Ask the Expert

Can we have more than one password policy?

We have certain high-risk areas in our organization that would like to have their passwords expire at a more rapid rate than the rest of the organization (30 days vs. 90 days). My research has yielded some conflicting results, but I think that this cannot be accomplished easily (or at all) within a domain. Is there a straightforward way to accomplish this? Thanks.
As you have discovered, there can only be one password policy for a domain. Whatever you set for the password expiration will be in effect for all users, with the exception that you can set an account to not expire at all. There are two possible solutions to this problem.

First, you could create a separate domain for the high-risk areas, which would have other advantages as well, as they could manage other differences (length of password, history, account lockout, etc.). Second, while there is only one enforceable password expiration policy per domain, there is no reason they cannot procedurally insist on their group passwords being changed at whatever schedule. They also could write scripts to check on this and possible e-mail users who failed to follow the policy, or make some other change that would be effective in enforcing the policy. Of course, they might also write custom software to enforce more frequent password changing.

This was first published in April 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: