Solved

Policy and blocking inheritance.

Posted on 2006-06-15
16
407 Views
Last Modified: 2010-04-18
Hi Peeps,

I don't think this is a tough one, but I just wanted to get a confirmation from the experts.
Basically I have a bunch of OUs and I want to set a domain policy to enforce passwords to be a certain character length.
However, I do not want to affect one of the OUs, which is the server logins. I need them to be unaffected by the domain level policy.
I thought it was as simple as blocking policy inheritance on that specific OU, but from reading certain things here, that is not the case.

How can I apply a domain level policy to all users (Marketing OU, Finance OU, Developers OU, etc. etc.) without affecting the Servers login usernames OU?

Thanks folks,
Raf
0
Question by:dqnet
16 Comments
 
LVL 48

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 100 total points
ID: 16910403
Before you go any further with this, a password policy really should incorporate your entire domain structure - just my two cents.

You can look at using security filtering if you really want users filtered out:
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html

0
 
LVL 85

Accepted Solution

by:oBdA
oBdA earned 100 total points
ID: 16910408
You can't without a third party tool like Anixis's Password Policy Enforcer (http://www.anixis.com/).
You can only have one password policy per domain, and it has to be linked to the domain root; you can't apply (or block) domain password policies to OUs (password policies defined in an OU will only apply to *local* accounts on machines in that OU).

Step-by-Step Guide to Enforcing Strong Password Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
0
 
LVL 9

Expert Comment

by:vsg375
ID: 16910414
Hi,

Did you just block inheritance, or did you explicitly deny the policy on the OU ?

Cheers
0
 
LVL 9

Expert Comment

by:vsg375
ID: 16910418
Hmmm... was late posting that one, as usual ;o)  Jay and oBdA, you're definitely too fast for me ;o)
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16910433
:-) just got lucky, spammed my keyboard and something legible came forth ;-)
0
 

Author Comment

by:dqnet
ID: 16911974
Hey Jay Jay!
How ya doing pal?

Ok, what about this... Would it be possible to implement a domain wide policy but to set the accounts / usernames in which I don't want their password to expire in 30 days as 'Password never expires'?

That way, whatever the password is now, it will never ask me to change it for it to even meet the 15 character complexity rule?
0
 
LVL 85

Expert Comment

by:oBdA
ID: 16911999
Yes, that would work.
0
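An added example, not from any poster in this thread, showing how the two points above can be checked from a domain-joined admin workstation with the ActiveDirectory PowerShell module: the single domain-level password policy, and which accounts in an OU carry the 'Password never expires' flag. The OU distinguished name and the account name are placeholders.

```powershell
# Added example (not part of the original thread). Assumes RSAT / the
# ActiveDirectory module is installed and you have read rights on the domain.
Import-Module ActiveDirectory

# There is one password policy for the whole domain, linked at the domain root;
# blocking inheritance on an OU does not change what domain accounts get.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                  PasswordHistoryCount, LockoutThreshold

# Placeholder OU DN: replace with the DN of your "server logins" OU.
$serverLoginsOu = 'OU=Server Logins,DC=example,DC=local'

# Accounts in that OU with the 'Password never expires' flag set
# (userAccountControl bit 0x10000). These never hit MaxPasswordAge, but the
# length/complexity rules still apply the next time their password is changed.
Get-ADUser -SearchBase $serverLoginsOu -Filter * `
           -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet |
    Sort-Object PasswordLastSet

# The workaround discussed in the thread, for one placeholder account.
# Uncomment to apply; the policy above is unaffected by this per-account flag.
# Set-ADUser -Identity 'svc-placeholder' -PasswordNeverExpires $true
```

Running the audit query periodically gives you a list of every account exempted from rotation, which is the thing worth tracking if you go this route.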
 
LVL 16

Expert Comment

by:Kevin Hays
ID: 16913292
I like that comment Jay_Jay70 :D
Looks like dqnet is thinking outside the box ;)

Cheers

kshays
0
 

Author Comment

by:dqnet
ID: 16914419
Hahaha :)

Ok so one thing: when I go to change the passwords for the server logins myself, the domain wide rule will apply then, yea?
Like I will have to follow the same rules and regulations as I set for the domain (including all the other OUs).

Correct?

Thanks folks...!
0
 
LVL 85

Expert Comment

by:oBdA
ID: 16914431
Exactly. Unless you disable the password policy while changing the passwords ...
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16916517
Hey mate, how are ya :) Sorry for the late response, I was in bed :-P!

Looks like you have been looked after though :) Can I ask why you want to exclude users from a strong password policy?
0
 
LVL 16

Expert Comment

by:Kevin Hays
ID: 16916994
I agree with Jay here, the more complex and longer the password is, the better.  Of course, trying to get this implemented with the staff and management is a pain though.  They just don't quite get why my domain admin password is complex, with a couple of phrases and between 25-40 characters long.  They believe password should = username1 or username2

DOH!!!!

I tell you there is not a day goes by that I don't get a good laugh :)

kshays

PS:  Not saying you were trying to influence the author into weak passwords oBdA :)

0
 

Author Comment

by:dqnet
ID: 16918750
Ahh! Excellent! Simply excellent.. I'll disable it when I come to change the server passwords.

Hahahahah! :)

Well the good news is I got them to follow the policy regardless. They have no choice now! >:)
However, it's the server logins that I can't keep changing. I have like 5-10 logins, and to set a 15 character password for each of them that meets complexity requirements is putting a bit of strain on what needs to be remembered. I set all of them to STRONG passwords, nobody knows them, and I just thought keeping them at that would be sufficient?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16920308
I see what you mean and can understand it; that is your prerogative if you want to keep it like that :)
0
 

Author Comment

by:dqnet
ID: 16920782
Well guys!

Thank you all for your help.

I didn't know exactly who to assign the points to as you've all been helpful.
I simply bumped the points to 200 and divided it between you guys.

Thanks again folks!!
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16921891
Thank you
0