nobska
asked on
Multiple password policies in Active Directory
I would like to have 2 password policies in my Active Directory 2003 one with a strict password policy and one with a less restrictive password policy. Is it possible to filter out a user group from the GPO with the strict password policy by using the ACL on the GPO with the strict password policy?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Why is it not possible to filter the stronger password policy GPO from a particular group by using the ACL and placing that group in the Deny column?
Implementation detail of Active Directory - password polilcy is not stored in a Group Policy Object, it is an attribute of the Domain NC (which is why you only get one per domain). That you can edit this domain NC attribute via GPMC is an administrative convenience.
Password policy applies to domain controllers and that's where password change actually happens.
ASKER
Thank you for your help. I am disappointed by the answer but the two of you have saved us from an implementation nightmare. I will wait until we upgrade to Windows Server 2008 to implement the password policy change.
This is one of third party tools: http://nfrontsecurity.com/products/nfront-password-filter/
Toni