Local users password policy different from complex domain password policy?

By mance_n
I have a Default Domain GPO that says that all passwords should be complex; I know that I can't set a different password GPO per OU because of Windows Server 2003 (= one domain, one default password policy).

I have one computer with Windows Server 2003, a member of my domain, and normally when I log on to it on the domain it has the password complexity from the default domain GPO, but my question is:

How can I set it so that when someone logs on to this computer locally (with some local user account, not from the domain), they can log in with a simple (not complex) password? Because even when logging in locally, the local accounts take the password complexity from the default domain GPO.


All Answers

by BFilmFan In reply to Local users password poli ...

If the system is a member of the domain, you cannot change the password to a less complex one once you apply that policy.

All you could do is disable the user from changing the password and set the password to never expire. I don't recommend doing that on ANY account other than service accounts which are being used to start services on multiple systems, where a password change could affect multiple systems.

You would need to remove the system from the domain, set a simple password, set the user to not be able to change the password or have it expire, and then put it back into the domain for that mentioned method to work.



by mance_n In reply to Answer

Thanks for your answer,

but my idea is that I want to retain the complex passwords for all computers in my domain, and to keep this "special" server in the domain also, but when I log on to this server with some local user account (not from the domain), I need to log on with a simple password.

And I think, but I am not 100% (some 90%) sure, that my special request can't be done with only one domain raised, because of the default GPO for my domain that says complex passwords for all computer accounts in that domain, no matter which user logs in to the computers.

I also found out that the GPOs for computer accounts in one domain are stronger than the GPOs for user accounts of that domain, or any other local GPO.

Thanks again, and all the best.


What if???

by mance_n In reply to Thanks

What if I remove the system from the domain, set a simple password for all local user accounts, set the users to not be able to change the passwords, and then put it back into the domain as you say?

My question is: Wouldn't the default GPO for this computer account again predominate over all the local user accounts?

Or maybe I get your idea now: even if the GPO predominates, the local users and their simple passwords (which are set to never expire, for example), which were applied before joining the computer to the domain, will remain simple after joining the computer to the domain.

I think this should do the job; I will try it and inform you.

Thanks once again.


This will do...

by voldar In reply to What if???

but you have to take into consideration to NEVER try to change the local user password, because the Default Domain GPO will apply.


local, site, domain, and OU

by CG IT In reply to This will do...

That is how GPOs are processed. If you log on locally, the local machine group policy is applied.

If this is a domain controller based on Windows Server 2003 [or 2000], there are domain controller security settings which are different from the domain security settings. Domain controllers are also typically placed in a DC OU which is not nested within the domain OU. So you can change domain controller local machine security policies that are not affected by a domain security policy GPO. When you delegate authority, you can prevent domain admins from making changes to domain controllers.

Also note that the local machine administrator account is not necessarily the domain administrator account. You can restrict local machine logon to the local machine user accounts.

Another note: Any server in an Active Directory environment should not have anyone but domain admins or enterprise admins logging on to it.

For that matter, you should not allow users local machine access [though you could, using mandatory profiles]. Domain users typically don't need local machine access unless they're remote users. Even then, you can use hardware profiles for domain and non-domain user activities, giving users use of their laptop at home and at work without letting them have local machine access and thus potentially mucking up their machine.


Helpful, but ...

by mance_n In reply to local, site, domain, and ...

but the server I am talking about is not a Domain Controller; yes, it has Windows Server 2003, and it is only a member server in the domain, and for some special reasons it must stay in the domain.

But the remote users must log on to it, and they log in to it through an application from PDA wireless devices, and that is why I want simple passwords for them, so as not to bother them typing complex passwords on these (relatively old) wireless devices they have.

I don't know about hardware profiles for domain and non-domain users and how to use them.

I must say that I did as I wrote in my "What if???" post and I got what I wanted; my problem is solved now and I can sleep happy :)


If the server is a member server of a domain

by CG IT In reply to Helpful, but ...

and you require complex passwords, it applies domain-wide and to all computers, servers and user objects in the domain. There's just no way around it without resorting to using a different domain.


There is a way

by mance_n In reply to What if???

But there is a way around it for local users, as I described in my "What if???" post, and here it is once again:

I removed my member server temporarily from the domain, reset all local group policies to simple password login, created 20 local users on this server and applied simple passwords for all of them, and also applied password never expires for all of them. Then I joined the member server to the domain again, and voilà...

Even though my server (at the computer level) has taken the default domain password policy with complex passwords, my local users can log in locally on it with their simple passwords defined earlier.

The thing is that if I want to add a new local user, his password needs to be complex, or I should repeat the disjoin -> join steps again.

Tested, and it works.
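An audit script for a member server that has been through the disjoin / set simple passwords / rejoin procedure described in the "What if???" and "There is a way" posts above. This is an added example, not code from the thread; it assumes a Windows member server with PowerShell and WMI available, and the account names it reports are whatever exists on the box. It shows the password policy the machine now enforces and lists the local accounts that keep a pre-join password because they are flagged never-expire or not-changeable, which is exactly the set an administrator has to avoid resetting.

```powershell
# Added example (not from the thread): audit local accounts on a domain member
# server after the disjoin -> simple passwords -> rejoin procedure.
# Assumes: run locally on the member server as a local administrator, with
# WMI (Win32_UserAccount) reachable. No names here are taken from the thread.

# 1. The password policy this machine enforces right now. After the rejoin
#    these values come from the Default Domain Policy, which is why any NEW
#    local account (or any password reset) must satisfy the complex policy.
$policy = net accounts |
    Select-String 'Minimum password length|Maximum password age|Lockout threshold'
"Effective password policy on this machine:"
$policy | ForEach-Object { "  " + $_.Line.Trim() }

# 2. Local accounts that keep their pre-join password: never-expiring and/or
#    not user-changeable. Resetting any of them re-validates against the domain
#    policy and silently loses the exception, so these are the ones to leave alone.
$local = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
$exceptions = $local | Where-Object {
    (-not $_.PasswordExpires) -or (-not $_.PasswordChangeable)
}
"Local accounts with never-expire / not-changeable passwords:"
$exceptions |
    Select-Object Name, Disabled, PasswordExpires, PasswordChangeable, PasswordRequired |
    Format-Table -AutoSize

# 3. Riskier subset worth a warning: enabled, never-expiring, and with
#    PasswordRequired cleared (i.e. a blank password would be accepted).
$noPassword = $exceptions | Where-Object {
    (-not $_.Disabled) -and (-not $_.PasswordRequired)
}
if ($noPassword) {
    $names = ($noPassword | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Enabled local accounts with no password required: $names"
}

# Detection note (Windows Server 2003 Security log, auditing of account
# management enabled): event 624 = user account created, 627 = change password
# attempt, 628 = user account password set. A 624 outside a planned
# disjoin/rejoin window means someone added a local account under the domain
# policy; a 627/628 on one of the accounts listed above means its simple
# password was replaced and the exception is gone.
```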
