Solved

Enforcing password policy

Posted on 2007-11-30
8
985 Views
Last Modified: 2012-05-05
I am trying to enforce a GPO password policy for all our domain users, and would prefer to implement this on individual user OU's. I changed the Default Domain Policy by going to Computer Configuration -> Workstation Settings -> Security Settings -> Account Policies -> Password Policy. My changes including password complexity worked, however, only at the computer level i.e. local accounts. How do I enforce a password policy at the domain level so it applies to specific domain users?
0
Comment
Question by:qwert5905
8 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 250 total points
ID: 20385822
You cant - the password policy (and account policy) can only be applied at the domain level - not at the OU.
0
 
LVL 5

Expert Comment

by:Engineer_JO
ID: 20385864
yes you can't implement the password policy on user or OU level. you can implement it on domain level.

Best Luck
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20385896
... to expand on my first commenr -  in windows 2000 and 2003 the same password and account policies must be applied at the domain and applies throughout the domain - you cannot have a different polict for different users, groups or OUs.

In Windows 2008 (due soon), the ability to have different policies on OUs has been added.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:qwert5905
ID: 20386201
Thanks for everyone's comments. So, why is the password policy updating the local computer policy and not affecting the network user accounts? I understand that the I've made changes to the Computer Configuration, which affects computers, however, why is this password policy modifed on the Default Domain Policy not enforced when I force password changes on network accounts?
Chris
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20386217
In a domain the domain policy takes presidence over the local policy, the domain policy will apply to domain accounts.

To force the policy to update after immediately you need to run GPUPDATE /force from the run option
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 250 total points
ID: 20386653
To clarify what's been said so far:

1)  Password Policies affect Network (Domain) logons when set in the Default Domain Policy.
2)  You can only have one Password Policy per domain in Server 2003 (and 2000).
3)  Setting Password Policies at the OU level affect ONLY local accounts on the workstations.
4)  Once the Domain Policy has been modified, the password policy only takes effect for new accounts, password resets when passwords expires.  It does not take effect until such time.

0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question