On a Windows Server 2003-based domain controller, if the "Smart card is required for interactive logon" policy setting is enabled, the domain controller generates a random password for the user. However, Windows 2000 does not include the functionality to generate a random password. For example, suppose the following conditions are true:
- You maintain a user object in an environment that contains both Windows 2000-based computers and Windows Server 2003-based computers.
- In this environment, Active Directory Users and Computers is connected to a Windows 2000-based domain controller.
In this scenario, the domain controller does not generate a random password. Therefore, passwords are not maintained.
To make sure that passwords are set to random values in a mixed environment, connect to a Windows Server 2003-based domain controller. Then, make sure that the "Smart card is required for interactive logon" policy setting is enabled. To enable this policy setting, follow these steps:
- Click Start, click Run, type gpedit.msc, and then click OK.
- Click the appropriate policy object, expand Computer Configuration, expand Windows Settings, and then expand Security Settings.
- Expand Local Policies, and then click Security Options.
- In the right pane, double-click Interactive logon: Require smart card.
- Click Enabled, and then click OK.
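To find accounts affected by the mixed-environment case described above, the following added example (not part of the original article) scans an LDIF export of user objects for accounts that carry the SMARTCARD_REQUIRED bit in userAccountControl but whose pwdLastSet is older than a cutoff date. It assumes that the domain controller updates pwdLastSet when it randomizes the password; the sample records, the cutoff date, and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

SMARTCARD_REQUIRED = 0x40000  # userAccountControl bit: smart card required for interactive logon
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed date on which the smart card requirement was rolled out (constructed).
CUTOFF = datetime(2005, 1, 1, tzinfo=timezone.utc)

# Constructed sample export; these are not real accounts.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 262656
pwdLastSet: 126988992000000000

dn: CN=Bob,OU=Staff,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 262656
pwdLastSet: 127856448000000000

dn: CN=Carol,OU=Staff,DC=example,DC=com
sAMAccountName: carol
userAccountControl: 512
pwdLastSet: 126988992000000000
"""

def parse_ldif(text):
    """Yield one dict per record; handles plain 'attr: value' lines only."""
    for block in text.replace("\r\n", "\n").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            entry[key] = value.strip()
        if entry:
            yield entry

def filetime_to_datetime(filetime):
    """Convert 100-nanosecond intervals since 1601-01-01 UTC to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def stale_smartcard_accounts(ldif_text, cutoff=CUTOFF):
    """Return (name, pwdLastSet) for flagged accounts whose password predates cutoff."""
    findings = []
    for entry in parse_ldif(ldif_text):
        if not int(entry.get("userAccountControl", "0")) & SMARTCARD_REQUIRED:
            continue  # flag not set, so no random password is expected
        filetime = int(entry.get("pwdLastSet", "0"))
        last_set = filetime_to_datetime(filetime) if filetime else None
        if last_set is None or last_set < cutoff:
            findings.append((entry.get("sAMAccountName"), last_set))
    return findings
```

Accounts that this check reports are candidates for having the option cleared and set again while connected to a Windows Server 2003-based domain controller.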
For additional information about the "Interactive logon: Require smart card" security option, visit the following Microsoft Web site:
For additional information about smart cards and passwords on a Windows Server 2003 domain controller, visit the following Microsoft Web site: