Solved

Nested GPO Question

Posted on 2004-11-10
10
Medium Priority
332 Views
Last Modified: 2010-04-14
I'm trying to have different password policies for different groups of users (actually not different, but some groups have their passwords expire after x days and some do not). My default domain GPO does not have this configured. If I put this policy in a downlevel OU it isn't working. What concerns me is why this policy is a "computer policy" in the first place, since I want it to be specific to users, not computers. Anyway, can this be done and if so, how?

Thanks,
Question by:mikeleebrla
10 Comments
 
LVL 14

Accepted Solution

by:
alimu earned 1200 total points
ID: 12552857
Password policies are per domain. To have a different password policy for a set of users you need to have a separate domain for them (or use a 3rd party tool).
hope this helps,

AJ.
0
 
LVL 14

Expert Comment

by:alimu
ID: 12552917
further to your original question,

Password policy is part of account policy. Account policies are computer-based policies,
i.e. all users on this PC/in this OU/in this domain are going to have this set of account standards.
They are an adjustment of security settings that apply to a system. All users then accessing that system are subject to the rules it is bound by. (If it makes it any easier, the SAM and its configuration relate to a computer object, not a user.)

User policies tend to be more application specific.
0
 
LVL 20

Assisted Solution

by:Debsyl99
Debsyl99 earned 800 total points
ID: 12553067
Hi Mike,
It's a real pain but alimu's right - you can't do it (but you CAN in 2003 Server - Microsoft obviously decided to address it). See Pete Long's answer here:
http://www.experts-exchange.com/Security/Win_Security/Q_20843559.html

The only way you can do it is to upgrade to 2003 or establish a separate domain.

Deb :))
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12553135

Alimu is almost there.

The password policy set is based on the Computer Account Object. To have different password policies for different groups of people you would have to apply it to the computers they use.

Ideally, this can be achieved by splitting the computers into different OUs (normally in line with how the users are split), this is the approach I favour and it makes it much easier to see what is being applied where.

While that is the neatest and probably most visually useful option it isn't the only one.

You could also apply a number of policies at the root of and set the permissions so that only certain groups can run them. This would also let you apply differing security policies to different groups, but it isn't as easy to see what is being applied where.

If you have a Windows XP PC (or a Windows 2003 Server) to work on I highly recommend picking up the Group Policy Management Console - it will give you a much nicer view of the policies than trying to find them in AD Users and Computers.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12553154

Ahh sorry I've been working with 2003 domains too long. Alimu and Deb are absolutely right.
0
 
LVL 14

Expert Comment

by:alimu
ID: 12553285
Account Policies (i.e. the following) are per-domain by design:
Password Policy
Account Lockout Policy
Kerberos Policy.

Please don't try denying and/or blocking inheritance for your domain password policy. These settings affect how objects in your domain communicate with the domain controllers. Password changes occur on your domain controllers. Kerberos sessions are established through your domain controllers, and account lockouts occur on your domain controllers. These are some of the reasons why this is set at the domain level, not further down the AD tree. They affect how your domain controllers treat password format, account lockout settings and Kerberos across the domain.
Your domain controllers need to be satisfied with the format you're sending stuff through in. Your domain controllers are not part of your local OU and don't care how you have the password policy configured there. What would be the point of trying to set something at this level, where it would only have the potential to trash user (or computer account) access to the domain?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12553336

Alimu is correct and my earlier comment should be ignored unless you have a Windows 2003 Domain - at which point the password policies become a lot more flexible.
0
 
LVL 25

Author Comment

by:mikeleebrla
ID: 12554727
Thanks a lot for everyone's input. Unfortunately, the correct answer is what I was afraid of: password policies are per domain in 2000. But this does give me a great way to sell upgrading to 2003 to the powers that be in my organization. I'll award points shortly.
0
 
LVL 25

Author Comment

by:mikeleebrla
ID: 12568015
I know this question is closed but one important thing was left out, I believe... if I do move my domain from 2000 to 2003, can I have multiple password policies if my 2003 domain is at the 2000 functional level, or is this only available if I move my domain to the 2003 functional level? See below:

http://www.computerperformance.co.uk/w2k3/w2k3_mixedvnative.htm
0
 
LVL 14

Expert Comment

by:alimu
ID: 12580789
2003-only functionality is only available if you are running in native mode (i.e. 2003 native).  2000 functional level means that only features available up to and including 2000 are available.
0
