?
Solved

Enforcing password policy

Posted on 2007-11-30
8
Medium Priority
?
993 Views
Last Modified: 2012-05-05
I am trying to enforce a GPO password policy for all our domain users, and would prefer to implement this on individual user OU's. I changed the Default Domain Policy by going to Computer Configuration -> Workstation Settings -> Security Settings -> Account Policies -> Password Policy. My changes including password complexity worked, however, only at the computer level i.e. local accounts. How do I enforce a password policy at the domain level so it applies to specific domain users?
0
Comment
Question by:qwert5905
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 1000 total points
ID: 20385822
You cant - the password policy (and account policy) can only be applied at the domain level - not at the OU.
0
 
LVL 5

Expert Comment

by:Engineer_JO
ID: 20385864
yes you can't implement the password policy on user or OU level. you can implement it on domain level.

Best Luck
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20385896
... to expand on my first commenr -  in windows 2000 and 2003 the same password and account policies must be applied at the domain and applies throughout the domain - you cannot have a different polict for different users, groups or OUs.

In Windows 2008 (due soon), the ability to have different policies on OUs has been added.
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:qwert5905
ID: 20386201
Thanks for everyone's comments. So, why is the password policy updating the local computer policy and not affecting the network user accounts? I understand that the I've made changes to the Computer Configuration, which affects computers, however, why is this password policy modifed on the Default Domain Policy not enforced when I force password changes on network accounts?
Chris
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20386217
In a domain the domain policy takes presidence over the local policy, the domain policy will apply to domain accounts.

To force the policy to update after immediately you need to run GPUPDATE /force from the run option
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 1000 total points
ID: 20386653
To clarify what's been said so far:

1)  Password Policies affect Network (Domain) logons when set in the Default Domain Policy.
2)  You can only have one Password Policy per domain in Server 2003 (and 2000).
3)  Setting Password Policies at the OU level affect ONLY local accounts on the workstations.
4)  Once the Domain Policy has been modified, the password policy only takes effect for new accounts, password resets when passwords expires.  It does not take effect until such time.

0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month11 days, 20 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question