Solved

Primary OU with Computer Configuration GP and Sub OU's with Additional Computer Configurations GP's are not working

Posted on 2008-06-18
6
407 Views
Last Modified: 2013-11-21
Windows 2003 R2 with SP2 running terminal server licenses.  What we want to do is have Group Policy Computer Configuration settings that apply to all OUs beneath the primary OU.  Under the primary OU will be sub-OUs that have unique Computer Configuration settings for the password policy.  

When we have the actual computer account under the primary OU, GP with general computer configurations applied at the same level, and password policy computer policy GP at the sub OU is that the sub OU policies will not work.  If we move the computer account under one of the sub-OUs then the sub OU policy over-rides the primary computer policy settings.  

Is there a way to have the computer account at the primary OU with the general computer configuration GP, and have the sub OU policies for the password policy?   If so, please explain how to accomplish this.
0
Comment
Question by:rogeneca
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 21818291
In Windows Server 2000 and 2003, you can only have one password policy per domain without resorting to 3rd-party software.

In 2008 you can define fine-grained password policies on the basis of security group membership, not on the basis of OU membership.
0
 

Author Comment

by:rogeneca
ID: 21818316
Actually the primary computer configuration does not include anything about the password policy, but what I think you are saying is that each sub-ou is not able to have a different password policy even if we wanted it to.  Correct?

Why does it work with the Computer in the sub-ou, but not when the Computer is in the primary OU?
0
 

Author Comment

by:rogeneca
ID: 21818321
One other comment, our Default Domain Policy has one password policy and the OU we are discussing has a different one and it does work, but not as we want it to.  
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21818323
It shouldn't.  Other GP settings can be set selectively at the OU/sub-OU level, but password policies can only be set once at the domain level.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 21818328
I'm not clear on what you are saying here but the advice you were given is 100% correct. You can only have one password and account policy per domain. normally set in the default domain policy.

Any password and/or account policy set elsewhere is simply ignored and will have no affect whatsoever, All OUs and sub-OUs must have the same policy
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21818707
Its ignored at a domain level yes - but appying a password policy to an OU will affect the local user accounts on the machines within the OU
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question