klause2

Password Policies on OU's

Can you set a password policy on an OU, or only at the Domain level in Active Directory?
ASKER CERTIFIED SOLUTION
Pete Long
klause2,
If you're using Server 2003 you can apply password policies to each OU.

Open Microsoft Management Console (MMC).
On the File menu, click Add/Remove Snap-in, and then click Add.
Click Group Policy Object Editor, and then click Add.
In Select Group Policy Object, click Browse.
In Browse for a Group Policy Object, select a Group Policy object (GPO) in the appropriate domain, site, or organizational unit--or create a new one, click OK, and then click Finish.
Click Close, and then click OK.
In the console tree, click Password Policy.
Where?

Group Policy Object [computer name] Policy
  Computer Configuration
    Windows Settings
      Security Settings
        Account Policies
          Password Policy
In the details pane, right-click the policy setting that you want, and then click Properties.
If you are defining this policy setting for the first time, select the Define this policy setting check box.
Select the options that you want, and then click OK.

PL
klause2,
See
"By default, Account Policies (Password, Lockout, and Kerberos settings) are all defined in the Default Domain GPO. Since Domain Controllers are responsible for enforcing these domain-wide policies, Domain Controllers always receive these settings from the Default Domain GPO. Furthermore, since Password and Lockout Policies are defined in the Default Domain GPO, all Windows 2000 machines in that domain obtain the same password and lockout policies for their local Security Accounts Manager (SAM) database even though they have their own default local account policies defined. This happens because domain-level policies have precedence over local policies. Note that it is possible to specify a different local password policy on workstations or servers by including those workstations or servers in an OU which has its own account policy settings. This is because an OU policy has precedence over a domain policy."

From http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/615.asp for further clarification
PL
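
To check on a member server which password policy its local SAM actually received, as the passage quoted above describes, this added example (not code from the thread or from Microsoft) parses a `secedit /export` file and compares its [System Access] values with the domain's. The sample export and the domain values are constructed, and the function names are hypothetical.

```powershell
# Added example: compare the local SAM password settings of a machine with the
# domain password policy. Function names are hypothetical.

function Get-SystemAccessSettings {
    param([string[]]$InfLines)
    $settings = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {          # section header
            $inSection = ($Matches[1] -eq 'System Access')
            continue
        }
        if ($inSection -and $trimmed -match '^(\w+)\s*=\s*(.+)$') {
            $settings[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $settings
}

function Compare-PasswordPolicy {
    param([hashtable]$Local, [hashtable]$Domain)
    $keys = 'MinimumPasswordLength', 'PasswordComplexity', 'PasswordHistorySize',
            'MaximumPasswordAge', 'MinimumPasswordAge'
    foreach ($key in $keys) {
        [pscustomobject]@{
            Setting  = $key
            LocalSam = $Local[$key]
            Domain   = $Domain[$key]
            Differs  = ("$($Local[$key])" -ne "$($Domain[$key])")
        }
    }
}

# Constructed sample of a secedit export from a server in an OU with its own GPO.
# Live equivalent (elevated prompt):
#   secedit /export /cfg "$env:TEMP\local.inf" /areas SECURITYPOLICY
#   $inf = Get-Content "$env:TEMP\local.inf"
$inf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
[Event Audit]
AuditSystemEvents = 0
'@ -split '\r?\n'

# Constructed domain values; on a live domain read them with
# Get-ADDefaultDomainPasswordPolicy (ActiveDirectory module) and map the names.
$domain = @{ MinimumPasswordLength = 8; PasswordComplexity = 1
             PasswordHistorySize = 24; MaximumPasswordAge = 42; MinimumPasswordAge = 1 }

Compare-PasswordPolicy -Local (Get-SystemAccessSettings $inf) -Domain $domain |
    Format-Table -AutoSize
```

A row with Differs = True means the machine's local accounts are held to a value other than the domain's, which is the case the quoted passage attributes to an OU-linked account policy.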
ThanQ
havilandp

Does this password policy from the OU affect only the local administrator of the server, or could it affect an administrator account in the domain?