?
Solved

Primary OU with Computer Configuration GP and Sub OU's with Additional Computer Configurations GP's are not working

Posted on 2008-06-18
6
Medium Priority
?
411 Views
Last Modified: 2013-11-21
Windows 2003 R2 with SP2 running terminal server licenses.  What we want to do is have Group Policy Computer Configuration settings that apply to all OUs beneath the primary OU.  Under the primary OU will be sub-OUs that have unique Computer Configuration settings for the password policy.  

When we have the actual computer account under the primary OU, GP with general computer configurations applied at the same level, and password policy computer policy GP at the sub OU is that the sub OU policies will not work.  If we move the computer account under one of the sub-OUs then the sub OU policy over-rides the primary computer policy settings.  

Is there a way to have the computer account at the primary OU with the general computer configuration GP, and have the sub OU policies for the password policy?   If so, please explain how to accomplish this.
0
Comment
Question by:rogeneca
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 2000 total points
ID: 21818291
In Windows Server 2000 and 2003, you can only have one password policy per domain without resorting to 3rd-party software.

In 2008 you can define fine-grained password policies on the basis of security group membership, not on the basis of OU membership.
0
 

Author Comment

by:rogeneca
ID: 21818316
Actually the primary computer configuration does not include anything about the password policy, but what I think you are saying is that each sub-ou is not able to have a different password policy even if we wanted it to.  Correct?

Why does it work with the Computer in the sub-ou, but not when the Computer is in the primary OU?
0
 

Author Comment

by:rogeneca
ID: 21818321
One other comment, our Default Domain Policy has one password policy and the OU we are discussing has a different one and it does work, but not as we want it to.  
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21818323
It shouldn't.  Other GP settings can be set selectively at the OU/sub-OU level, but password policies can only be set once at the domain level.
0
 
LVL 70

Expert Comment

by:KCTS
ID: 21818328
I'm not clear on what you are saying here but the advice you were given is 100% correct. You can only have one password and account policy per domain. normally set in the default domain policy.

Any password and/or account policy set elsewhere is simply ignored and will have no affect whatsoever, All OUs and sub-OUs must have the same policy
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 21818707
Its ignored at a domain level yes - but appying a password policy to an OU will affect the local user accounts on the machines within the OU
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Suggested Courses
Course of the Month13 days, 17 hours left to enroll

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question