
Greetings all,

We have an active directory domain which enforces a strict password policy. Hooray!

Now, for the project we are working on, we are going to be storing users of our website in Microsoft's AD-LDS service as well as using that for authentication of our web users.

By default, it is my understanding that AD-LDS inherits its password policy from the domain of the machine it's installed on. Is there any way to break that link such that we can define a lighter password policy (or none if we so choose) for users in AD-LDS without affecting our domain?

Note: AD-LDS is going to be hosted on a machine which is part of the domain.

Thanks in advance.

Craig Beuker

3 Answers

I bumped into this (old) question while looking for something else, but I will add an answer for anyone that ends up here actually looking for an answer...

An option you can use (assuming you have at least a 2008 level AD domain) is to apply a password policy with your required "lighter" settings specifically against the server(s) you have hosting ADLDS. While 2003 and below had only domain-wide password policy settings, 2008 and up can support fine-grained password policies configured against certain areas of the domain.

Neobyte

You need not go right up to Optional Settings.
Going right up to CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={guid} is enough.
The attribute ADAMDisablePasswordPolicies has to be set to 1.

HopelessN00b

I'm not sure if this lets you still set up and enforce a lighter password policy, but you can ignore the domain password policies by using ADSI Edit to connect to the Configuration naming context on the LDAP server. Then, on the object CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={guid}, there's a multi-valued attribute called msDS-Other-Settings. One of the attributes in that is ADAMDisablePasswordPolicies, which you can set to 1.
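A scripted version of the change the last two answers describe, added here as an example and not part of either answer: it resolves the instance's configuration partition from RootDSE (so the CN={guid} part of the DN is not hard-coded), reads the current ADAMDisablePasswordPolicies entry from msDS-Other-Settings on the CN=Directory Service object, and rewrites it to 1 only when -Disable is passed. The server name, port and the caller's membership in the instance's Administrators role are assumptions.

```powershell
# Added example, not from the answers above. Reads and optionally sets
# ADAMDisablePasswordPolicies on an AD LDS instance via System.DirectoryServices.
# Assumptions: the instance listens on $Server:$Port and the caller is a member
# of the instance's Administrators role.
param(
    [string]$Server = "localhost",   # assumed AD LDS host
    [int]$Port = 389,                # assumed AD LDS LDAP port
    [switch]$Disable                 # when set, stop inheriting the domain policy
)

Add-Type -AssemblyName System.DirectoryServices

# RootDSE exposes the configuration partition DN, which already contains the
# instance GUID, so we never have to type CN=Configuration,CN={guid} by hand.
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server`:$Port/RootDSE")
$configNc = [string]$rootDse.Properties["configurationNamingContext"].Value

# The object named in the answers; the setting lives in its msDS-Other-Settings.
$dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$ds       = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server`:$Port/$dsDn")
$settings = $ds.Properties["msDS-Other-Settings"]

# msDS-Other-Settings is multi-valued; each value is a "Name=Value" string.
$current = $settings | Where-Object { $_ -like "ADAMDisablePasswordPolicies=*" }
Write-Host "Current value on $dsDn : $current"

if ($Disable) {
    $desired = "ADAMDisablePasswordPolicies=1"
    if ($current -ne $desired) {
        # Replace the existing entry rather than appending a second one.
        if ($current) { [void]$settings.Remove($current) }
        [void]$settings.Add($desired)
        $ds.CommitChanges()
        Write-Host "Set $desired"
    } else {
        Write-Host "Already set; nothing to change."
    }
}
```

Run without -Disable first to confirm the script is talking to the intended instance; once the value is 1, the instance no longer rejects weak passwords for its own users, so the web application has to supply whatever password rules you still want.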