Multiple password policies in Active Directory

I would like to have 2 password policies in my Active Directory 2003: one with a strict password policy and one with a less restrictive password policy. Is it possible to filter out a user group from the GPO with the strict password policy by using the ACL on the GPO with the strict password policy?

Not possible until Windows Server 2008 without third-party tools.  2000 and 2003 AD support only a single password policy per domain natively.
Toni Uranjek, Consultant/Trainer

Commented:
Hi!

This is one of the third-party tools: http://nfrontsecurity.com/products/nfront-password-filter/

Toni

Author

Commented:
Why is it not possible to filter the stronger password policy GPO from a particular group by using the ACL and placing that group in the Deny column?
Implementation detail of Active Directory - password policy is not stored in a Group Policy Object, it is an attribute of the Domain NC (which is why you only get one per domain). That you can edit this domain NC attribute via GPMC is an administrative convenience.
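
The point in the answer above, that the password policy is held as attributes on the domain NC head rather than in a GPO, can be checked by reading those attributes directly. This is an added example, not part of the original thread; the function names are hypothetical, and it assumes a domain-joined machine and a session running as an authenticated domain user.

```powershell
# Added example: read the single domain-wide password policy from the
# domain naming context (NC) head object instead of from any GPO.

function Convert-AdInterval([Int64]$Value) {
    # AD stores these intervals as negative counts of 100-ns ticks.
    # 0 or Int64.MinValue means the limit is not enforced.
    if ($Value -eq 0 -or $Value -eq [Int64]::MinValue) { return 'none/unlimited' }
    return [TimeSpan]::FromTicks([Math]::Abs($Value))
}

function Get-DomainNcPasswordPolicy {
    # Locate the domain NC for the current domain via RootDSE.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext

    # Base-scope search: return only the NC head object itself.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$domainDn"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $searcher.Filter      = '(objectClass=domainDNS)'
    [string[]]$attrs = 'minPwdLength','pwdHistoryLength','pwdProperties',
                       'maxPwdAge','minPwdAge','lockoutThreshold',
                       'lockoutDuration','lockOutObservationWindow'
    $searcher.PropertiesToLoad.AddRange($attrs)

    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Could not read domain NC head $domainDn" }
    $p = $result.Properties          # property names are stored in lowercase

    $flags = [int]$p['pwdproperties'][0]
    [pscustomobject]@{
        DomainNC            = $domainDn
        MinPasswordLength   = [int]$p['minpwdlength'][0]
        PasswordHistory     = [int]$p['pwdhistorylength'][0]
        ComplexityRequired  = [bool]($flags -band 1)    # DOMAIN_PASSWORD_COMPLEX
        ReversibleStorage   = [bool]($flags -band 16)   # DOMAIN_PASSWORD_STORE_CLEARTEXT
        MaxPasswordAge      = Convert-AdInterval $p['maxpwdage'][0]
        MinPasswordAge      = Convert-AdInterval $p['minpwdage'][0]
        LockoutThreshold    = [int]$p['lockoutthreshold'][0]
        LockoutDuration     = Convert-AdInterval $p['lockoutduration'][0]
        LockoutObservation  = Convert-AdInterval $p['lockoutobservationwindow'][0]
    }
}

Get-DomainNcPasswordPolicy | Format-List
```

The output is the same for every account in the domain, whatever the ACL on any GPO says, because the values come from one object per domain.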
Toni Uranjek, Consultant/Trainer

Commented:
Password policy applies to domain controllers and that's where password change actually happens.

Author

Commented:
Thank you for your help. I am disappointed by the answer but the two of you have saved us from an implementation nightmare. I will wait until we upgrade to Windows Server 2008 to implement the password policy change.