Nested GPO Question

I'm trying to have different password policies for different groups of users (actually not different, but some groups have their passwords expire after x days and some do not). My default domain GPO does not have this configured. If I put this policy in a downlevel OU it isn't working. What concerns me is why this policy is a "computer policy" in the first place, since I want it to be specific to users, not computers. Anyway, can this be done, and if so, how?


Password policies are per domain. To have a different password policy for a set of users you need to have a separate domain for them (or use a 3rd party tool).
hope this helps,


Further to your original question,

Password policy is part of account policy. Account policies are computer-based policies,
i.e. all users on this PC/in this OU/in this domain are going to have this set of account standards.
They are an adjustment of security settings that apply to a system. All users then accessing that system are subject to the rules it is bound by. (If it makes it any easier, the SAM and its configuration relate to a computer object, not a user.)

User policies tend to be more application specific.
Hi Mike,
It's a real pain but alimu's right - you can't do it (but you CAN in 2003 server - Microsoft obviously decided to address it). See Pete Long's answer here,

Only way you can do it is to upgrade to 2003 or establish a separate domain,

Deb :))

Chris Dent, PowerShell Developer, Commented:

Alimu is almost there.

The password policy set is based on the Computer Account Object. To have different password policies for different groups of people you would have to apply it to the computers they use.

Ideally, this can be achieved by splitting the computers into different OUs (normally in line with how the users are split), this is the approach I favour and it makes it much easier to see what is being applied where.

While that is the neatest and probably most visually useful option it isn't the only one.

You could also apply a number of policies at the root of and set the permissions so that only certain groups can run them. This would also let you apply differing security policies to different groups, but it isn't as easy to see what is being applied where.

If you have a Windows XP PC (or a Windows 2003 Server) to work on I highly recommend picking up the Group Policy Management Console - it will give you a much nicer view of the policies than trying to find them in AD Users and Computers.
Chris Dent, PowerShell Developer, Commented:

Ahh sorry I've been working with 2003 domains too long. Alimu and Deb are absolutely right.
Account Policies (i.e. the following) are per-domain by design:
Password Policy
Account Lockout Policy
Kerberos Policy.

Please don't try denying and/or blocking inheritance for your domain password policy. These settings affect how objects in your domain communicate with the domain controllers. Password changes occur on your domain controllers. Kerberos sessions are established through your domain controllers. Account lockouts occur on your domain controllers. These are some of the reasons why this is set at the domain level, not further down the AD tree. They affect how your domain controllers treat password format, account lockout settings and Kerberos across the domain.
Your domain controllers need to be satisfied with the format you're sending stuff through in. Your domain controllers are not part of your local OU and don't care how you have the password policy configured there. What would be the point of trying to set something at this level where it would only have the potential to trash user (or computer account) access to the domain?
Chris Dent, PowerShell Developer, Commented:

Alimu is correct and my earlier comment should be ignored unless you have a Windows 2003 Domain - at which point the password policies become a lot more flexible.
mikeleebrla, Author, Commented:
Thanks a lot for everyone's input. Unfortunately the correct answer is what I was afraid of: that password policies are per domain in 2000. But this does give me a great way to sell upgrading to 2003 to the powers that be in my organization. I'll award points shortly.
mikeleebrla, Author, Commented:
I know this question is closed but one important thing was left out, I believe. If I do move my domain from 2000 to 2003, can I have multiple password policies if my 2003 domain is at the 2000 functional level, or is this only available if I move my domain to the 2003 functional level? See below:
2003-only functionality is only available if you are running in native mode (i.e. 2003 native).  2000 functional level means that only features available up to and including 2000 are available.