Link to home
Start Free TrialLog in
Avatar of irschlage
irschlage

asked on

Block Inheritance not working on Sub OU's

Hi Everyone:
I was hoping you could point me in the right direction.

We have a location which is trying to migrate a business process to our Active Directory servers. It must have a specific user (for testing ASYSCON) and the non-standard password of Enterprise, which we can't change without consultants coming in and $$$. Everything is working correctly except the password violates our new password standard for the domain - ours requires the password to be at least eight characters long, must have both an upper case and lower case letter or a special character (!@#$%^&*) and must meet complexity requirements is enabled.

Attempt 1: Created Sub-OU and put ASYSCON into it, and blocked inheritance
Attempt 2: Created new password policy on Sub-OU and set No Overide
Attempt 3: Went to the Domain Password Policy and created an explicite deny for Asyscon

I also created a group called 'SSS Password Waiver Group' and put ASYSCON into it, also Denying the policy and removing the READ attribute.

We have waited overnight for these policies to replicate to all the DCs.  This morning I logged in as ASYSCON and ran GPRESULTS.EXE.  Attached is the results still showing the policy being pushed down.

Your thoughts would be appreciated. The process is running on a failing Novell server which we need to move to AD.  Also we have other locations which need these exemptions for business processes.
ASKER CERTIFIED SOLUTION
Avatar of Justin C
Justin C
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of adonis1976
adonis1976

Password policies cannot be set on the OUs, once a enterprise level policy is define, it automatically propagates to the rest of the OUs no matter what you have in the sub OUs. OU pw policy cannot override enterprise level pw policy even if you have set it not to inherit.
sorry bloodred, i didnt mean to replicate u. the window was open and i didnt know u had posted.
You guys are fast! 8-)
The only way to do this would be to create a seperate domain, move the account and resources to that domain, create and apply a new password policy at the new domain level.

Unless they have set themsleves as the only Domain admin (not likely, but still...) you can just change it to a different password, and then send the information to the company, along with an explanation of what was done and why.