GPO – Group Policy Object

  • GPO – Group Policy Object

    Posted by David Morinello on October 11, 2021 at 9:28 am
    • David Morinello

      Member

      October 11, 2021 at 9:28 AM

      A quick question I hope.

      In order to “Activate” the Advanced SQL Server options for Enforce Password Policy & Enforce Password Expiration,
      where does the GPO need to be turned on?

      1. At the location of the GP Client(s) ?
      2. On the SQL Server where the GP data is stored?
      3. Citrix Server, serving out GP Clients?

      ——————————
      David Morinello
      Senior Dynamics GP Systems Architect
      Ascend Learning, LLC
      Leawood KS
      ——————————

    • Thaddeus Suter

      Member

      October 12, 2021 at 9:04 AM

      Those two settings on the GP user setup access your AD domain user Group Policy (GPO) settings. The password policy of the domain user accounts is configured in the Default Domain Policy under Group Policy Management (gpmc.msc).

      ——————————
      Thaddeus Suter
      Retus, Inc
      HELOTES TX
      ——————————

    • David Morinello

      Member

      October 12, 2021 at 9:24 AM

      Hi Thaddeus!

      I can see where on the local server these would be set via GPO.

      But which server location, the (GP) SQL Server or the GP Client (Citrix or laptop)?

      I need to be specific for my network people.

      ——————————
      David Morinello
      Senior Dynamics GP Systems Architect
      Ascend Learning, LLC
      Leawood KS
      ——————————

    • Thaddeus Suter

      Member

      October 12, 2021 at 10:17 AM

      The GPO is set in the AD environment for the Domain. Not in Local Group Policy on a specific device. Active Directory-based GPOs have precedence. Local Group Policy never takes precedence over AD GPOs and should be avoided.

      edit: If you are asking where AD is, it is stored on your Domain Controller.
      ——————————
      Thaddeus Suter
      Retus, Inc
      HELOTES TX
      ——————————

    • David Morinello

      Member

      October 12, 2021 at 10:39 AM

      OK, but can that target a specific environment, group of servers? 

      I wish to test in our DEV environment first, then QA, STG, then Prod. Not turn it on for the Domain and have these settings active on all server environments at once. Can I request setting the “AD environment for the Domain” to target all DEV environment GP related servers? Or is Local Policy the method to target one set only?

      Sorry for the drill-down into the weeds, but this is one I have never been able to play with here and is handled by another IT group internally. I don’t know how our Domain is configured now, just that the GP Advanced SQL Server options settings are not actively enforced in GP now.

      I saw your edit, but what I need is a way to target a specific environment, i.e. group of servers, which is why I was looking at Local Security Policies.

      ——————————
      David Morinello
      Senior Dynamics GP Systems Architect
      Ascend Learning, LLC
      Leawood KS
      ——————————

    • Thaddeus Suter

      Member

      October 12, 2021 at 12:01 PM

      So these settings on the GP User Setup are to synchronize the password policies already in place for your Domain users to their GP credentials. I.e., force a change in password through expiration every 30 days etc.

      If you do not have an AD Domain password policy GPO for your Domain users (their network credentials) then marking these boxes in GP will do nothing.
      First you create a Domain GPO policy for your network users in the AD environment. 
      Then that Domain policy is applied to your GP user credentials by check marking the boxes for GP users you want to apply the policy. There is really nothing to test.

      It sounds like you do not have a Domain GPO password policy but you want to create one for GP users independent of the Domain GPO policy. I don’t know how to advise on that. Normally you want network (Domain) level authentication policies first for security then in some circumstances you might want to also apply those GPO policies to user GP credentials. GP does not have a core feature to make its own password policies.

      Possibly another user will see this and have some ideas on solutions but I would definitely consider implementing Domain level password policy GPO if one does not exist. A lot of risk in not using that AD feature set. Then it is a bit optional whether you apply that policy to GP users' credentials.

      ——————————
      Thaddeus Suter
      Retus, Inc
      HELOTES TX
      ——————————
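
Added example, not part of the thread and not code from any poster: a read-only T-SQL audit of the two login flags under discussion, useful for confirming in DEV which GP logins actually have them set before moving to QA, STG and Prod. It assumes GP users are SQL Server-authenticated logins and that the two GP checkboxes are stored as the login's CHECK_POLICY and CHECK_EXPIRATION properties.

```sql
-- Added example: report password-policy enforcement per SQL login.
-- Run on the SQL Server instance that hosts the Dynamics GP databases.
-- Assumption: GP users are SQL-authenticated logins, so they appear in
-- sys.sql_logins (Windows logins are not listed in this view).
SELECT
    sl.name                                        AS login_name,
    sl.is_policy_checked                           AS enforce_password_policy,      -- CHECK_POLICY
    sl.is_expiration_checked                       AS enforce_password_expiration,  -- CHECK_EXPIRATION
    sl.is_disabled,
    LOGINPROPERTY(sl.name, 'PasswordLastSetTime')  AS password_last_set,
    LOGINPROPERTY(sl.name, 'DaysUntilExpiration')  AS days_until_expiration,
    LOGINPROPERTY(sl.name, 'IsExpired')            AS is_expired,
    LOGINPROPERTY(sl.name, 'IsLocked')             AS is_locked,
    LOGINPROPERTY(sl.name, 'IsMustChange')         AS must_change_at_next_login,
    CASE
        WHEN sl.is_policy_checked = 0     THEN 'No policy enforced'
        WHEN sl.is_expiration_checked = 0 THEN 'Policy only, no expiration'
        ELSE 'Policy and expiration enforced'
    END                                            AS enforcement_state
FROM sys.sql_logins AS sl
WHERE sl.name NOT LIKE '##%'      -- skip internal certificate-mapped logins
ORDER BY sl.is_policy_checked,    -- unenforced logins sort first
         sl.is_expiration_checked,
         sl.name;
```

A NULL in days_until_expiration means the value could not be computed for that login, typically because expiration is not enforced on it.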

    • Thaddeus Suter

      Member

      October 12, 2021 at 12:33 PM

      This could be what you are looking for.
      The article details how in Windows Server 2016 or later you can create multiple AD Security Groups and then apply different Password GPOs to each.
      The article talks about a Domain Admin group but you might have a GP User Group and an Other Group(s).
      Each would have differing Domain level password policies.
      I’m not necessarily recommending this. I just saw the article.

      Terminalworks Blog | Multiple Password Policies for Domain Users

      ——————————
      Thaddeus Suter
      Retus, Inc
      HELOTES TX
      ——————————
