Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Enforcing password policy

Posted on 2007-11-30
8
986 Views
Last Modified: 2012-05-05
I am trying to enforce a GPO password policy for all our domain users, and would prefer to implement this on individual user OU's. I changed the Default Domain Policy by going to Computer Configuration -> Workstation Settings -> Security Settings -> Account Policies -> Password Policy. My changes including password complexity worked, however, only at the computer level i.e. local accounts. How do I enforce a password policy at the domain level so it applies to specific domain users?
0
Comment
Question by:qwert5905
8 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 250 total points
ID: 20385822
You cant - the password policy (and account policy) can only be applied at the domain level - not at the OU.
0
 
LVL 5

Expert Comment

by:Engineer_JO
ID: 20385864
yes you can't implement the password policy on user or OU level. you can implement it on domain level.

Best Luck
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20385896
... to expand on my first commenr -  in windows 2000 and 2003 the same password and account policies must be applied at the domain and applies throughout the domain - you cannot have a different polict for different users, groups or OUs.

In Windows 2008 (due soon), the ability to have different policies on OUs has been added.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:qwert5905
ID: 20386201
Thanks for everyone's comments. So, why is the password policy updating the local computer policy and not affecting the network user accounts? I understand that the I've made changes to the Computer Configuration, which affects computers, however, why is this password policy modifed on the Default Domain Policy not enforced when I force password changes on network accounts?
Chris
0
 
LVL 70

Expert Comment

by:KCTS
ID: 20386217
In a domain the domain policy takes presidence over the local policy, the domain policy will apply to domain accounts.

To force the policy to update after immediately you need to run GPUPDATE /force from the run option
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 250 total points
ID: 20386653
To clarify what's been said so far:

1)  Password Policies affect Network (Domain) logons when set in the Default Domain Policy.
2)  You can only have one Password Policy per domain in Server 2003 (and 2000).
3)  Setting Password Policies at the OU level affect ONLY local accounts on the workstations.
4)  Once the Domain Policy has been modified, the password policy only takes effect for new accounts, password resets when passwords expires.  It does not take effect until such time.

0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question