Solved

Primary OU with Computer Configuration GP and Sub-OUs with Additional Computer Configuration GPs are not working

Posted on 2008-06-18
Last Modified: 2013-11-21
Windows 2003 R2 with SP2 running terminal server licenses.  What we want to do is have Group Policy Computer Configuration settings that apply to all OUs beneath the primary OU.  Under the primary OU will be sub-OUs that have unique Computer Configuration settings for the password policy.  

When we have the actual computer account under the primary OU, a GP with general computer configurations applied at the same level, and a password policy computer policy GP at the sub-OU, the sub-OU policies will not work.  If we move the computer account under one of the sub-OUs then the sub-OU policy overrides the primary computer policy settings.

Is there a way to have the computer account at the primary OU with the general computer configuration GP, and have the sub OU policies for the password policy?   If so, please explain how to accomplish this.
Question by:rogeneca
6 Comments

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 21818291
In Windows Server 2000 and 2003, you can only have one password policy per domain without resorting to 3rd-party software.

In 2008 you can define fine-grained password policies on the basis of security group membership, not on the basis of OU membership.

Author Comment

by:rogeneca
ID: 21818316
Actually the primary computer configuration does not include anything about the password policy, but what I think you are saying is that each sub-OU is not able to have a different password policy even if we wanted it to.  Correct?

Why does it work with the computer in the sub-OU, but not when the computer is in the primary OU?

Author Comment

by:rogeneca
ID: 21818321
One other comment, our Default Domain Policy has one password policy and the OU we are discussing has a different one and it does work, but not as we want it to.  

Expert Comment

by:LauraEHunterMVP
ID: 21818323
It shouldn't.  Other GP settings can be set selectively at the OU/sub-OU level, but password policies can only be set once at the domain level.

Expert Comment

by:KCTS
ID: 21818328
I'm not clear on what you are saying here, but the advice you were given is 100% correct. You can only have one password and account policy per domain, normally set in the Default Domain Policy.

Any password and/or account policy set elsewhere is simply ignored and will have no effect whatsoever. All OUs and sub-OUs must have the same policy.

Expert Comment

by:Jay_Jay70
ID: 21818707
It's ignored at a domain level, yes - but applying a password policy to an OU will affect the local user accounts on the machines within the OU.
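
The distinction drawn in the answers above, as an added example that is not part of the original thread: a read-only PowerShell check of which password policy actually governs a domain account. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT) and PowerShell 3.0 or later; the function name `Get-EffectivePasswordPolicy` and the account name `jdoe` are hypothetical.

```powershell
# Added example: report the password policy in force for a DOMAIN account.
# Read-only; changes nothing in the directory.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName   # hypothetical account name supplied by the caller
    )

    # Fine-grained policies (PSOs) need the Windows Server 2008 domain functional
    # level and are applied to users or security groups, never to an OU.
    # The cmdlet returns nothing when no PSO applies to the account.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName

    if ($pso) {
        $source = "Fine-grained policy '$($pso.Name)' (precedence $($pso.Precedence))"
        $policy = $pso
    }
    else {
        # No PSO: the single domain-wide policy applies, whatever password
        # settings a GPO linked to an OU or sub-OU happens to contain.
        $source = 'Domain-wide password policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    [pscustomobject]@{
        Account              = $SamAccountName
        Source               = $source
        MinPasswordLength    = $policy.MinPasswordLength
        PasswordHistoryCount = $policy.PasswordHistoryCount
        MaxPasswordAge       = $policy.MaxPasswordAge
        ComplexityEnabled    = $policy.ComplexityEnabled
        LockoutThreshold     = $policy.LockoutThreshold
    }
}

# Domain account: the result never varies with the OU the user or computer is in.
Get-EffectivePasswordPolicy -SamAccountName 'jdoe'

# Local (SAM) accounts are the exception noted in the last comment: run this on
# a member server to see the policy that a GPO linked to its OU has set for them.
net accounts
```

Comparing the function's output with `net accounts` on a member server in a sub-OU shows the two policies side by side: the first governs domain logons, the second only accounts defined locally on that machine.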