Solved

Primary OU with Computer Configuration GP and Sub-OUs with Additional Computer Configuration GPs are not working

Posted on 2008-06-18
Last Modified: 2013-11-21
Windows 2003 R2 with SP2 running terminal server licenses.  What we want to do is have Group Policy Computer Configuration settings that apply to all OUs beneath the primary OU.  Under the primary OU will be sub-OUs that have unique Computer Configuration settings for the password policy.  

When we have the actual computer account under the primary OU, a GP with general computer configurations applied at the same level, and a password policy computer policy GP at the sub-OU, the sub-OU policies will not work. If we move the computer account under one of the sub-OUs, then the sub-OU policy overrides the primary computer policy settings.

Is there a way to have the computer account at the primary OU with the general computer configuration GP, and have the sub OU policies for the password policy?   If so, please explain how to accomplish this.
Question by:rogeneca

Accepted Solution

by:
LauraEHunterMVP earned 2000 total points
ID: 21818291
In Windows Server 2000 and 2003, you can only have one password policy per domain without resorting to 3rd-party software.

In 2008 you can define fine-grained password policies on the basis of security group membership, not on the basis of OU membership.

Author Comment

by:rogeneca
ID: 21818316
Actually the primary computer configuration does not include anything about the password policy, but what I think you are saying is that each sub-ou is not able to have a different password policy even if we wanted it to.  Correct?

Why does it work with the Computer in the sub-ou, but not when the Computer is in the primary OU?

Author Comment

by:rogeneca
ID: 21818321
One other comment, our Default Domain Policy has one password policy and the OU we are discussing has a different one and it does work, but not as we want it to.  

Expert Comment

by:LauraEHunterMVP
ID: 21818323
It shouldn't.  Other GP settings can be set selectively at the OU/sub-OU level, but password policies can only be set once at the domain level.

Expert Comment

by:KCTS
ID: 21818328
I'm not clear on what you are saying here, but the advice you were given is 100% correct. You can only have one password and account policy per domain, normally set in the Default Domain Policy.

Any password and/or account policy set elsewhere is simply ignored and will have no effect whatsoever. All OUs and sub-OUs must have the same policy.

Expert Comment

by:Jay_Jay70
ID: 21818707
It's ignored at a domain level, yes - but applying a password policy to an OU will affect the local user accounts on the machines within the OU.
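
An added example, not part of the original thread or written by any of its participants: a PowerShell audit of the behaviour described in the answers above (one password policy for domain accounts, OU-linked password settings reaching only local accounts, fine-grained policies targeting groups). It assumes the ActiveDirectory and GroupPolicy RSAT modules from Windows Server 2008 R2 or later, and that a domain-root link's `SOMPath` in the GPO report equals the domain's DNS name.

```powershell
# Added example: show where password settings are defined and what they actually govern.
# Assumption: ActiveDirectory and GroupPolicy RSAT modules are installed.
Import-Module ActiveDirectory, GroupPolicy

$domainDns = (Get-ADDomain).DNSRoot

# 1. The one policy that governs domain accounts, read from the domain object itself.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  ComplexityEnabled, LockoutThreshold

# 2. Every GPO that carries password settings, and each place it is linked.
$findings = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # Account-policy entries of type 'Password' in the Security Settings extension.
    $pw = @($report.GPO.Computer.ExtensionData.Extension.Account |
            Where-Object { $_.Type -eq 'Password' })
    if ($pw.Count -eq 0) { continue }

    foreach ($link in @($report.GPO.LinksTo)) {
        if (-not $link) { continue }   # GPO defines settings but is linked nowhere
        # Assumption: a link at the domain root reports SOMPath equal to the DNS name.
        $atRoot = ($link.SOMPath -eq $domainDns)
        [pscustomobject]@{
            GPO      = $gpo.DisplayName
            LinkedTo = $link.SOMPath
            Enabled  = $link.Enabled
            Governs  = if ($atRoot) { 'Domain accounts (domain-root link)' }
                       else { 'Local accounts on computers in this OU only' }
            Settings = ($pw | ForEach-Object { $_.Name }) -join ', '
        }
    }
}
$findings | Sort-Object LinkedTo | Format-Table -AutoSize -Wrap

# 3. Windows Server 2008 and later: fine-grained policies target users or
#    security groups (AppliesTo), never OUs.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo
```

Any row whose `Governs` column says "Local accounts" is a GPO that looks like a per-OU password policy but has no effect on domain logons.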