mikeleebrla (United States of America) asked:
Nested GPO Question

I'm trying to have different password policies for different groups of users (actually not different, but some groups have their passwords expire after x days and some do not). My default domain GPO does not have this configured. If I put this policy in a downlevel OU it isn't working. What concerns me is why this policy is a "computer policy" in the first place, since I want it to be specific to users, not computers. Anyway, can this be done, and if so, how?

Thanks,
ASKER CERTIFIED SOLUTION
alimu (Australia):
further to your original question,

Password policy is part of account policy. Account policies are computer-based policies,
i.e. all users on this PC / in this OU / in this domain are going to have this set of account standards.
They are an adjustment of security settings that apply to a system. All users then accessing that system are subject to the rules it is bound by. (If it makes it any easier, the SAM and its configuration relate to a computer object, not a user.)

User policies tend to be more application specific.
SOLUTION

Alimu is almost there.

The password policy set is based on the Computer Account Object. To have different password policies for different groups of people you would have to apply it to the computers they use.

Ideally, this can be achieved by splitting the computers into different OUs (normally in line with how the users are split); this is the approach I favour, and it makes it much easier to see what is being applied where.

While that is the neatest and probably most visually useful option it isn't the only one.

You could also apply a number of policies at the root of the domain and set the permissions so that only certain groups can run them. This would also let you apply differing security policies to different groups, but it isn't as easy to see what is being applied where.

If you have a Windows XP PC (or a Windows 2003 Server) to work on, I highly recommend picking up the Group Policy Management Console - it will give you a much nicer view of the policies than trying to find them in AD Users and Computers.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

Ah, sorry, I've been working with 2003 domains too long. Alimu and Deb are absolutely right.
Account Policies (i.e. the following) are per-domain by design:
Password Policy
Account Lockout Policy
Kerberos Policy.

Please don't try denying and/or blocking inheritance for your domain password policy. These settings affect how objects in your domain communicate with the domain controllers. Password changes occur on your domain controllers, Kerberos sessions are established through your domain controllers, and account lockouts occur on your domain controllers. These are some of the reasons why this is set at the domain level, not further down the AD tree. They affect how your domain controllers treat password format, account lockout settings and Kerberos across the domain.
Your domain controllers need to be satisfied with the format you're sending stuff through in. Your domain controllers are not part of your local OU and don't care how you have the password policy configured there. What would be the point of trying to set something at this level, where it would only have the potential to trash user (or computer account) access to the domain?

Alimu is correct, and my earlier comment should be ignored unless you have a Windows 2003 domain, at which point the password policies become a lot more flexible.
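As an added example (not part of the original thread, and not any poster's code), the following PowerShell audit encodes the point made above by alimu and in the per-domain explanation: Account Policy settings (Password, Lockout, Kerberos) in a GPO only govern domain accounts when that GPO is linked at the domain root, so the same settings linked to a downlevel OU do nothing for domain logons. It assumes a current domain with the RSAT GroupPolicy and ActiveDirectory modules installed (these cmdlets did not exist on Windows 2000/2003) and the XML layout that Get-GPOReport emits today. It lists every GPO that carries account-policy settings, where each is linked, and whether any link is at the domain root, then prints the policy the domain controllers actually enforce.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example: find GPOs that set Account Policy settings but are not linked at the
# domain root, i.e. settings that will never apply to domain accounts.
# Assumes RSAT GroupPolicy + ActiveDirectory modules and read access to all GPOs.

param(
    # Defaults to the domain the current machine is joined to.
    [string]$Domain = (Get-ADDomain).DNSRoot
)

# Account Policies = Computer Configuration > Windows Settings > Security Settings
# > Account Policies. In the XML report each setting is an <Account> with a <Type>.
$accountPolicyTypes = 'Password', 'Lockout', 'Kerberos'

$findings = foreach ($gpo in Get-GPO -All -Domain $Domain) {
    # Pull the GPO's settings as XML. Account policy entries live under
    # GPO/Computer/ExtensionData/Extension (the SecuritySettings extension)/Account.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain

    $accounts = $report.GPO.Computer.ExtensionData.Extension |
        ForEach-Object { $_.Account } |
        Where-Object { $_ -and $accountPolicyTypes -contains $_.Type }
    if (-not $accounts) { continue }

    # Where is this GPO linked? SOMPath is the bare DNS name for the domain root
    # and a path such as contoso.com/Sales for an OU.
    $links = @($report.GPO.LinksTo | Where-Object { $_ })
    $linkedAtDomainRoot = $links | Where-Object {
        $_.Enabled -eq 'true' -and $_.SOMPath -eq $Domain
    }

    foreach ($a in $accounts) {
        # Numeric settings (MaximumPasswordAge, LockoutBadCount, ...) use SettingNumber;
        # switches (PasswordComplexity, ...) use SettingBoolean.
        $value = if ($a.SettingNumber) { $a.SettingNumber } else { $a.SettingBoolean }
        [pscustomobject]@{
            GPO                        = $gpo.DisplayName
            PolicyType                 = $a.Type
            Setting                    = $a.Name
            Value                      = $value
            LinkedTo                   = ($links | ForEach-Object { $_.SOMPath }) -join '; '
            # False here means: configured, but irrelevant for domain accounts.
            EffectiveForDomainAccounts = [bool]$linkedAtDomainRoot
        }
    }
}

$findings | Sort-Object EffectiveForDomainAccounts, GPO | Format-Table -AutoSize

# What the domain controllers will actually enforce for domain accounts, regardless
# of anything configured on OU-linked GPOs.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object MaxPasswordAge, MinPasswordLength, PasswordHistoryCount,
                  ComplexityEnabled, LockoutThreshold, LockoutDuration
```

Run it from a domain-joined admin workstation as `.\Find-OrphanAccountPolicy.ps1` (or with `-Domain child.contoso.com`). Any row with EffectiveForDomainAccounts = False is exactly the situation in the question: a password policy placed in a downlevel OU that the domain controllers never see. Such a GPO still changes the local SAM policy of the member computers it applies to, which matters for local accounts on those machines but not for domain logons.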
mikeleebrla (ASKER):
Thanks a lot for everyone's input. Unfortunately, the correct answer is what I was afraid of: password policies are per-domain in 2000. But this does give me a great way to sell upgrading to 2003 to the powers that be in my organization. I'll award points shortly.
I know this question is closed, but one important thing was left out, I believe... If I do move my domain from 2000 to 2003, can I have multiple password policies if my 2003 domain is at the 2000 functional level, or is this only available if I move my domain to the 2003 functional level? See below:

http://www.computerperformance.co.uk/w2k3/w2k3_mixedvnative.htm
2003-only functionality is only available if you are running in native mode (i.e. 2003 native). 2000 functional level means that only features available up to and including 2000 are available.