Primary OU with Computer Configuration GP and Sub OU's with Additional Computer Configurations GP's are not working

Windows 2003 R2 with SP2 running terminal server licenses.  What we want to do is have Group Policy Computer Configuration settings that apply to all OUs beneath the primary OU.  Under the primary OU will be sub-OUs that have unique Computer Configuration settings for the password policy.  

When we have the actual computer account under the primary OU, GP with general computer configurations applied at the same level, and password policy computer policy GP at the sub OU is that the sub OU policies will not work.  If we move the computer account under one of the sub-OUs then the sub OU policy over-rides the primary computer policy settings.  

Is there a way to have the computer account at the primary OU with the general computer configuration GP, and have the sub OU policies for the password policy?   If so, please explain how to accomplish this.
rogenecaAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
LauraEHunterMVPConnect With a Mentor Commented:
In Windows Server 2000 and 2003, you can only have one password policy per domain without resorting to 3rd-party software.

In 2008 you can define fine-grained password policies on the basis of security group membership, not on the basis of OU membership.
0
 
rogenecaAuthor Commented:
Actually the primary computer configuration does not include anything about the password policy, but what I think you are saying is that each sub-ou is not able to have a different password policy even if we wanted it to.  Correct?

Why does it work with the Computer in the sub-ou, but not when the Computer is in the primary OU?
0
 
rogenecaAuthor Commented:
One other comment, our Default Domain Policy has one password policy and the OU we are discussing has a different one and it does work, but not as we want it to.  
0
Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

 
LauraEHunterMVPCommented:
It shouldn't.  Other GP settings can be set selectively at the OU/sub-OU level, but password policies can only be set once at the domain level.
0
 
KCTSCommented:
I'm not clear on what you are saying here but the advice you were given is 100% correct. You can only have one password and account policy per domain. normally set in the default domain policy.

Any password and/or account policy set elsewhere is simply ignored and will have no affect whatsoever, All OUs and sub-OUs must have the same policy
0
 
Jay_Jay70Commented:
Its ignored at a domain level yes - but appying a password policy to an OU will affect the local user accounts on the machines within the OU
0
All Courses

From novice to tech pro — start learning today.