Override default domain GPO with local policy - windows

Password complexity setting is disabled in default domain GPO. I need to enable it on one server, but I don't have the access to edit this GPO on the domain level. When I open local security settings on the server, option to enable (or disable) is grayed out. Is there a way to override default domain GPO for password complexity locally in the registry? And to keep it that way, to stop GPO from being propagated down from domain level to this particular server?

There are two points in your case. First, you can't use a local group policy for domain accounts because AD accounts are stored only on DCs, so only Domain Controller policies apply, and those apply only to user accounts, not computer accounts. Second, you can use a local group policy to edit settings for local user accounts only. Run the gpedit.msc command on the local server for that.
But since the Windows 2008 domain functional level you can have separate password policies for different user groups. You can read about it here, for example:
https://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
Good luck.
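The fine-grained password policy approach from the answer above, as an added example that is not part of the original post: it creates a Password Settings Object (PSO) with complexity enabled and applies it to a global group instead of touching the Default Domain Policy. It assumes the ActiveDirectory RSAT module, a 2008 or higher domain functional level, and rights to create PSOs; the policy, group and user names are placeholders.

```powershell
# Added example: enforce password complexity for a subset of accounts via a
# fine-grained password policy (PSO). Names below are placeholders.
Import-Module ActiveDirectory

$PsoName   = 'PSO-ServerOps-Complex'      # hypothetical PSO name
$GroupName = 'ServerOps-PasswordPolicy'   # hypothetical global security group
$Members   = @('alice', 'bob')            # hypothetical sAMAccountNames

# PSOs can only be applied to users and global security groups, never to
# computers or OUs, so the accounts that log on to the server go in a group.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# Lower precedence wins when several PSOs apply to the same user.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 14 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# Verify the resultant policy per account; a null result means the account
# still falls under the Default Domain Policy (no PSO applies).
foreach ($user in $Members) {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($rsop) { "$user -> $($rsop.Name) (ComplexityEnabled=$($rsop.ComplexityEnabled))" }
    else       { "$user -> Default Domain Policy (no PSO applies)" }
}
```

Because the PSO follows the user rather than the server, it also governs password changes made from any other machine, which is the intended behaviour for domain accounts.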

Related

Windows: Difference between DisableDomainCreds and CachedLogonsCount

How are the following settings, located under Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options, related:
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
determines whether a user can log on to a Windows domain by using cached account information
Network access: Do not allow storage of passwords and credentials for network authentication
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds
determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication
Is CachedLogonsCount just a more fine-grained policy, with DisableDomainCreds the same as setting CachedLogonsCount to 0?
CachedLogonsCount controls how many previous domain logons are cached locally, so the user can sign in to the machine in case the domain controller is unavailable. Very important difference: Windows does not cache the actual credentials, only a hash used to verify the password. This means even compromising the stored information does not give access to any domain credentials. Reference.
DisableDomainCreds controls if the actual credentials are cached so a user can access domain resources without re-authenticating during their session. If you enable this policy, a user will be forced to re-type their password every time they access a network resource, e.g. a network share. This functionality stores the actual credentials. Reference.
To answer your question: No, these are two different mechanisms with different goals.

How to prevent "trust relationship between this machine and domain failed" error from happening when restoring VM from a snapshot?

When you restore a VM (that belongs to a Windows domain) from an old enough snapshot you'll get this error:
trust relationship between this machine and domain failed
This happens because the domain controller periodically renews the computer account password (and maybe a few other things).
Is there any way to configure domain controller (or anything else) in such way that this doesn't happen? I don't care about security risks/etc -- all this is in controlled environment.
Two solutions:
You can try the policy like #Harry mentioned to disable machine password: Reference: Domain member: Disable machine account password changes
Per the article: The Domain member: Disable machine account password changes policy setting determines whether a domain member periodically changes its computer account password. Setting its value to Enabled prevents the domain member from changing the computer account password. While not recommended for production environments, setting the value to Enabled is what you would set it to in your controlled environment, which would eliminate the identified problem.
Another way to handle it is using PowerShell. This won't prevent it from happening but will solve it; you can put it in a script and use:
Test-ComputerSecureChannel -Server dc -Repair Reference: Test-ComputerSecureChannel
For those of us using a production domain controller, it's easier to do this on the VMs.
Set this in the registry to disable automatic machine account password changes:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
If you ever get "The trust relationship between this workstation and the primary domain failed", one easy fix is to log in as local admin (or a domain account with the network disconnected) and use the PowerShell Reset-ComputerMachinePassword cmdlet as follows:
$credential = Get-Credential
# Enter domain admin account when prompted
Reset-ComputerMachinePassword -Server ClosestDomainControllerNameHere -Credential $credential

IIS account environment

IIS 7.0+ uses a concept of so-called virtual accounts to identify application pools (IIS AppPool\apppoolname). Do those accounts have profiles, and can local environment variables be set for them? How?
The very bottom of this blog post says the virtual accounts can't be managed; they just don't appear in user searches within Windows, so it sounds like it's possible:
http://weblogs.asp.net/owscott/managed-service-accounts-msa-and-virtual-accounts
*IIS and Virtual Accounts
For IIS and Virtual Accounts, the user is called “IIS AppPool\{apppoolname}”. For example, “IIS AppPool\DefaultAppPool”. Note that Virtual Accounts can’t be found with the Windows Select Users or Groups tool, but if you type in the name specifically, it can be managed there.*
Alternatively, you could create a local user account on the server and set the app pool to run as that account.
With regards to editing Environment variables for another user, this post says you can do it in the registry.
https://serverfault.com/questions/397966/windows-how-to-set-environment-variable-for-another-user
Yes, those accounts have their own profiles and you can set environment variables specifically for each account.
Just use a server-side page to set the variable and you can then use it.
I have a PowerShell script to demonstrate that this works in an answer over on ServerFault.
In the advanced settings for the application pool, make sure that Load User Profile is True but this is the default.
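Setting a per-identity environment variable for an application pool's virtual account, as an added example that is not part of either answer above: it resolves "IIS AppPool\<pool>" to its SID and writes under that account's own HKU hive. It assumes IIS with the WebAdministration module, that the pool has Load User Profile = True (so a profile hive exists), and local admin rights; the pool name, variable and value are placeholders.

```powershell
# Added example: per-app-pool environment variable via the virtual account's
# registry hive. Placeholders: pool name, variable name and value.
Import-Module WebAdministration

$PoolName = 'DefaultAppPool'            # placeholder pool name
$VarName  = 'MYAPP_CONFIG_PATH'         # hypothetical variable name
$VarValue = 'D:\apps\myapp\config'      # hypothetical value

# Virtual accounts resolve through the normal account lookup even though the
# "Select Users" dialog does not list them; the SID is of the form S-1-5-82-...
$account = New-Object System.Security.Principal.NTAccount("IIS AppPool\$PoolName")
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# The hive is mounted under HKU only while the worker process has the profile
# loaded; otherwise load NTUSER.DAT from the path recorded in ProfileList.
$hivePath   = "Registry::HKEY_USERS\$sid"
$loadedHere = $false
if (-not (Test-Path $hivePath)) {
    $profileDir = (Get-ItemProperty `
        "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid").ProfileImagePath
    $profileDir = [Environment]::ExpandEnvironmentVariables($profileDir)
    & reg.exe load "HKU\$sid" (Join-Path $profileDir 'NTUSER.DAT') | Out-Null
    $loadedHere = $true
}

try {
    # Per-user variables live in HKU\<SID>\Environment, exactly as for a
    # regular user; the value is only visible to this pool's identity.
    $envKey = "$hivePath\Environment"
    if (-not (Test-Path $envKey)) { New-Item -Path $envKey | Out-Null }
    Set-ItemProperty -Path $envKey -Name $VarName -Value $VarValue -Type String
}
finally {
    if ($loadedHere) {
        # Release provider handles before unloading or reg.exe reports "access denied".
        [gc]::Collect()
        & reg.exe unload "HKU\$sid" | Out-Null
    }
}

# The worker process builds its environment block at start-up, so recycle
# the pool for the new variable to take effect.
Restart-WebAppPool -Name $PoolName
```

Because the variable is scoped to one pool's identity, two pools on the same server can carry different values without either being visible to the other, which a machine-wide variable cannot do.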

Add a domain user into a local group when the domain is not available

I have a PC (Windows 7) that has a domain user. Because of some maintenance issues the PC is not in the company that has the domain user. There is no access to the domain through the internet.
I need to add this domain user into one of the local groups. I tried to do this by means of the Local Users and Groups panel of Windows. It was not possible, of course. The location of the user is only the local PC; the domain is not accessible. As the local admin account I have also tried the command line
net localgroup "My Group" Domain\user1 /add
However, this also did not work. Is there any way to add a domain user into a local group when the domain is not available?
No, not without joining the computer to the domain containing the domain user to add locally or at least to a domain for which a trust exists with the domain containing the user to add locally.
http://technet.microsoft.com/en-us/library/cc739265(v=ws.10).aspx
• If the computer is joined to a domain, you can add user accounts, computer accounts, and group accounts from that domain and from trusted domains to a local group.

Windows Server 2008 System Specific Remote

I have a server which runs Windows Server 2008 R2 Standard. I have admin rights and I can login through Remote Desktop Connection and access the server.
I want to create an account so that my office staff can access it (restricted access) and only from office systems. I do not want access from any other location.
Is it possible?
Thanks,
GR
There are several ways to lock down and secure the RDP services of a particular machine. As with most local services and GPO settings, Windows is quite good at making it easy to tailor permissions based on user(s), computer(s) and group(s).
First off I would personally add RDP permissions on a per user basis, rather than giving staff members one central login to use. There are several reasons for this, mostly down to ease of use and system security.
In the "System Properties" of the Windows Server, I assume you've ticked the box to allow an RDP connection to the server. Just under that there's a checkbox you should tick in order to only allow connections with NLA (Network Level Authentication). Proceed to "Select Users" and choose the staff you wish to give RDP permissions to.
I'm going to assume that your RDP connection is working as you've stated that you're able to connect, so we'll leave out local RDP GPO settings and initial Windows Firewall configuration; please leave a comment if you'd like me to include it.
In the Windows Firewall for the server, on the exceptions tab, edit the settings for Remote Desktop Connection. Click "Change Scope" and tick the box that says "My Network (subnet) only".
This will only allow RDP connections from local machines within the server's subnet (office machines) and connections from the users you specified earlier on (office staff).
As for the restricted access part, short of making a new local limited user on the server there's not much you can do to protect everything.
I hope this clears it up for you.
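The lockdown described in the answer above in script form, as an added example that is not part of the original answer. Windows Server 2008 R2 has neither the NetSecurity nor the LocalAccounts PowerShell modules, so netsh.exe and net.exe are used for the firewall scope and group membership; it assumes a domain-joined server, and 'CORP\OfficeStaff' is a placeholder group containing the staff accounts.

```powershell
# Added example: restrict RDP to NLA, named staff, and the server's own subnet
# on Windows Server 2008 R2. 'CORP\OfficeStaff' is a placeholder group.
$StaffGroup = 'CORP\OfficeStaff'
$TS = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Allow RDP, require Network Level Authentication so the client is
#    authenticated before any session is created, and require TLS for the
#    transport (SecurityLayer 2 = SSL/TLS rather than legacy RDP security).
Set-ItemProperty -Path $TS -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path "$TS\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path "$TS\WinStations\RDP-Tcp" -Name SecurityLayer      -Value 2 -Type DWord

# 2. Per-user access: the "Select Users" list in System Properties is the
#    local "Remote Desktop Users" group. Granting a staff group (not a shared
#    login) keeps each connection attributable in the Security log.
& net.exe localgroup 'Remote Desktop Users' $StaffGroup /add

# 3. Firewall scope: the built-in "Remote Desktop" rule group limited to the
#    server's subnet, i.e. "My network (subnet) only" in the GUI.
& netsh.exe advfirewall firewall set rule group="Remote Desktop" new remoteip=localsubnet

# 4. Verify what actually took effect.
$rdp = Get-ItemProperty "$TS\WinStations\RDP-Tcp"
"NLA required : $($rdp.UserAuthentication -eq 1)"
"TLS layer    : $($rdp.SecurityLayer -eq 2)"
& net.exe localgroup 'Remote Desktop Users'
& netsh.exe advfirewall firewall show rule name="Remote Desktop (TCP-In)" |
    Select-String -Pattern 'Enabled', 'RemoteIP', 'Profiles'
```

If the office is reached over a VPN or a routed LAN rather than the same subnet, replace localsubnet with an explicit list such as remoteip=10.0.1.0/24, since LocalSubnet matches only the server's directly attached networks.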