Multiple password policies in Active Directory

I would like to have 2 password policies in my Active Directory 2003: one with a strict password policy and one with a less restrictive password policy. Is it possible to filter out a user group from the GPO with the strict password policy by using the ACL on the GPO with the strict password policy?
nobska Asked:
LauraEHunter MVP Commented:
Not possible until Windows Server 2008 without third-party tools.  2000 and 2003 AD support only a single password policy per domain natively.
0

Toni Uranjek Consultant/Trainer Commented:
Hi!

This is one of the third-party tools: http://nfrontsecurity.com/products/nfront-password-filter/

Toni
0
nobska Author Commented:
Why is it not possible to filter the stronger password policy GPO from a particular group by using the ACL and placing that group in the Deny column?
0
LauraEHunter MVP Commented:
Implementation detail of Active Directory - password policy is not stored in a Group Policy Object, it is an attribute of the Domain NC (which is why you only get one per domain). That you can edit this domain NC attribute via GPMC is an administrative convenience.
0
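
The point made in the answer above can be checked directly. This is an added example, not part of the original thread: a read-only PowerShell script that reads the password policy from the domain NC head object over ADSI, with no GPO involved. It assumes a domain-joined machine and uses the standard AD schema attribute names; the function name `ConvertFrom-AdInterval` is made up for this example.

```powershell
# Added example (read-only): read the domain password policy straight from
# the domain NC head object instead of from a GPO.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$domainDn"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
$searcher.Filter      = '(objectClass=*)'

# Standard AD schema attribute names, written in lower case because that is
# how SearchResult.Properties keys them.
$names = 'minpwdlength', 'pwdhistorylength', 'pwdproperties', 'minpwdage',
         'maxpwdage', 'lockoutthreshold', 'lockoutduration',
         'lockoutobservationwindow'
foreach ($n in $names) { [void]$searcher.PropertiesToLoad.Add($n) }
$p = $searcher.FindOne().Properties

# Age and duration attributes are negative counts of 100 ns intervals.
# 0 or Int64.MinValue means "no limit"; Abs(Int64.MinValue) would overflow,
# so that case is handled before converting.
function ConvertFrom-AdInterval([Int64]$Value) {
    if ($Value -eq 0 -or $Value -eq [Int64]::MinValue) { return 'none' }
    return [TimeSpan]::FromTicks([Math]::Abs($Value)).ToString()
}

# pwdProperties is a bit mask: 0x1 = complexity required,
# 0x10 = store passwords with reversible encryption.
$flags = [int]$p['pwdproperties'][0]

New-Object PSObject -Property @{
    Domain               = $domainDn
    MinPwdLength         = $p['minpwdlength'][0]
    PwdHistoryLength     = $p['pwdhistorylength'][0]
    ComplexityRequired   = (($flags -band 0x1) -ne 0)
    ReversibleEncryption = (($flags -band 0x10) -ne 0)
    MinPwdAge            = ConvertFrom-AdInterval $p['minpwdage'][0]
    MaxPwdAge            = ConvertFrom-AdInterval $p['maxpwdage'][0]
    LockoutThreshold     = $p['lockoutthreshold'][0]
    LockoutDuration      = ConvertFrom-AdInterval $p['lockoutduration'][0]
    LockoutWindow        = ConvertFrom-AdInterval $p['lockoutobservationwindow'][0]
} | Format-List
```

Because there is one such object per domain, the script returns a single set of values regardless of which users or groups a GPO's ACL includes or denies.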
Toni Uranjek Consultant/Trainer Commented:
Password policy applies to domain controllers and that's where password change actually happens.
0
nobska Author Commented:
Thank you for your help. I am disappointed by the answer but the two of you have saved us from an implementation nightmare. I will wait until we upgrade to Windows Server 2008 to implement the password policy change.
0