AD - Group Policy - passwords

Posted on 2006-04-27
Last Modified: 2010-04-13
I work with AD and GPO a bit but am totally confused by passwords. It's just that the settings to control passwords are in the 'Computer Configuration' section and to me it should be associated with 'User Configuration'.
I've also read that password settings configured at domain level can NOT be overwritten at OU level.... again this confuses me because surely if I block policy inheritance at OU and put on Enforce (or No Override as it was called) at OU then my new password settings should be applied??

I'm just looking for an overview of how passwords in ADS and GPO work
Question by: lkav
    LVL 4

    Expert Comment

    Basically all your AD users are held in AD, thus only the final policy affecting the DCs wins. Trying to force different DCs to different policies is not a good idea either.

    It really does not matter where the users reside in the OU structure. You can set the local system policy to be different on workstations, but that still does not affect domain users.

    Author Comment

    Below is a mail I came across that explains my problem perfectly... unfortunately the guy never got an answer... can anyone help us?

    I need a bit of clarification on the way our AD password policy is being implemented. Everything I've ever read on the subject seems to tell me that what we're currently doing shouldn't work, yet it has been working for us flawlessly for over 2 years. I am getting ready to upgrade our domain to 2003 Server, and I really need to solidify my understanding of our current configuration. Here's a quick rundown of our environment:

    - We are currently running a single Win2K domain.
    - Our default domain policy contains a fairly strong password policy that specifies a max password age of 90 days, minimum age of 10 days, minimum length of 6 characters, and complexity requirements are enabled. This policy works fine across the
    - We have an OU set up to contain all of our domain service user accounts (no computers reside in this OU). We can't have our service account passwords expiring, so when I created the OU, I blocked the default domain policy inheritance and created a new GPO that is linked only to this OU. The password policy is the same as the default domain policy with the exception of the max password age, which is infinite.
    - These service accounts are primarily used to log on our many SQL servers' SQL services. The computer accounts for all of these servers reside either in the default Computers container, or in a separate OU that contains our critical production servers (which is blocking domain policy inheritance and has its own GPO with a strong password policy).

    Now everything I've read tells me that password policies can only be applied at the domain level. If this is the case, why is my service account password policy working? It has been applied only to the Service Account OU.

    The other thing I have always been a bit confused by (and have never found a straight answer from MS), is that the password policy is part of the GPO's Computer Configuration settings. Given this fact, I have two related questions:

    A: How is it that these Service Accounts (that have an infinite max password age specified in the GPO) don't have their passwords expire when they're logged into a server that has the default domain policy applied to it, that has a 90 day max password age?
    B: Why does the Service Account password policy work in the first place, given that it's part of the GPO's Computer Configuration and not the User Configuration (remember the Service Accounts OU contains only user accounts)?

    I apologize for being so long win...
    LVL 9

    Accepted Solution

    MS courses 2278 and 2279 do a good job of explaining passwords and GPOs.

    Briefly, passwords are considered a "security" setting, and those types of settings are only allowed in the Default Domain Policy. It affects all users regardless of where their accounts sit in the AD structure.

    The reason that it is set in the computer section and not the user section is because the DC, where passwords are checked, is a computer and not a user.

    Service accounts are a bit different... here is a link to a security article on the MS site; hopefully this can help some too.

    Good Luck,
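To verify what the accepted answer and the first comment describe (the DCs enforce one domain-wide password policy for domain accounts, and an OU-linked GPO only changes the local SAM policy of the computers in that OU), the following PowerShell is an added example and not part of the original thread. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the domain; the account name svc_sql is a hypothetical placeholder. The resultant-policy cmdlet (step 3) covers fine-grained Password Settings Objects, which exist only at Windows Server 2008 domain functional level or later and postdate this thread; the per-account "Password never expires" flag it also reports is an account attribute, not a GPO setting.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory
# module on a domain-joined host. The account name 'svc_sql' is hypothetical.
Import-Module ActiveDirectory

# 1. The domain password policy is not "applied to" an OU. When the DCs process
#    the Default Domain Policy GPO, its Password Policy settings are written to
#    attributes on the domain naming-context head, and every DC enforces those
#    attributes for every domain account wherever the user object lives.
$domainDN = (Get-ADDomain).DistinguishedName
$dom = Get-ADObject -Identity $domainDN -Properties maxPwdAge, minPwdAge, minPwdLength, pwdHistoryLength, pwdProperties

# maxPwdAge/minPwdAge are stored as negative 100-ns intervals; the value
# 0x8000000000000000 (Int64.MinValue) means "never expires" (max age 0 in the GPO).
function Convert-PwdAge([long]$Interval) {
    if ($Interval -eq [long]::MinValue) { return 'never' }
    return [TimeSpan]::FromTicks(-$Interval).TotalDays   # one .NET tick = 100 ns
}

[pscustomobject]@{
    MaxPasswordAgeDays = Convert-PwdAge $dom.maxPwdAge
    MinPasswordAgeDays = Convert-PwdAge $dom.minPwdAge
    MinPasswordLength  = $dom.minPwdLength
    PasswordHistory    = $dom.pwdHistoryLength
    ComplexityEnabled  = [bool]($dom.pwdProperties -band 1)   # bit 0 = DOMAIN_PASSWORD_COMPLEX
}

# 2. The same attributes as the AD module presents them.
Get-ADDefaultDomainPasswordPolicy

# 3. Resultant policy for one account. A fine-grained Password Settings Object
#    (2008+ functional level) can override the domain policy for specific users
#    or groups; the cmdlet returns that PSO, or nothing when only the domain
#    policy applies. A GPO linked to the user's OU never shows up here.
$user = Get-ADUser -Identity 'svc_sql' -Properties PasswordNeverExpires, PasswordLastSet
$pso  = Get-ADUserResultantPasswordPolicy -Identity $user
[pscustomobject]@{
    SamAccountName       = $user.SamAccountName
    PasswordNeverExpires = $user.PasswordNeverExpires   # per-account userAccountControl flag, not a GPO setting
    PasswordLastSet      = $user.PasswordLastSet
    EffectivePolicy      = if ($pso) { "PSO: $($pso.Name)" } else { 'Default domain policy' }
}

# 4. Contrast with local SAM accounts on a member server, which do follow the
#    password policy of whatever GPO wins for the computer's OU (run on that server).
net accounts          # local SAM policy on this machine
net accounts /domain  # policy the DCs enforce for domain accounts
```

If step 1 and step 2 show a finite maximum age while a service account has not expired, check the PasswordNeverExpires flag reported in step 3 before looking at any GPO.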

