When posed with the question of “How do I exclude users from my domain-password policy, and can I exclude those same users from domain-policy read-and-apply permissions?” John Savill responded with the following answer:
No, the domain controllers (DCs) enforce the password-complexity requirements, so blocking certain users from read-and-apply permissions won’t exclude them from the password policy. When you change your password, it’s sent by secure session to the DC. The DC gets the unhashed and unencrypted password, and checks for rules to apply.
This process is different from typical logon-password handling, in which users’ passwords are hashed by means of a one-way algorithm at the workstation and sent to the DC. Users could set their passwords before introducing the password policy; then, you could make the passwords never expire. Doing so would mean that users would use simple passwords, but then they could never change their passwords, which isn’t a good idea.
To configure different password policies for different users, you have three options:
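Added example, not part of Savill's answer and not code from nFront Security: a PowerShell script that shows, for one account, which password policy the DCs will actually enforce, so an administrator can verify that denying read-and-apply permissions on a GPO has not exempted anyone. It assumes the ActiveDirectory module (RSAT) is installed and run with a domain account that can read the domain and fine-grained password policy objects; the `$SamAccountName` parameter is a placeholder to be supplied by the caller. The last step reads the standard LSA `Notification Packages` value, which is where password filter DLLs such as nFront Password Filter are registered on a DC, and is only meaningful when run on a domain controller.

```powershell
# Added example (not from the original answer or from nFront Security):
# report which password policy governs a user and which password-filter
# DLLs the local host loads. Requires the ActiveDirectory module (RSAT)
# and read access to the domain and PSO objects. $SamAccountName is a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

function Show-Policy {
    param([string]$Label, $Policy)
    [pscustomobject]@{
        Source            = $Label
        ComplexityEnabled = $Policy.ComplexityEnabled
        MinPasswordLength = $Policy.MinPasswordLength
        MaxPasswordAge    = $Policy.MaxPasswordAge
        PasswordHistory   = $Policy.PasswordHistoryCount
        LockoutThreshold  = $Policy.LockoutThreshold
    }
}

# 1. The domain-wide policy (Default Domain Policy GPO), enforced by every DC
#    regardless of who can read or apply the GPO.
$default = Get-ADDefaultDomainPasswordPolicy
Show-Policy -Label 'Default domain policy' -Policy $default

# 2. The policy that actually applies to this user. A fine-grained password
#    policy (PSO) linked to the user or one of the user's groups overrides the
#    domain policy; if none applies, the cmdlet returns nothing and the default governs.
$user = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires
$pso  = Get-ADUserResultantPasswordPolicy -Identity $user
if ($pso) {
    Show-Policy -Label "PSO '$($pso.Name)' (precedence $($pso.Precedence))" -Policy $pso
} else {
    Write-Output "No PSO applies to $SamAccountName; the default domain policy governs."
}

# 3. 'Password never expires' exempts the account from expiry only; complexity
#    and length rules still apply at the next password change.
Write-Output ("PasswordNeverExpires: {0}" -f $user.PasswordNeverExpires)

# 4. Password filter DLLs (for example a third-party filter) are loaded by LSA on the
#    DC from this registry value and see the plaintext at change time, adding
#    rules on top of the policies above. Run this step on a DC.
$pkgs = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').'Notification Packages'
Write-Output ("Password filter DLLs registered on this host: {0}" -f ($pkgs -join ', '))
```

Run it as `.\Get-EffectivePasswordPolicy.ps1 -SamAccountName jdoe` from a domain-joined management host; to see the filter DLLs a particular DC loads, run the script on that DC or wrap step 4 in `Invoke-Command -ComputerName <dc>`.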
nFront Security specializes in innovative software solutions for network security. The company's prominent program, nFront Password Filter, protects data integrity by establishing password policies that prevent the use of easily hacked passwords. This enforcement tool is available for Windows Active Directory and Microsoft SQL servers. Companies in more than 20 countries and numerous Fortune 100 companies use nFront Password Filter to meet SOX, HIPAA and PCI requirements. For more information, visit www.nfrontsecurity.com or call (404)348-4678.
(404) 348-4678 ext. 709
matt.pr [at] nFrontSecurity.com