Solved

Group Policies

Posted on 2008-06-19
13
361 Views
Last Modified: 2010-03-17
Good Afternoon,

As in (i'm guessing) most companies we have serveral groups with different policies applied in AD. Now password policies currently set so that only we can change the passwords on a users account. We would like to change this, we would like to set it so that HO (Head Office) users are asked to change their password on a regular basis (say once a month) and other users (mainly External laptop users) are not asked to do this. The problem that I forsee is that these users are not split in these groups they are split into depatmental groups so if you apply it to say an accounts group it would affect everyone in that group and not just the HO users that we want it to.

We would like to be able to do this without doing it by user.

Any help would be much appreciated and if you need anymore information please ask.

Thanks in Advance

Alex
0
Comment
Question by:Alex-Kay
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 3
  • +3
13 Comments
 
LVL 2

Assisted Solution

by:Donald_Gibson
Donald_Gibson earned 25 total points
ID: 21822619
If I understand the question, you can apply the passwords to OU (Organizational Units) within ADUC (Active Directory Users and Computers).  Basically, make an OU (or use an existing one) and have the groups you want to affect fall under that umbrella.  Then modify the policy on the OU by going to ADUC right mouse clickong on that OU, properties, and there is something like 'manage policies' i believe.
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 21822695
This is not possible under 2000 or 2003 Active Directory.  They only permit a single set of password policies for a domain.  Password policies cannot be set at the OU level.  To create separate ones you would have to create separate domains.

Server 2008 AD does allow Fine-Grained Password Policies.
http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx

0
 
LVL 1

Author Comment

by:Alex-Kay
ID: 21822865
Ok that said, Can you add a password policy to the root of a domain and then set a policy to disable it on a specific OU?
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21822932
You would select Block inheritance on the Group Policy at the OU level.
0
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 25 total points
ID: 21822971
Also, if you want the group policy not to affect certain group of users you would go to the security tab of the group policy then add the group in the permissions you would select deny Apply group policy.
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 325 total points
ID: 21823020
dariusg, this answer is incorrect as it pertains to AD domain accounts.  Setting Block Inheritance on an OU will not affect the domain password policy or account lockout policies; it will only affect any other GP policies that were configured at a higher level than the OU that has Block Inheritance configured.

Password policies and account lockout policies are attributes of the domain object; they are only exposed via the GPMC as an administrative convenience.  The only way to exempt one or more users from the domain-wide password policy in 200/3 is to use the "password never expires" flag; however, the users will still be subject to account lockout policies and any password length/complexity requirements.
0
 
LVL 4

Assisted Solution

by:oks1977
oks1977 earned 25 total points
ID: 21823123
Hi Alex-Kay,

No, you could not set a policy to disable it on a specific OU as the settings affects all users ad computers in the domain. However, a another workaround might be as below:

For those users which are not adhere to password change policy, you can create a OU and pull those users and computers into this OU and ask them to log on locally. In doing so, the password policies applied @ OU level will affect them.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 21823779
Sorry Alex-Kay! LauraEHunterMVP is correct you can't block inheritance on a domain password policy. I didn't fully read the question.
0
 
LVL 1

Author Comment

by:Alex-Kay
ID: 21844899
oks1977,

That won't work as we need other policies to be applied to these machines and accounts so they must log onto the domain. (at least when they are connected)

How about if we set up a seperate domain for those users that log on externally or from other locations? would that be a feesable option?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 325 total points
ID: 21845306
Feasible, yes, but creates a great deal of complexity to manage.  At this point I'd be more likely to recommend going to 2K8 AD, which allows for multiple password policies in a single domain.
0
 
LVL 1

Author Comment

by:Alex-Kay
ID: 21845652
I had thought of that aswell but there is some cost involved in doing that so I was hoping that I could find a work around.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21845679
Your workaround is a separate domain, for which there will also be cost involved in establishing and maintaining a more complex infrastructure.  As they say, you can pay now or you can pay later.
0
 
LVL 1

Author Comment

by:Alex-Kay
ID: 21845751
HAHA

right well I'm going to have to run this past the Director to see if I can get it approved or if they would prefer to leave it as it is for the moment. (Although I can't imagine they will as there is a security risk).

Thank you for your help
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question