iinfi1
Super Advisor

Windows AD unknown devices cannot change passwords

We have a Windows 2003 AD in a corporate network.
There are a lot of unknown devices (computers) added to the Windows domain.
Is there any security policy which can allow users to log in to the Windows AD and DISALLOW users from changing passwords from those unknown devices?
Pieter 't Hart
Honored Contributor

Re: Windows AD unknown devices cannot change passwords

Password policies are applied at the domain level,
so it's either for all users or none.

If you want different password policies you need a separate domain (or subdomain).

Apart from this I don't understand the part "unknown computers added to the domain".
As you've added them, they are known to the domain?
iinfi1
Super Advisor

Re: Windows AD unknown devices cannot change passwords

ohk .. thank you ...
WFHC-WI
Honored Contributor

Re: Windows AD unknown devices cannot change passwords

hi iinfi,

If you are able to upgrade your domain controllers to 2008 you get the ability to set different password policies instead of just one for the domain.

Since the ability to change a password is a user-level permission and has nothing to do with PCs, you have to prevent users from changing their passwords on ANY machine, not specific ones. There is a GPO to do this if you like. See this article:
http://support.microsoft.com/kb/324744

However (and now for the good part) the second portion of the article suggests you can do what you're attempting with some effort.

Apply a new domain-wide GPO that includes a computer start-up script that does the following:
>Read the keys below HKEY_USERS
>Filter for the ones beginning with S-1-5-21
>Filter for the ones that don't end with Classes
This gives you the SIDs for Administrator, Guest, and any accounts that have logged into the PC.
>For each of these, edit

HKEY_USERS\**SID**\Software\Microsoft\Windows\CurrentVersion\Policies
with the new DWORD value DisableChangePassword then set the value to 1

>Also, do this for the default profile

Maybe the whole script looks something like this.

:: Step 1: collect the loaded user hives under HKEY_USERS (S-1-5-21-* SIDs, skipping the *_Classes hives);
:: use > rather than >> so a stale list from an earlier boot is not appended to
reg query HKU | find "S-1-5-21" | find /v "Classes" > C:\SIDs.txt

:: Step 2: each line of the file already holds the full HKEY_USERS\<SID> path, so use it directly (not HKU\<line>);
:: DisableChangePassword is the value written by the "Remove Change Password" policy under Policies\System; /f overwrites silently
for /f "delims=" %%a in (C:\SIDs.txt) do reg add "%%a\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /f

:: Step 3: same value in the HKU\.DEFAULT hive
reg add HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

:: Step 4: clean up the temporary SID list
del C:\SIDs.txt


Phew! We're getting towards the finish line.

Block policy inheritance on any OUs in your organization that you know contain trusted machines. This way, the policy will only apply to those unknown devices that have been dumped into the Computers container.

Anyone logging in to a PC where this startup script runs will see their "Change Password..." box greyed out. To change this once a machine is trusted, create a second startup script that does the same thing but sets the value to 0. Link it to all the OUs that contain PCs you do trust.

Done! :) good luck
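A quick way to verify what the startup script above actually wrote on a given PC, as an added example that is not part of WFHC-WI's post: it lists every loaded user hive, resolves the SID to an account name, and reports whether the policy value is set. It assumes PowerShell is installed on the machine and that the value lives under Policies\System, where the Remove Change Password policy stores it.

```powershell
# Added example (not from the thread): audit which loaded user hives on this PC carry the
# DisableChangePassword value the startup script sets, and which account each SID belongs to.
# Assumption: the value lives under ...\Policies\System (where "Remove Change Password" writes it).
$valueName = 'DisableChangePassword'
$subKey    = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Same selection as the script: SIDs starting S-1-5-21, excluding the *_Classes hives
$hives = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }

foreach ($hive in $hives) {
    $sid = $hive.PSChildName

    # Translate the SID to DOMAIN\user so the report is readable; unresolvable SIDs are flagged
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                       [System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved SID>'
    }

    # Read the policy value; a missing key or value means password changes are still allowed
    $path  = "Registry::HKEY_USERS\$sid\$subKey"
    $state = 'not set (change allowed)'
    if (Test-Path $path) {
        $v = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if ($null -ne $v) {
            $state = if ($v -eq 1) { 'blocked (1)' } else { "not blocked ($v)" }
        }
    }

    '{0,-48} {1,-28} {2}' -f $sid, $account, $state
}
```

Run it in an elevated PowerShell session, since other users' hives under HKEY_USERS are not readable from a standard account.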
iinfi1
Super Advisor

Re: Windows AD unknown devices cannot change passwords

thank you for your detailed reply sir.