can set the flag "Password does not expire". If this is set, the "expire in ?? days" set on the machine will be ignored. However, if you do change the password, length/complexity/history are enforced.
As an aside, on Windows 2000 ( I have never checked later versions) you could actually get more than one password policy in effect on a domain, but not the way you might hope. You could create two policies with different password settings and then use security filtering so that one domain controller got one policy and the second domain controller got the second policy. If a domain user changed their password, depending which domain controller handled the change you could get different rules applied. Now I cannot think of any good reason why you would want to do this, if only because you can't control which domain controller will process your password change. However, it does reinforce the point that it is the policy applied to the Domain Controller doing the change that really counts.
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter - including Preference logging(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
-----Original Message----- From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Francis Revere Sent: Wednesday, 24 March 2010 3:01 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Container question
Thanks Tim, Jamie, Kumar
That really sets my mind at ease. The password policy for the service accounts, even though they are managed manually, are much more restrictive than what we have just implemented for the users per the domain policy, so that will not be an issue.
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Nelson, Jamie
Sent: Tuesday, March 23, 2010 11:45 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Container question
Tim, when someone says "Service" account, they are generally referring to a user object that is dedicated to run a specific service or services, as Francis just clarified.
Francis, doing what you've mentioned below would obviously prevent the password from expiring, but that doesn't mean that password policy is circumvented by doing so. You would still be subject to any length, history, and complexity requirements specified in your default domain policy.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Francis Revere
Sent: Tuesday, March 23, 2010 10:39 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Container question
Tim, Kumar, Jamie, Darren,
Let me clarify, as I think I am confusing you, but you make a good point, Tim. When I say service account, I am referring to a user account in AD that is used to start and run specific services on the servers. These are still user accounts and thus, as has already been pointed out, are subject to the default domain policy even though they are in the Users container and not an OU. I just need to confirm that setting these accounts to "no password expiration" would stop the policy from being applied to these specific accounts.
Francis
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Tim Bolton
Sent: Tuesday, March 23, 2010 11:29 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Container question
Jamie, does that apply to "Service" accounts? When I see "Service account" I am thinking of a local server account, not a network account...
Tim Bolton
148 2nd Street North
Central City Iowa, 52214
Microsoft Certified IT Professional
Blog - Http://timbolton.net/
On Tue, Mar 23, 2010 at 10:10 AM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
> In Windows 2003 and earlier domains, you can only have one password
> policy for the entire domain and that is usually set in your default
> domain policy or equivalent. Unless you utilize third-party tools
> there is no way around this.
>
> However, Windows 2008 domains introduced Fine-Grained Password
> Policies which lets you have multiple password configurations. You can
> read about it here or just do a Google search on it and you should
> find tons of information.
>
> Regards,
>
> Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon
> Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 |
> http://www.dvn.com
>
> From: xxxxxxxxxxxxxxxx
> [mailto:xxxxxxxxxxxxxxxx]
> On Behalf Of Francis Revere
> Sent: Tuesday, March 23, 2010 9:42 AM
> To: xxxxxxxxxxxxxxxx
> Subject: [gptalk] Container question
>
> I have a question about default domain policy and Active Directory's
> default containers. Our organization set the password policies in the
> default domain policy. We do not want this policy to apply to the
> default Users container where many of our service accounts are. We
> have a manual policy for changing these. Does the default domain
> policy apply to the Users container?
>
> ________________________________
>
> Confidentiality Warning: This message and any attachments are intended
> only for the use of the intended recipient(s), are confidential, and
> may be privileged. If you are not the intended recipient, you are
> hereby notified that any review, retransmission, conversion to hard
> copy, copying, circulation or other use of all or any portion of this
> message and any attachments is strictly prohibited. If you are not the
> intended recipient, please notify the sender immediately by return
> e-mail, and delete this message and any attachments from your system.
| | | |
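Editor's added example (not from any post in this thread): the checks a practitioner would run to confirm what Alan and Jamie describe above, i.e. that the one domain-wide policy is what accounts in CN=Users are held to, which accounts there carry the "Password never expires" flag, and, on a Windows Server 2008 functional-level domain, how to give those service accounts their own rules with a fine-grained password policy instead of relying on that flag. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT) talking to a DC that runs ADWS; the group name 'ServiceAccounts-Manual', the PSO name and its settings are hypothetical.

```powershell
# Added example; not from any post in this thread. Assumes the ActiveDirectory
# module (Windows Server 2008 R2 / RSAT) against a DC running ADWS. The group
# 'ServiceAccounts-Manual' and the PSO name/settings are hypothetical.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. The single domain-wide policy. Every account is held to it, including
#    accounts in CN=Users, which cannot have a GPO linked to it.
function Get-DomainPasswordRules {
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                      MinPasswordAge, MaxPasswordAge, LockoutThreshold
}

# 2. What one account is actually held to: the fine-grained policy (PSO) that
#    targets the user or one of its groups (lowest precedence wins), otherwise
#    the domain policy. The DC answers this, not the client machine.
function Get-EffectivePolicyName {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { return $pso.Name }
    return 'Default Domain Policy'
}

# 3. Service accounts parked in CN=Users with "Password never expires". The flag
#    only skips expiry; length/complexity/history still apply on the next change,
#    so these are the accounts to review (and to move under a PSO or an OU).
function Get-NeverExpiringAccountsInUsersContainer {
    Get-ADUser -SearchBase "CN=Users,$domainDn" -SearchScope OneLevel `
        -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
        -Properties PasswordLastSet, ServicePrincipalName |
        Select-Object SamAccountName, PasswordLastSet,
            @{ n = 'HasSPN'; e = { [bool]$_.ServicePrincipalName } },
            @{ n = 'Policy'; e = { Get-EffectivePolicyName $_.SamAccountName } }
}

# 4. On a 2008 (or later) functional-level domain, give the manually rotated
#    service accounts their own rules via a PSO applied to a group. Precedence 10
#    is arbitrary; when several PSOs match, the lower number wins.
function New-ServiceAccountPso {
    param([string]$GroupName = 'ServiceAccounts-Manual')
    New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
        -LockoutThreshold 0 -LockoutDuration '0.00:30:00' `
        -LockoutObservationWindow '0.00:30:00' -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects $GroupName
}

Get-DomainPasswordRules
Get-NeverExpiringAccountsInUsersContainer | Format-Table -AutoSize
# New-ServiceAccountPso   # run once, after creating and populating the group
```

On a Windows 2003 domain only steps 1 and 3 apply; `net accounts /domain` shows the same domain-wide values without the AD module. Step 4 is the supported alternative to the "Password never expires" flag: the PSO carries its own expiry, length and history values, and an account's effective policy can be confirmed afterwards with `Get-ADUserResultantPasswordPolicy`.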
| DamianCrosby
Posts:25
 | | 04/13/2010 9:33 AM |
| Hi,
"In the case of a Domain Account (including Domain Service Accounts) the Domain Controller processing the change request that decides what length/complexity etc your password must be and so it is the policy that applies to the Domain Controller that counts."
So does this also apply to the notification received by the user with regard to password expiry? For example, we have applied (by way of a separate domain) a different password policy that requires a change every two weeks. Unfortunately the default value for the reminder is also 14 days (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon), which is proving to be annoying. Is there any way to control this setting with regard to just these accounts? As it's a machine-based policy setting it would appear not...
Thanks.
-------------------------------------------------------------------------- NOTICE: If received in error, please destroy, and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error. We may monitor and store emails to the extent permitted by applicable law.
| | | |
| jeromelcruz
Posts:120
 | | 04/13/2010 5:47 PM |
| For that other domain, just lower the default 14 day value to a shorter (perhaps 1 day, 2 days, or 3 days in advance) schedule.
Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Interactive Logon: Prompt user to change password before expiration.
Jerry Cruz | Group Policies Product Manager | Windows Server and Infrastructure Architecture | Boeing IT Office 425-865-6755 | Mobile 425-591-6491
| | | |
| DamianCrosby
Posts:25
 | | 04/13/2010 6:04 PM |
| I was actually thinking more selectively, though: for example, users of type "a" only get notified at _this_ interval and users of type "b" adopt the standard notification defaults... As it's a machine setting this is not possible, methinks...
| | | |
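The Group Policy value Damian and Jerry are discussing is indeed per-machine (it is written to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon as PasswordExpiryWarning), so a per-population reminder has to be built outside that setting. The following is an editor's added example, not from any post in this thread: a user logon script that asks the DC for the account's computed expiry date (which already reflects whichever policy, domain or PSO, the DC applies to that account) and warns on a per-group threshold. The group names, the day thresholds and the msg.exe notification are assumptions; it needs the ActiveDirectory module and a 2008-level DC for the msDS-UserPasswordExpiryTimeComputed attribute.

```powershell
# Added example; not from any post in this thread. Intended to run as a user
# logon script (or a scheduled task in the user's context). Group names and
# thresholds are hypothetical. Requires the ActiveDirectory module and a
# Windows Server 2008+ DC (msDS-UserPasswordExpiryTimeComputed).
Import-Module ActiveDirectory

# The GPO setting "Interactive logon: Prompt user to change password before
# expiration" is one number per machine (Winlogon\PasswordExpiryWarning).
# This table is the per-user layer on top of it; first matching rule wins,
# and a $null group is the catch-all.
$WarnSchedule = @(
    @{ Group = 'FortnightlyRotation'; Days = 3  },   # 14-day max age: a 14-day warning is noise
    @{ Group = $null;                 Days = 14 }    # everyone else: mirror the OS default
)

function Get-PasswordExpiryWarning {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [datetime]$Now = (Get-Date)
    )
    $u = Get-ADUser -Identity $SamAccountName `
        -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires

    # Constructed attribute: the DC computes it from pwdLastSet and the policy
    # it applies to this account. Int64.MaxValue means "never expires".
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if ($u.PasswordNeverExpires -or $null -eq $raw -or $raw -eq [Int64]::MaxValue) {
        return $null
    }
    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $Now).TotalDays)

    # Direct group memberships only; nest the rule groups accordingly.
    $groups = (Get-ADPrincipalGroupMembership -Identity $u.DistinguishedName).Name
    foreach ($rule in $WarnSchedule) {
        if ($null -eq $rule.Group -or $groups -contains $rule.Group) {
            if ($daysLeft -le $rule.Days) {
                return [pscustomobject]@{
                    User = $SamAccountName; Expires = $expires
                    DaysLeft = $daysLeft;   Rule = $rule.Group
                }
            }
            return $null   # matched a rule but not yet inside its window
        }
    }
    return $null
}

$w = Get-PasswordExpiryWarning -SamAccountName $env:USERNAME
if ($w) {
    # msg.exe works for an interactive session; a balloon tip or e-mail would do as well.
    msg.exe $env:USERNAME "Your password expires in $($w.DaysLeft) day(s), on $($w.Expires.ToShortDateString())."
}
```

Because the expiry date comes from the DC, the script stays correct whichever DC processed the last password change and whichever PSO applies; only the warning window is decided client-side. Lowering the machine-wide GPO value as Jerry suggests still makes sense alongside it, so the built-in prompt does not fire 14 days out for the two-week population.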
| jeromelcruz
Posts:120
 | | 04/13/2010 6:15 PM |
| Say folks, here's something new you should be aware of...
============================== New Types of Accounts ==============================
If you already have Windows Server 2008 R2 and/or Windows 7 systems (or are going there soon), then know that the new operating systems support two new types of accounts, called 1) Virtual accounts and 2) Managed Service Accounts (MSAs).
For more details, see these links
What's New in Service Accounts http://technet.microsoft.com/en-us/library/dd367859(WS.10).aspx
Service Accounts Step-by-Step Guide http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx
Managed Service Accounts (MSAs) versus virtual accounts in Windows Server 2008 R2 http://social.technet.microsoft.com/wiki/contents/articles/managed-service-accounts-msas-versus-virtual-accounts-in-windows-server-2008-r2.aspx
Jerry Cruz | Group Policies Product Manager | Windows Server and Infrastructure Architecture | Boeing IT Office 425-865-6755 | Mobile 425-591-6491
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Alan and Margaret Cuthbertson
Sent: Tuesday, March 23, 2010 1:07 PM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Container question
Hi,
This may be a little bit pedantic, but it helps to explain the issue and the answer becomes obvious.
The Password part of the default domain Policy does NOT apply to the default user container. And this is really obvious, because the password settings are set on the MACHINE side, not the USER side!
The Password policy applies to MACHINE because the machine controls passwords, not users.
In the case of a Domain Account (including Domain Service Accounts), it is the Domain Controller processing the change request that decides what length/complexity etc. your password must be, and so it is the policy that applies to the Domain Controller that counts.
In the case of a Local Account (including Domain Service Accounts), it is the local Machine that decides what length/complexity etc. your password must be, and so it is the policy that applies to the local Machine that counts.
In the case of password expiry, each User account can set the flag "Password does not expire". If this is set, the "expire in ?? days" set on the machine will be ignored. However, if you do change the password, length/complexity/history are enforced.
As an aside, on Windows 2000 (I have never checked later versions) you could actually get more than one password policy in effect on a domain, but not the way you might hope. You could create two policies with different password settings and then use security filtering so that one domain controller got one policy and the second domain controller got the second policy. If a domain user changed their password, depending on which domain controller handled the change you could get different rules applied. Now I cannot think of any good reason why you would want to do this, if only because you can't control which domain controller will process your password change. However, it does reinforce the point that it is the policy applied to the Domain Controller doing the change that really counts.
Alan Cuthbertson
Policy Management Software (Now with ADMX and Preference support):- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor(Now with ADMX support):- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter - including Preference logging(Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Francis Revere
Sent: Wednesday, 24 March 2010 3:01 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Container question
Thanks Tim, Jamie, Kumar
That really sets my mind at ease. The password policy for the service accounts, even though they are managed manually, is much more restrictive than what we have just implemented for the users per the domain policy, so that will not be an issue.
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Nelson, Jamie
Sent: Tuesday, March 23, 2010 11:45 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Container question
Tim, when someone says "Service" account, they are generally referring to a user object that is dedicated to run a specific service or services, as Francis just clarified.
Francis, doing what you've mentioned below would obviously prevent the password from expiring, but that doesn't mean that password policy is circumvented by doing so. You would still be subject to any length, history, and complexity requirements specified in your default domain policy.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Francis Revere
Sent: Tuesday, March 23, 2010 10:39 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Container question
Tim, Kumar, Jamie, Darren,
Let me clarify, as I think I am confusing you, but you make a good point Tim. When I say service account, I am referring to a user account in AD that is used to start and run specific services on the servers. These are still user accounts and thus, as has already been pointed out, are subject to the default domain policy even though they are in the Users container and not an OU. I just need to confirm that setting these accounts to "no password expiration" would stop the policy from being applied to these specific accounts.
Francis
-----Original Message-----
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Tim Bolton
Sent: Tuesday, March 23, 2010 11:29 AM
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Container question
Jamie, does that apply to "Service" accounts? When I see Service account I am thinking a local server account, not a network account...
Tim Bolton
148 2nd Street North
Central City Iowa, 52214
Microsoft Certified IT Professional
Blog - Http://timbolton.net/
On Tue, Mar 23, 2010 at 10:10 AM, Nelson, Jamie <xxxxxxxxxxxxxxxx> wrote:
> In Windows 2003 and earlier domains, you can only have one password
> policy for the entire domain and that is usually set in your default
> domain policy or equivalent. Unless you utilize third-party tools
> there is no way around this.
>
>
>
> However, Windows 2008 domains introduced Fine-Grained Password
> Policies which lets you have multiple password configurations. You can
> read about it here or just do a Google search on it and you should
> find tons of information.
| | | |
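As an added illustration of the point Alan and Jamie make above (this is not code from anyone in the thread), the following PowerShell audits the accounts the original poster is worried about: it lists every enabled user in the default Users container that has "Password never expires" set and shows which policy still governs length, complexity and history for that account. It assumes the ActiveDirectory module that ships with Windows Server 2008 R2 / RSAT, and the 90-day manual rotation threshold is a placeholder.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT). $rotationDays is a placeholder threshold
# standing in for whatever the manual rotation policy for service accounts is.
Import-Module ActiveDirectory

$rotationDays = 90
$domainDN     = (Get-ADDomain).DistinguishedName
$usersCN      = "CN=Users,$domainDN"                 # the default container, not an OU
$domainPolicy = Get-ADDefaultDomainPasswordPolicy    # what the Default Domain Policy enforces

# Service-style accounts living directly in CN=Users: enabled, flagged "never expires".
$svcAccounts = Get-ADUser -SearchBase $usersCN -SearchScope OneLevel `
    -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
    -Properties PasswordNeverExpires, PasswordLastSet

foreach ($u in $svcAccounts) {
    # Resultant policy: a PSO (fine-grained policy, needs 2008 DFL) if one applies
    # to this user, otherwise $null, meaning the domain-wide settings govern it.
    $pso       = Get-ADUserResultantPasswordPolicy -Identity $u
    $effective = if ($pso) { $pso } else { $domainPolicy }
    $source    = if ($pso) { "PSO: $($pso.Name)" } else { "Default Domain Policy" }

    # "Never expires" only switches off MaxPasswordAge; the other settings are
    # still enforced by the DC whenever the password is actually changed.
    $ageDays = if ($u.PasswordLastSet) { ((Get-Date) - $u.PasswordLastSet).Days } else { $null }

    [PSCustomObject]@{
        SamAccountName     = $u.SamAccountName
        PolicySource       = $source
        MinPasswordLength  = $effective.MinPasswordLength     # enforced on change
        ComplexityEnabled  = $effective.ComplexityEnabled     # enforced on change
        HistoryCount       = $effective.PasswordHistoryCount  # enforced on change
        MaxPasswordAgeDays = $effective.MaxPasswordAge.Days   # ignored: never-expires is set
        PasswordAgeDays    = $ageDays
        OverdueForRotation = ($ageDays -eq $null) -or ($ageDays -gt $rotationDays)
    }
}
```

Accounts reported as OverdueForRotation are the ones the manual process has missed, since the expiry setting in the domain policy will never flag them on its own.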
| jeromelcruz
Posts:120
 | | 04/13/2010 6:30 PM |
| Damian, that would essentially be correct...
However, once you have Windows Server 2008 in place, you get Fine Grained Password (FGP) policies. You create the new password policy and assign it to be applied to members of a domain security group. You add those users to the group and, voila, they get the customized settings you defined. However, as noted, Security Options settings are not a part of that. Hopefully, the FGP policies would be sufficient for your requirements (in other words, with those in place, perhaps you wouldn't need the warning changed).
For more info on Fine Grained Passwords (an 'MS step-by-step how-to' as well as links to two third-party tools, one an MMC snap-in and the other a PowerGUI snap-in), see the link below:
Windows Server 2008 - Fine Grained Password Policy Walkthrough http://blogs.technet.com/seanearp/archive/2007/10/06/windows-server-2008-fine-grained-password-policy-walkthrough.aspx
Jerry Cruz | Group Policies Product Manager | Windows Server and Infrastructure Architecture
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Crosby, Damian
Sent: Tuesday, April 13, 2010 9:36 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Container question
I was actually thinking more selectively though: for example, users of type "a" only get notified at _this_ interval and users of type "b" adopt the standard notification defaults... As it's a machine setting this is not possible, me thinks...
________________________________
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Cruz, Jerome L
Sent: 13 April 2010 17:23
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Container question
For that other domain, just lower the default 14 day value to a shorter (perhaps 1 day, 2 days, or 3 days in advance) schedule.
Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Interactive Logon: Prompt user to change password before expiration.
Jerry Cruz | Group Policies Product Manager | Windows Server and Infrastructure Architecture | Boeing IT Office 425-865-6755 | Mobile 425-591-6491
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Crosby, Damian
Sent: Tuesday, April 13, 2010 1:21 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Container question
Hi,
"In the case of a Domain Account (including Domain Service Accounts) the Domain Controller processing the change request that decides what length/complexity etc your password must be and so it is the policy that applies to the Domain Controller that counts."
So does this also apply to the notification received by the user with regards to password expiry? For example, we have applied (by way of a separate domain) a different password policy that needs to change every two weeks. Unfortunately the default value for the reminder is also 14 days (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon), which is proving to be annoying. Is there any way to control this setting with regards to just these accounts? As it's a machine-based policy setting it would appear not...
Thanks.
| | | |
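The group-based fine-grained policy Jerry describes, as an added PowerShell example that is not from the thread or from Microsoft's walkthrough: it checks for the 2008 domain functional level, creates a security group and a PSO that is stricter than a typical default domain policy, links the PSO to the group, and verifies the resultant policy for one member. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT); the group name, PSO name, policy values and the svc-backup account are placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module and a
# domain at the Windows Server 2008 functional level or higher. All names and
# policy values below are placeholders to adapt to the local standard.
Import-Module ActiveDirectory

$groupName = "SvcAccounts-StrictPwd"    # placeholder security group
$psoName   = "PSO-ServiceAccounts"      # placeholder PSO name
$member    = "svc-backup"               # placeholder sAMAccountName of a service account

# Step 1: PSOs do not exist below the 2008 DFL (the 2003 situation Jamie describes).
$domain = Get-ADDomain
if ([int]$domain.DomainMode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Fine-grained password policies need the 2008 DFL; current level: $($domain.DomainMode)"
}

# Step 2: the global security group that carries the policy (created if missing).
$group = Get-ADGroup -Filter { Name -eq $groupName }
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$($domain.DistinguishedName)" -PassThru
}

# Step 3: the PSO. Lower Precedence wins if several PSOs apply to the same user.
# These settings deliberately exceed what the domain-wide policy would require.
$pso = Get-ADFineGrainedPasswordPolicy -Filter { Name -eq $psoName }
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false -PassThru
}

# Step 4: link the PSO to the group. Members get it regardless of container or OU,
# which is what a GPO linked to an OU cannot do for accounts sitting in CN=Users.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
Add-ADGroupMember -Identity $group -Members $member

# Step 5: confirm the DC will now apply the PSO, not the Default Domain Policy, to this user.
Get-ADUserResultantPasswordPolicy -Identity $member |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, MaxPasswordAge
```

As Jerry notes, the PSO covers only the password and lockout settings; the "Prompt user to change password before expiration" Security Option stays a per-machine setting and is unaffected by this.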