klause2
asked on
Password Policies on OU's
Can you set a password policy on an OU or only on the Domain level in Active Directory?
klause2,
See
"By default, Account Policies (Password, Lockout, and Kerberos settings) are all defined in the Default Domain GPO. Since Domain Controllers are responsible for enforcing these domain-wide policies, Domain Controllers always receive these settings from the Default Domain GPO. Furthermore, since Password and Lockout Policies are defined in the Default Domain GPO, all Windows 2000 machines in that domain obtain the same password and lockout policies for their local Security Accounts Manager (SAM) database even though they have their own default local account policies defined. This happens because domain-level policies have precedence over local policies. Note that it is possible to specify a different local password policy on workstations or servers by including those workstations or servers in an OU which has its own account policy settings. This is because an OU policy has precedence over a domain policy."
From http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/615.asp for further clarification
PL
ThanQ
Does this password policy from the OU affect only the local administrator of the server, or could it affect an administrator account in the domain?
If you're using Server 2003 you can apply password policies to each OU.
Open Microsoft Management Console (MMC).
On the File menu, click Add/Remove Snap-in, and then click Add.
Click Group Policy Object Editor, and then click Add.
In Select Group Policy Object, click Browse.
In Browse for a Group Policy Object, select a Group Policy object (GPO) in the appropriate domain, site, or organizational unit--or create a new one, click OK, and then click Finish.
Click Close, and then click OK.
In the console tree, click Password Policy.
Where?
Group Policy Object [computer name] Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy
In the details pane, right-click the policy setting that you want, and then click Properties.
If you are defining this policy setting for the first time, select the Define this policy setting check box.
Select the options that you want, and then click OK.
PL
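To check which password policy applies where, the following added example (not part of the thread) compares the policy a member server enforces on its local SAM accounts with the domain password policy described in the quoted passage. It assumes an elevated PowerShell session on a member server in the OU and that the ActiveDirectory module is installed.

```powershell
# Added example. Run elevated on a member server that sits in the OU.
# Assumption: the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

function Get-LocalPasswordPolicy {
    # secedit writes the effective local security policy to an INF file;
    # its [System Access] section holds the password settings.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE" }
        $policy = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'System Access')
            }
            elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        $policy
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$local  = Get-LocalPasswordPolicy
$domain = Get-ADDefaultDomainPasswordPolicy

# INF key name -> equivalent value from the domain password policy.
$pairs = [ordered]@{
    MinimumPasswordLength = $domain.MinPasswordLength
    PasswordHistorySize   = $domain.PasswordHistoryCount
    MinimumPasswordAge    = $domain.MinPasswordAge.Days
    PasswordComplexity    = [int]$domain.ComplexityEnabled
}

foreach ($key in $pairs.Keys) {
    [pscustomobject]@{
        Setting          = $key
        LocalSamAccounts = $local[$key]
        DomainAccounts   = $pairs[$key]
        Differs          = ($local[$key] -ne $pairs[$key])
    }
}
```

Rows where Differs is True are settings that the server applies to its own local accounts with a value other than the domain's. Domain accounts are checked by the domain controllers against the values in the DomainAccounts column.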