SOX compliant .. different password policy need for privilege accounts

Discussion in 'Active Directory' started by John, Sep 29, 2006.

  1. John

    John Guest

    Hello All
    Due to recent SOX requirements we are require to have a different password
    policy for all privilege accounts however our Win2003 forest consist of a
    single domain . We would of like to implement the empty root design model in
    this way all our privilege accounts would reside in the root domain and all
    users accounts would reside in the child domain. However this design model
    is not an option since we have currently have a flat single forest /single
    domain and restructuring our forest to include an empty domain would be
    impossible, or is it possible ? .
    My question is how do I implement a different password policy for all my
    privilege accounts ?
    I had one idea but no sure if this would work. ..Create a non contiguous
    domain tree and this domain will contain all my privilege accounts thus
    using a different password policy. But I would also need these privilege
    accounts to be domain admins of the entire forest , would this work ?

    Any idea's would certainly be appreciated
    TIA..
    John
     
    John, Sep 29, 2006
    #1
    1. Advertisements

  2. John

    John Guest

    Thanks for the info but I was looking for a solution without using any thrid
    party tools..
     
    John, Sep 29, 2006
    #2
    1. Advertisements

  3. John

    Joe Kaplan Guest

    My instinct is that the third party tool will be a better solution for you
    than trying to set up a whole other domain just to accomodate this. That
    will have a bunch of downsides and might not cost you less money. It is
    really worth considering.

    Another option might be to try to enforce this by "auditing" the passwords
    of your privileged accounts with one of those so called password "auditing"
    tools (which are really just AD password crackers) to ensure that these
    accounts are compliant.

    Don't consider writing your own password filter unless you have wicked sharp
    Win32 C++ skills, as a bad password filter can compromise your whole DC (and
    it get installed on every DC in the domain).

    I have to say that all the SOX stuff is very amusing. I often wonder how we
    can all apply the same law and get such different implementation level
    requirements at different organizations. For example, my company also needs
    to be SOX compliant, but we don't attempt to do this. I wonder how that
    happens? :)

    Joe K.
     
    Joe Kaplan, Sep 29, 2006
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.