Solved
Group Policies

Posted on 2008-06-19
Medium Priority
362 Views
Last Modified: 2010-03-17
Good Afternoon,

As in (I'm guessing) most companies, we have several groups with different policies applied in AD. Now, password policies are currently set so that only we can change the passwords on a user's account. We would like to change this: we would like to set it so that HO (Head Office) users are asked to change their password on a regular basis (say once a month) and other users (mainly external laptop users) are not asked to do this. The problem that I foresee is that these users are not split into these groups; they are split into departmental groups, so if you apply it to, say, an accounts group it would affect everyone in that group and not just the HO users that we want it to.

We would like to be able to do this without doing it by user.

Any help would be much appreciated, and if you need any more information please ask.

Thanks in Advance

Alex
Question by:Alex-Kay
13 Comments
 
LVL 2

Assisted Solution

by:Donald_Gibson
Donald_Gibson earned 100 total points
ID: 21822619
If I understand the question, you can apply the passwords to OUs (Organizational Units) within ADUC (Active Directory Users and Computers).  Basically, make an OU (or use an existing one) and have the groups you want to affect fall under that umbrella.  Then modify the policy on the OU by going to ADUC, right mouse clicking on that OU, Properties, and there is something like 'manage policies' I believe.
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 21822695
This is not possible under 2000 or 2003 Active Directory.  They only permit a single set of password policies for a domain.  Password policies cannot be set at the OU level.  To create separate ones you would have to create separate domains.

Server 2008 AD does allow Fine-Grained Password Policies.
http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx

0
 
LVL 1

Author Comment

by:Alex-Kay
ID: 21822865
OK, that said, can you add a password policy to the root of a domain and then set a policy to disable it on a specific OU?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21822932
You would select Block inheritance on the Group Policy at the OU level.
0
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 100 total points
ID: 21822971
Also, if you want the group policy not to affect a certain group of users, you would go to the Security tab of the group policy, then add the group in the permissions and select Deny on Apply Group Policy.
0
 
LVL 30

Accepted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 1300 total points
ID: 21823020
dariusg, this answer is incorrect as it pertains to AD domain accounts.  Setting Block Inheritance on an OU will not affect the domain password policy or account lockout policies; it will only affect any other GP policies that were configured at a higher level than the OU that has Block Inheritance configured.

Password policies and account lockout policies are attributes of the domain object; they are only exposed via the GPMC as an administrative convenience.  The only way to exempt one or more users from the domain-wide password policy in 2000/3 is to use the "password never expires" flag; however, the users will still be subject to account lockout policies and any password length/complexity requirements.
0
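To make the accepted answer concrete, here is an added PowerShell example (not code from the thread or from any of the posters) that reads the password and lockout settings straight off the domain object, shows they match what the GPMC reports, and then lists the enabled accounts that carry the "password never expires" flag together with their password age, so that exemptions granted as a workaround stay visible. It assumes the ActiveDirectory module (Windows Server 2008 R2 or the matching RSAT, or later) and a reader with ordinary read access to the domain.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (2008 R2 / RSAT or later) and read access to the domain naming context.
Import-Module ActiveDirectory

# AD stores age/duration attributes as negative 100-ns intervals (same unit
# as .NET ticks). Int64.MinValue is the sentinel for "never" / "forever".
function ConvertFrom-AdInterval {
    param([Parameter(Mandatory)][int64]$Value)
    if ($Value -eq [int64]::MinValue -or $Value -eq 0) { return 'Never' }
    return [TimeSpan]::FromTicks(-$Value)
}

$domain = Get-ADDomain

# Password and lockout policy live as attributes of the domain head itself;
# the GPMC only renders them under the Default Domain Policy.
$root = Get-ADObject -Identity $domain.DistinguishedName `
    -Properties maxPwdAge, minPwdAge, minPwdLength, pwdHistoryLength,
                pwdProperties, lockoutThreshold, lockoutDuration

# Bit 0 of pwdProperties is DOMAIN_PASSWORD_COMPLEX.
$complexity = [bool]($root.pwdProperties -band 1)

[pscustomobject]@{
    Domain            = $domain.DNSRoot
    MaxPasswordAge    = ConvertFrom-AdInterval $root.maxPwdAge
    MinPasswordAge    = ConvertFrom-AdInterval $root.minPwdAge
    MinPasswordLength = $root.minPwdLength
    HistoryLength     = $root.pwdHistoryLength
    ComplexityEnabled = $complexity
    LockoutThreshold  = $root.lockoutThreshold
    LockoutDuration   = ConvertFrom-AdInterval $root.lockoutDuration
} | Format-List

# The same values as the AD module presents them, for comparison.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                PasswordHistoryCount, ComplexityEnabled, LockoutThreshold, LockoutDuration

# Enabled accounts exempted from expiry with the flag, oldest password first.
# These accounts still get lockout and complexity enforced, as the answer says,
# but nothing ever forces a change, so their age is worth watching.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
           -Properties PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'PasswordAgeDays'
           Expression = { if ($_.PasswordLastSet) { [int](New-TimeSpan -Start $_.PasswordLastSet).TotalDays } } } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Running the first two parts side by side is the quickest way to confirm the point being made: editing the policy in a GPO linked to an OU, or blocking inheritance there, leaves these domain-head attributes untouched, and it is the attributes that domain controllers enforce.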
 
LVL 4

Assisted Solution

by:oks1977
oks1977 earned 100 total points
ID: 21823123
Hi Alex-Kay,

No, you could not set a policy to disable it on a specific OU, as the settings affect all users and computers in the domain. However, another workaround might be as below:

For those users which do not adhere to the password change policy, you can create an OU and pull those users and computers into this OU and ask them to log on locally. In doing so, the password policies applied @ OU level will affect them.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21823779
Sorry Alex-Kay! LauraEHunterMVP is correct you can't block inheritance on a domain password policy. I didn't fully read the question.
0
 
LVL 1

Author Comment

by:Alex-Kay
ID: 21844899
oks1977,

That won't work, as we need other policies to be applied to these machines and accounts, so they must log onto the domain (at least when they are connected).

How about if we set up a separate domain for those users that log on externally or from other locations? Would that be a feasible option?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 1300 total points
ID: 21845306
Feasible, yes, but creates a great deal of complexity to manage.  At this point I'd be more likely to recommend going to 2K8 AD, which allows for multiple password policies in a single domain.
0
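The 2008-level approach recommended here, and linked earlier in the thread as Fine-Grained Password Policies, is shown below as an added PowerShell example (not code from the thread or from any of the posters). It fits the asker's situation directly: a Password Settings Object binds to users and global security groups rather than OUs, so the existing departmental groups can stay as they are and a single new global group decides who gets the monthly rotation. The group name HO-Users, the policy name HO-MonthlyRotation and the specific values are assumptions; the script requires the Windows Server 2008 domain functional level and the ActiveDirectory module (2008 R2 / RSAT or later).

```powershell
# Added example, not from the thread. Names and values are assumptions.
# Requires: domain functional level Windows Server 2008 or higher, the
# ActiveDirectory module, and rights to create groups and PSOs.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$needed = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ($domain.DomainMode -lt $needed) {
    throw "Fine-grained password policies need the 2008 domain functional level; current level is $($domain.DomainMode)"
}

# 1. A dedicated global security group holding only Head Office users.
#    Membership here is independent of the departmental groups already in use.
$group = Get-ADGroup -Filter "Name -eq 'HO-Users'"
if (-not $group) {
    $group = New-ADGroup -Name 'HO-Users' -GroupScope Global -GroupCategory Security `
                         -Path $domain.UsersContainer -PassThru
}

# 2. The policy object. Every setting is stated explicitly; a PSO does not
#    inherit anything from the domain default. Lower Precedence wins if a user
#    ends up covered by more than one PSO.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'HO-MonthlyRotation'"
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name 'HO-MonthlyRotation' `
        -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 30) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 12 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -PassThru
}

# 3. Bind the PSO to the group. Group membership, not OU placement, decides
#    who is covered; everyone else stays on the domain default.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group

# 4. Verify the resultant policy for each member. $null from
#    Get-ADUserResultantPasswordPolicy means the domain default applies.
$default = Get-ADDefaultDomainPasswordPolicy
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.DistinguishedName
        [pscustomobject]@{
            User   = $_.SamAccountName
            Policy = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
            MaxAge = if ($effective) { $effective.MaxPasswordAge } else { $default.MaxPasswordAge }
        }
    } | Format-Table -AutoSize
```

Two points worth keeping in mind when using this: a PSO applied directly to a user beats any PSO applied through a group regardless of precedence, so resultant-policy checks like step 4 are the reliable way to see what a given account actually gets; and because the laptop users are simply not members of HO-Users, they keep the domain default with no per-user work, which was the requirement in the original question.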
 
LVL 1

Author Comment

by:Alex-Kay
ID: 21845652
I had thought of that as well, but there is some cost involved in doing that, so I was hoping that I could find a workaround.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21845679
Your workaround is a separate domain, for which there will also be cost involved in establishing and maintaining a more complex infrastructure.  As they say, you can pay now or you can pay later.
0
 
LVL 1

Author Comment

by:Alex-Kay
ID: 21845751
HAHA

Right, well, I'm going to have to run this past the Director to see if I can get it approved, or if they would prefer to leave it as it is for the moment (although I can't imagine they will, as there is a security risk).

Thank you for your help
0