Domain and Local Policies

Netwrix Password Policy Enforcer enforces password policies for both domain and local user accounts.

Domain user accounts exist in Active Directory. The domain controllers store information about these accounts and replicate changes among themselves.

Local user accounts exist in the SAM database of workstations and servers. The workstations and servers may be standalone, or domain members. The host computer stores information about these accounts locally and doesn't replicate it to any other computers.

A typical Windows network has both domain and local user accounts, but you may not want to enforce Password Policy Enforcer password policies for both account types. If your users normally log on with a domain account, then you will most likely only use Password Policy Enforcer to enforce password policies for the domain accounts.

Installation Differences

To enforce password policies for domain user accounts, you should install Password Policy Enforcer onto all the domain controllers in the domain. If you have read-only domain controllers and aren't using the Rules, Password Policy Client, or other software (such as Netwrix Password Reset) that uses the Password Policy Enforcer Client protocol, then you don't need to install Password Policy Enforcer on the read-only domain controllers.

To enforce password policies for local user accounts, you should install Password Policy Enforcer onto the computers containing the user accounts you want to enforce password policies for. These computers may be workstations or servers, and they may be standalone or domain members. You don't normally need to install Password Policy Enforcer onto all the workstations and servers in a domain, because most domain users log on with a domain account. If this is the case, you will most likely only need to install Password Policy Enforcer on the domain controllers.

Operational Differences

Most of Password Policy Enforcer's rules and features work with both domain and local policies, but there are some differences. When enforcing the password policy for domain accounts, Password Policy Enforcer queries Active Directory to get information about the accounts.

Although getting most of this information from the SAM database for local accounts is theoretically possible, a technical limitation prevents password filters from querying the SAM. Some information, such as the user's OU, also doesn't exist in the SAM. Because of these limitations, you can't use the following rules and features with local password policies:

  • The Minimum Age and Maximum Age rules (you can use the Windows version of these rules with Password Policy Enforcer). See the Rules topic for additional information.
  • Policy assignments by groups and containers. See the Assign Policies to Users & Groups topic for additional information.

Password Policy Enforcer stores its configuration in Active Directory for domain password policies, and in the Windows registry for local password policies. Use the Connect To page in the Password Policy Enforcer Configuration Console to choose a configuration source. See the Connected To topic for additional information. Changes to Password Policy Enforcer's domain configuration replicate to all domain controllers in the domain. Changes to a local configuration apply only to the local computer. If you want to use the same local configuration for many computers, export the HKLM\SOFTWARE\ANIXIS\Password Policy Enforcer 10.0\ registry key from the configured computer, and import it into the other computers.

You can also use Group Policy to distribute Password Policy Enforcer's local configuration to many computers in a domain. This is only necessary for local password policies. Domain password policies automatically replicate to the domain controllers because they are stored in Active Directory.

Distribute the local configuration with Group Policy

Step 1 – Start the Group Policy Management Console (gpmc.msc).

Step 2 – Expand the forest and domain items in the left pane.

Step 3 – Right-click the Group Policy object that you would like to use to distribute the configuration, and then click the Edit... button.

Step 4 – Expand the Computer Configuration, Preferences, and Windows Settings items in the left pane.

Step 5 – Right-click the Registry item, and then select New > Registry Wizard.

Step 6 – Select the computer that contains the Password Policy Enforcer local configuration that you want to distribute, and then click Next.

Step 7 – Expand the HKEY_LOCAL_MACHINE, SOFTWARE, and ANIXIS items.

Step 8 – Click the Password Policy Enforcer version item, and then select the check boxes beside each item in the bottom pane of the window.

Step 9 – Click Finish.

Step 10 – Close the Group Policy Management Editor.

Windows applies Password Policy Enforcer's local configuration to the target computers in the domain. This doesn't happen immediately, as Windows takes some time to apply the changes to Group Policy. You can force an immediate refresh of Group Policy on the local computer with this command: gpupdate /target:computer
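The following script is an added example, not part of the Netwrix documentation or product. It covers both ways this topic describes for distributing a local configuration: the registry export/import method, and the Group Policy method followed by a forced gpupdate. In both cases it then reads the key back from every target and diffs it against the reference computer, so you can confirm the policy actually landed. The computer names, the C:\Temp path, and the $UseGroupPolicy switch are placeholders and assumptions; the registry key path is the one given above.

```powershell
# Added example; not Netwrix's own code. Assumed (placeholder) names: reference
# host 'ppe-ref01', targets in $Targets, working folder C:\Temp on every host.
# Requires an admin account with PowerShell Remoting enabled on all computers.
$KeyPath   = 'HKLM:\SOFTWARE\ANIXIS\Password Policy Enforcer 10.0'
$NativeKey = 'HKLM\SOFTWARE\ANIXIS\Password Policy Enforcer 10.0'   # reg.exe form
$Reference = 'ppe-ref01'
$Targets   = @('ws01', 'ws02', 'srv05')
$RegFile   = 'C:\Temp\ppe-local-config.reg'
$UseGroupPolicy = $false   # set to $true once the GPO from the steps above is linked

# Returns every value under the key (subkeys included) as 'key\name=value' lines,
# so two computers' local configurations can be diffed with Compare-Object.
function Get-PpeConfig([string]$Computer) {
    Invoke-Command -ComputerName $Computer -ArgumentList $KeyPath -ScriptBlock {
        param($p)
        if (-not (Test-Path $p)) { return @() }          # PPE not configured here
        @(Get-Item $p) + @(Get-ChildItem $p -Recurse) | ForEach-Object {
            $key = $_
            foreach ($n in $key.GetValueNames()) {
                '{0}\{1}={2}' -f $key.Name, $n, ($key.GetValue($n) -join ',')
            }
        } | Sort-Object
    }
}

$Expected = @(Get-PpeConfig $Reference)
if ($Expected.Count -eq 0) { throw "No PPE local configuration found on $Reference" }

if (-not $UseGroupPolicy) {
    # Export method: dump the configured key once on the reference host and fetch it.
    Invoke-Command -ComputerName $Reference -ArgumentList $NativeKey, $RegFile -ScriptBlock {
        param($k, $f) reg.exe export $k $f /y | Out-Null
    }
    Copy-Item "\\$Reference\C$\Temp\ppe-local-config.reg" $RegFile
}

foreach ($t in $Targets) {
    if ($UseGroupPolicy) {
        # GPO method: force the computer-side refresh instead of waiting for the next cycle.
        Invoke-Command -ComputerName $t -ScriptBlock { gpupdate.exe /target:computer | Out-Null }
    } else {
        Copy-Item $RegFile "\\$t\C$\Temp\ppe-local-config.reg"
        Invoke-Command -ComputerName $t -ArgumentList $RegFile -ScriptBlock {
            param($f) reg.exe import $f 2>&1 | Out-Null
        }
    }
    # Verify: any line in the diff means the target's local policy differs from the reference.
    $diff = Compare-Object -ReferenceObject $Expected -DifferenceObject @(Get-PpeConfig $t)
    if ($diff) { Write-Warning "$t differs from ${Reference}:"; $diff | Format-Table -AutoSize }
    else       { Write-Output "$t matches $Reference" }
}
```

Run the verification loop again after the next Group Policy refresh to detect drift, for example a local administrator editing the key on one workstation.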