Clarification Needed on GPO Password Policy Implementation (Win2K)

Posted on 2005-05-13
Last Modified: 2010-04-12
Hello All,
I need a bit of clarification on the way our AD password policy is being implemented. Everything I've ever read on the subject seems to tell me that what we're currently doing shouldn't work, yet it has been working for us flawlessly for over 2 years. I am getting ready to upgrade our domain to 2003 Server, and I really need to solidify my understanding of our current configuration. Here's a quick rundown of our environment:

- We are currently running a single Win2K domain.
- Our default domain policy contains a fairly strong password policy that specifies a max password age of 90 days, minimum age of 10 days, minimum length of 6 characters, and complexity requirements are enabled. This policy works fine across the
- We have an OU set up to contain all of our domain service user accounts (no computers reside in this OU). We can't have our service account passwords expiring, so when I created the OU, I blocked the default domain policy inheritance and created a new GPO that is linked only to this OU. The password policy is the same as the default domain policy with the exception of the max password age, which is infinite.
- These service accounts are primarily used to log on our many SQL servers' SQL services. The computer accounts for all of these servers reside either in the default Computers container, or in a separate OU that contains our critical production servers (which is blocking domain policy inheritance and has its own GPO with a strong password policy).

Now everything I've read tells me that password policies can only be applied at the domain level. If this is the case, why is my service account password policy working? It has been applied only to the Service Account OU.

The other thing I have always been a bit confused by (and have never found a straight answer from MS) is that the password policy is part of the GPO's Computer Configuration settings. Given this fact, I have two related questions:

A: How is it that these Service Accounts (that have an infinite max password age specified in the GPO) don't have their passwords expire when they're logged into a server that has the default domain policy applied to it, which has a 90 day max password age?
B: Why does the Service Account password policy work in the first place, given that it's part of the GPO's Computer Configuration and not the User Configuration (remember the Service Accounts OU contains only user accounts)?

I apologize for being so long winded, but this has been driving me a bit nutty. Any guidance on this will be greatly
Question by: jbaker151
Accepted Solution

You are correct... password policies can only be applied at the domain level, but that doesn't mean they can't be blocked, though. That is why your current setup works. Most people try to set DIFFERENT password policies (which should be possible in 2000, but it isn't), but in your case you just have one policy, and that policy isn't applied to that specific OU.

Also, you are correct, it makes NO sense whatsoever to have a password policy be part of the computer policy. USERS have passwords, not computers.

Also, you could have saved yourself a lot of work by just checking the "password never expires" checkbox on your service accounts. Doing that overrides whatever domain policy is set.
Expert Comment

This might help, it was a question asked by me a while back. I'm posting it here so we don't reinvent the wheel:

Author Comment

Thanks for the quick response. Just to be clear, I did try setting a different password policy on the OU in question (it specified the infinite max password age). Your comment about the "password never expires" checkbox says it all, though: it turns out that this is checked on all of these service accounts, which is why the OU policy SEEMS to work! I must have checked the box when I originally created all the accounts, and just forgot about it. EUREKA!
Reading through the responses to your question cleared everything else up too... finally.
Thanks much,
Expert Comment

Although checking "password never expires" will "block" the policy for sure, if you also blocked it by blocking inheritance at the OU level, you are probably blocking all of the domain policies as well. The link I posted above has a comment about how it is not good to block the default domain policy, so you might want to not block it on that OU.
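The thread turns on three facts that are easy to verify from a defender's side: the only password policy that applies to domain accounts is the domain-level one, the "password never expires" flag on an account overrides that policy, and blocking inheritance on an OU blocks every domain-linked GPO rather than just the password settings. The script below is an added audit example, not code from the original thread or from the poster's environment. It assumes a 2008 R2 or later domain with the RSAT ActiveDirectory and GroupPolicy PowerShell modules installed (they do not exist on the Win2K/2003 servers discussed above, where the same checks are done in ADUC and GPMC), and the OU distinguished name is a placeholder to replace.

```powershell
# Added audit example (not from the original thread). Assumes the RSAT
# ActiveDirectory and GroupPolicy modules are available; the OU DN is a placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ServiceAccountOU = 'OU=Service Accounts,DC=example,DC=com'   # placeholder, replace with your OU

# 1. Read the effective domain password policy. On a Win2K/2003-style domain this is
#    the only password policy that applies to user accounts, regardless of OU-linked GPOs.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$domainPolicy | Select-Object MaxPasswordAge, MinPasswordAge, MinPasswordLength, ComplexityEnabled

# 2. Find accounts in the OU with "Password never expires" set. The flag lives in
#    userAccountControl (bit 0x10000 = 65536); the bitwise-AND matching rule OID below
#    selects accounts with that bit set. This flag, not the OU GPO, is what kept the
#    poster's service accounts from expiring.
$neverExpires = Get-ADUser -SearchBase $ServiceAccountOU `
    -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)' `
    -Properties PasswordLastSet, Enabled |
    Select-Object SamAccountName, Enabled, PasswordLastSet
$neverExpires | Format-Table -AutoSize

# 3. Report whether the OU blocks inheritance and which GPOs are linked directly to it.
#    A blocked OU receives none of the domain-linked GPOs, which is the side effect the
#    second expert comment warns about.
$inheritance = Get-GPInheritance -Target $ServiceAccountOU
[pscustomobject]@{
    OU                    = $ServiceAccountOU
    GpoInheritanceBlocked = $inheritance.GpoInheritanceBlocked
    LinkedGPOs            = ($inheritance.GpoLinks | ForEach-Object DisplayName) -join ', '
} | Format-List
```

Dropping `-SearchBase` in step 2 turns the query into a domain-wide inventory of non-expiring accounts, which is the more useful list for a periodic review: every account it returns has a password that will never rotate on its own, so `PasswordLastSet` is the date to watch and a manual rotation schedule is the compensating control.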

Author Comment

Good call. Thanks again for your help...
