Solved

Group Policies

Posted on 2008-06-19
13
348 Views
Last Modified: 2010-03-17
Good Afternoon,

As in (i'm guessing) most companies we have serveral groups with different policies applied in AD. Now password policies currently set so that only we can change the passwords on a users account. We would like to change this, we would like to set it so that HO (Head Office) users are asked to change their password on a regular basis (say once a month) and other users (mainly External laptop users) are not asked to do this. The problem that I forsee is that these users are not split in these groups they are split into depatmental groups so if you apply it to say an accounts group it would affect everyone in that group and not just the HO users that we want it to.

We would like to be able to do this without doing it by user.

Any help would be much appreciated and if you need anymore information please ask.

Thanks in Advance

Alex
0
Comment
Question by:Alex-Kay
  • 4
  • 3
  • 3
  • +3
13 Comments
 
LVL 2

Assisted Solution

by:Donald_Gibson
Donald_Gibson earned 25 total points
Comment Utility
If I understand the question, you can apply the passwords to OU (Organizational Units) within ADUC (Active Directory Users and Computers).  Basically, make an OU (or use an existing one) and have the groups you want to affect fall under that umbrella.  Then modify the policy on the OU by going to ADUC right mouse clickong on that OU, properties, and there is something like 'manage policies' i believe.
0
 
LVL 38

Expert Comment

by:Shift-3
Comment Utility
This is not possible under 2000 or 2003 Active Directory.  They only permit a single set of password policies for a domain.  Password policies cannot be set at the OU level.  To create separate ones you would have to create separate domains.

Server 2008 AD does allow Fine-Grained Password Policies.
http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx

0
 
LVL 1

Author Comment

by:Alex-Kay
Comment Utility
Ok that said, Can you add a password policy to the root of a domain and then set a policy to disable it on a specific OU?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
You would select Block inheritance on the Group Policy at the OU level.
0
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 25 total points
Comment Utility
Also, if you want the group policy not to affect certain group of users you would go to the security tab of the group policy then add the group in the permissions you would select deny Apply group policy.
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 325 total points
Comment Utility
dariusg, this answer is incorrect as it pertains to AD domain accounts.  Setting Block Inheritance on an OU will not affect the domain password policy or account lockout policies; it will only affect any other GP policies that were configured at a higher level than the OU that has Block Inheritance configured.

Password policies and account lockout policies are attributes of the domain object; they are only exposed via the GPMC as an administrative convenience.  The only way to exempt one or more users from the domain-wide password policy in 200/3 is to use the "password never expires" flag; however, the users will still be subject to account lockout policies and any password length/complexity requirements.
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 4

Assisted Solution

by:oks1977
oks1977 earned 25 total points
Comment Utility
Hi Alex-Kay,

No, you could not set a policy to disable it on a specific OU as the settings affects all users ad computers in the domain. However, a another workaround might be as below:

For those users which are not adhere to password change policy, you can create a OU and pull those users and computers into this OU and ask them to log on locally. In doing so, the password policies applied @ OU level will affect them.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
Sorry Alex-Kay! LauraEHunterMVP is correct you can't block inheritance on a domain password policy. I didn't fully read the question.
0
 
LVL 1

Author Comment

by:Alex-Kay
Comment Utility
oks1977,

That won't work as we need other policies to be applied to these machines and accounts so they must log onto the domain. (at least when they are connected)

How about if we set up a seperate domain for those users that log on externally or from other locations? would that be a feesable option?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 325 total points
Comment Utility
Feasible, yes, but creates a great deal of complexity to manage.  At this point I'd be more likely to recommend going to 2K8 AD, which allows for multiple password policies in a single domain.
0
 
LVL 1

Author Comment

by:Alex-Kay
Comment Utility
I had thought of that aswell but there is some cost involved in doing that so I was hoping that I could find a work around.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
Comment Utility
Your workaround is a separate domain, for which there will also be cost involved in establishing and maintaining a more complex infrastructure.  As they say, you can pay now or you can pay later.
0
 
LVL 1

Author Comment

by:Alex-Kay
Comment Utility
HAHA

right well I'm going to have to run this past the Director to see if I can get it approved or if they would prefer to leave it as it is for the moment. (Although I can't imagine they will as there is a security risk).

Thank you for your help
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

Installing a printer using group policy preferences is not that hard let’s take a look at it. First lets open up your group policy console and edit the policy you want to add it to. I recommend creating a new policy for each printer makes it a l…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now