SOX compliant .. different password policy need for privil


John
09-29-2006, 10:13 AM
Hello All
Due to recent SOX requirements we are required to have a different password
policy for all privileged accounts; however, our Win2003 forest consists of a
single domain. We would have liked to implement the empty root design model;
this way all our privileged accounts would reside in the root domain and all
user accounts would reside in the child domain. However, this design model
is not an option since we currently have a flat single forest / single
domain, and restructuring our forest to include an empty domain would be
impossible, or is it possible?
My question is how do I implement a different password policy for all my
privileged accounts?
I had one idea but I'm not sure if this would work: create a non-contiguous
domain tree, and this domain will contain all my privileged accounts, thus
using a different password policy. But I would also need these privileged
accounts to be domain admins of the entire forest; would this work?

Any ideas would certainly be appreciated.
TIA..
John

steve_t
10-02-2006, 04:03 AM
Creating a new domain tree in the forest should work. You're correct that
it's not really an empty root implementation, but it should work for what you
want to do. Create a new domain tree in the forest with the new password
policy. You can use the MoveTree utility
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;q238394) to move the
privileged accounts from the current domain to the new one, or you can create
new privileged accounts in the new domain. (If you move the accounts from the
original domain, I believe the new password policy will not come into effect
until the next time the password is reset). Either way, add the privileged
users to the Enterprise Administrators group in the forest root domain, and
they will have administrative privileges throughout the enterprise. You can
keep their non-privileged accounts in the original domain with the original
password policy - your administrators have non-privileged accounts for
everyday use, of course...right? :-)

Hope this helps.

Steve


Andrei Ungureanu [MVP]
10-02-2006, 05:11 PM
I believe that he needs to move all the accounts to the newly created domain
and keep the privileged accounts in the existing domain (after all, this is
the forest root domain that contains the Enterprise Admins group).

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au


steve_t
10-02-2006, 07:45 PM
I agree. I wasn't even thinking about the administrator account in the
current forest root. So a more thorough answer would be to create a new
domain tree or child domain, have the password policy for the new domain
match the existing domain, move all user accounts to the new domain, modify
the password policy on the forest root domain to meet the SOX requirements,
and force all administrative accounts to reset their passwords under the new
requirements. One issue you will continue to have is that the default admin
account on the new domain will only require a password that meets the less
strict requirements of that domain, but I'm not sure how to get around that.

Steve


Andrei Ungureanu [MVP]
10-03-2006, 02:25 PM
Yep, now I agree :)

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au


Harj
10-03-2006, 03:00 PM
Hi,

The easiest way of resolving your issue is to create a new domain.
Sounds easy, right? But for people who do not have the resources or the
financial backing for new servers, having to administer another
domain can be cumbersome.
Have you looked at any third-party software? There are a few products
out there that allow you to achieve exactly what you are trying to do
within the infrastructure you already have in place, with no need for
additional DCs in a different domain.
Another option is to create your own password filter if you
have strong programming skills.

Password Filters
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmgmt/security/password_filters.asp

Good luck

Harj Singh
Password Policy done right
www.specopssoft.com



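The password-filter route Harj points at is worth seeing in code, because it is the one option in this thread that enforces a second policy without a second domain. The block below is an added example written for this page, not code from the thread, from Microsoft or from any vendor: it is the policy-decision core of a Windows password filter DLL, written in portable C so the logic compiles and can be tested on any toolchain, with the three LSASS entry points (InitializeChangeNotify, PasswordFilter and PasswordChangeNotify, declared in ntsecapi.h) compiled only under _WIN32. The "adm-" naming prefix for privileged accounts and the numbers in the two policies are assumptions made for the example; a production filter would decide "privileged or not" from group membership rather than from the account name.

```c
/* Added example (not from the thread): policy-decision core of a Windows
 * password filter DLL. The portable part runs anywhere; the LSASS entry
 * points at the bottom compile only under _WIN32.
 * ASSUMPTIONS: privileged accounts carry the "adm-" prefix, and both
 * policies below are constructed numbers, not anything from the thread. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PRIV_PREFIX "adm-"   /* assumed naming convention, kept lowercase */

typedef struct {
    size_t min_length;
    int    min_classes;      /* how many of: upper, lower, digit, other */
} password_policy;

/* Ordinary users keep the domain's existing policy (constructed values). */
const password_policy standard_policy   = { 8, 3 };
/* Privileged accounts get the stricter policy (constructed values). */
const password_policy privileged_policy = { 15, 4 };

/* sAMAccountName is case-insensitive, so the prefix test must be too. */
bool is_privileged_account(const char *account_name) {
    for (size_t i = 0; PRIV_PREFIX[i] != '\0'; i++)
        if (tolower((unsigned char)account_name[i]) != (unsigned char)PRIV_PREFIX[i])
            return false;
    return true;
}

const password_policy *policy_for(const char *account_name) {
    return is_privileged_account(account_name) ? &privileged_policy : &standard_policy;
}

static int character_classes(const char *pw) {
    bool up = false, lo = false, di = false, other = false;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (isupper(c))      up = true;
        else if (islower(c)) lo = true;
        else if (isdigit(c)) di = true;
        else                 other = true;
    }
    return up + lo + di + other;
}

/* Case-insensitive substring test (strcasestr is not portable), used to
 * reject passwords that contain the account name. */
static bool contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0) return false;
    for (; strlen(hay) >= n; hay++) {
        size_t i = 0;
        while (i < n && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return true;
    }
    return false;
}

/* The question LSASS asks on every set/change: may this account take this password? */
bool password_acceptable(const char *account_name, const char *password) {
    const password_policy *p = policy_for(account_name);
    if (strlen(password) < p->min_length)             return false;
    if (character_classes(password) < p->min_classes) return false;
    if (contains_ci(password, account_name))          return false;
    return true;
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>

/* LSASS passes UTF-16 UNICODE_STRINGs that are not NUL-terminated (Length is in
 * bytes). This example narrows them to ASCII, mapping anything else to '?' so it
 * still counts as a character class; a real filter would work in WCHAR. */
static void narrow(const UNICODE_STRING *u, char *out, size_t cap) {
    size_t n = u->Length / sizeof(WCHAR);
    if (n >= cap) n = cap - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (u->Buffer[i] < 0x80) ? (char)u->Buffer[i] : '?';
    out[n] = '\0';
}

__declspec(dllexport) BOOLEAN __stdcall InitializeChangeNotify(void) { return TRUE; }

__declspec(dllexport) BOOLEAN __stdcall PasswordFilter(PUNICODE_STRING AccountName,
        PUNICODE_STRING FullName, PUNICODE_STRING Password, BOOLEAN SetOperation) {
    char name[256], pw[256];
    (void)FullName; (void)SetOperation;
    narrow(AccountName, name, sizeof name);
    narrow(Password, pw, sizeof pw);
    BOOLEAN ok = password_acceptable(name, pw) ? TRUE : FALSE;
    SecureZeroMemory(pw, sizeof pw);   /* plaintext must not linger inside LSASS */
    return ok;
}

__declspec(dllexport) NTSTATUS __stdcall PasswordChangeNotify(PUNICODE_STRING UserName,
        ULONG RelativeId, PUNICODE_STRING NewPassword) {
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0;   /* STATUS_SUCCESS; logs nothing, least of all the new password */
}
#endif
```

Two things to keep in mind before going this way. The DLL is loaded by LSASS on each domain controller (it is listed in the "Notification Packages" value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), so it has to be installed on every DC and must reach the same decision on every one of them, and the user who is rejected only sees the generic "does not meet policy" message, so the stricter rule for admin accounts has to be documented somewhere they can read it. Because the filter runs inside LSASS with the plaintext password in hand, a crash in it is an LSASS crash and a careless debug log is a credential leak; that is why the example zeroes its copy and logs nothing from PasswordChangeNotify. The filter only adds rules: the Default Domain Policy minimum length and complexity still apply underneath as the floor for every account.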
Harj
10-03-2006, 03:32 PM
Hi,

I am curious to know: once a forest and its root domain have been created, can
we create an empty root domain after the fact?

Harj Singh


Andrei Ungureanu [MVP]
10-03-2006, 05:34 PM
Yes. By migrating everything to a new domain and keeping the existing one
empty. :-)

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au
