Domain Policy. This way, you can revert to the default account policies easily by unlinking the
new GPO.
1. Log on to your server as Administrator, if necessary.
2. Open GPMC, and click the Group Policy Objects folder. Create a GPO in this folder named AccountGPO.
3. Right-click AccountGPO and click Edit. In GPME, click to expand Computer Configuration, Policies, Windows Settings, Security Settings, and Account Policies, and then click Password Policy. In the right pane, double-click Enforce password history. Click the Define this policy setting check box, leave the Passwords remembered value at 0, and then click OK.
To see a detailed description of any policy, double-click the policy, and click
the Explain tab in its Properties dialog box.
4. In the right pane of GPME, double-click Minimum password age. Click the Define this policy setting check box, set the value to 0 days so that passwords can be changed immediately, and then click OK. Windows provides a suggested value for Maximum password age because this policy must be defined if Minimum password age is defined. Click OK to accept the suggested value.
5. Before you test this policy, see how things work with the current policy in place. The default value for the policy you changed is 24, which means you shouldn't be able to change your password to the same value. Press Ctrl+Alt+Del, and then click Change a password. In the Old password text box, type your current password. In the New password and Confirm password text boxes, type your current password. Click the arrow next to the Confirm password text box. You get a message stating that Windows is unable to update the password. Click OK, and then click Cancel twice.
6. In GPMC, link AccountGPO to the domain. AccountGPO is added with link order 2, but you want its settings to take precedence, so change the link order to 1.
7. Open a command prompt window, type gpupdate, and press Enter. When Gpupdate.exe is finished, try to change your password again, still using the same password for both the old and new passwords. You should be successful.
8. Leave GPME open if you're going on to the next activity.
Activity 7-13: Working with Account Lockout Policy
Time Required: 15 minutes
Objective: Change and test account policies.
Description: As a continuation from the previous activity, you change settings in Account Lockout Policy and test your changes.
1. Log on to your server as Administrator, if necessary.
2. Open GPMC, if necessary. Right-click AccountGPO and click Edit. In GPME, click to expand Computer Configuration, Policies, Windows Settings, Security Settings, and Account Policies, and then click Account Lockout Policy. Double-click Account lockout threshold. Click the Define this policy setting check box, change the invalid logon attempts value to 2, and then click OK.
3. The Suggested Value Changes dialog box suggests values for the Account lockout duration and Reset account lockout counter after settings. Click OK to accept these settings.
4. Open a command prompt window, type gpupdate, and press Enter. (Password policies that affect domain users are stored on domain controllers, not member computers, so the policy must be updated on the domain controller.)
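
The following PowerShell check is an added example, not part of the original activities. It confirms that the AccountGPO link order and the domain's effective account policy match the values set in Activities 7-12 and 7-13. It assumes the ActiveDirectory and GroupPolicy modules are available, as they are on a domain controller.

```powershell
# Added example (not from the original text). Run on the domain controller
# in an elevated PowerShell session after gpupdate has finished.
Import-Module ActiveDirectory, GroupPolicy

$gpoName  = 'AccountGPO'          # GPO name used in the activities
$expected = [ordered]@{           # values the activities set
    PasswordHistoryCount = 0      # Enforce password history
    MinPasswordAgeDays   = 0      # Minimum password age
    LockoutThreshold     = 2      # Account lockout threshold
}

# 1. Confirm AccountGPO is linked at the domain root with link order 1.
$domain = Get-ADDomain
$link = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }

if (-not $link) {
    Write-Warning "$gpoName is not linked to $($domain.DNSRoot)."
} elseif ($link.Order -ne 1 -or -not $link.Enabled) {
    Write-Warning "$gpoName link: order $($link.Order), enabled $($link.Enabled)."
} else {
    Write-Host "$gpoName is linked at order 1 and enabled."
}

# 2. Read the account policy the domain is actually enforcing.
$policy = Get-ADDefaultDomainPasswordPolicy
$actual = @{
    PasswordHistoryCount = $policy.PasswordHistoryCount
    MinPasswordAgeDays   = $policy.MinPasswordAge.TotalDays
    LockoutThreshold     = $policy.LockoutThreshold
}

# 3. Compare each setting with the value the activity configured.
$expected.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Setting  = $_.Key
        Expected = $_.Value
        Actual   = $actual[$_.Key]
        Match    = ($actual[$_.Key] -eq $_.Value)
    }
} | Format-Table -AutoSize

# 4. Show the suggested values accepted in the dialog boxes.
$policy | Format-List MaxPasswordAge, LockoutDuration, LockoutObservationWindow
```

A False in the Match column usually means the link order was not changed to 1 or gpupdate has not yet run on the domain controller.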