Group Policies

Good Afternoon,

As in (i'm guessing) most companies we have serveral groups with different policies applied in AD. Now password policies currently set so that only we can change the passwords on a users account. We would like to change this, we would like to set it so that HO (Head Office) users are asked to change their password on a regular basis (say once a month) and other users (mainly External laptop users) are not asked to do this. The problem that I forsee is that these users are not split in these groups they are split into depatmental groups so if you apply it to say an accounts group it would affect everyone in that group and not just the HO users that we want it to.

We would like to be able to do this without doing it by user.

Any help would be much appreciated and if you need anymore information please ask.

Thanks in Advance

Alex
LVL 1
Alex-KayAsked:
Who is Participating?
 
LauraEHunterMVPConnect With a Mentor Commented:
dariusg, this answer is incorrect as it pertains to AD domain accounts.  Setting Block Inheritance on an OU will not affect the domain password policy or account lockout policies; it will only affect any other GP policies that were configured at a higher level than the OU that has Block Inheritance configured.

Password policies and account lockout policies are attributes of the domain object; they are only exposed via the GPMC as an administrative convenience.  The only way to exempt one or more users from the domain-wide password policy in 200/3 is to use the "password never expires" flag; however, the users will still be subject to account lockout policies and any password length/complexity requirements.
0
 
Donald_GibsonConnect With a Mentor Commented:
If I understand the question, you can apply the passwords to OU (Organizational Units) within ADUC (Active Directory Users and Computers).  Basically, make an OU (or use an existing one) and have the groups you want to affect fall under that umbrella.  Then modify the policy on the OU by going to ADUC right mouse clickong on that OU, properties, and there is something like 'manage policies' i believe.
0
 
Shift-3Commented:
This is not possible under 2000 or 2003 Active Directory.  They only permit a single set of password policies for a domain.  Password policies cannot be set at the OU level.  To create separate ones you would have to create separate domains.

Server 2008 AD does allow Fine-Grained Password Policies.
http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx

0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
Alex-KayAuthor Commented:
Ok that said, Can you add a password policy to the root of a domain and then set a policy to disable it on a specific OU?
0
 
Darius GhassemCommented:
You would select Block inheritance on the Group Policy at the OU level.
0
 
Darius GhassemConnect With a Mentor Commented:
Also, if you want the group policy not to affect certain group of users you would go to the security tab of the group policy then add the group in the permissions you would select deny Apply group policy.
0
 
oks1977Connect With a Mentor Commented:
Hi Alex-Kay,

No, you could not set a policy to disable it on a specific OU as the settings affects all users ad computers in the domain. However, a another workaround might be as below:

For those users which are not adhere to password change policy, you can create a OU and pull those users and computers into this OU and ask them to log on locally. In doing so, the password policies applied @ OU level will affect them.
0
 
Darius GhassemCommented:
Sorry Alex-Kay! LauraEHunterMVP is correct you can't block inheritance on a domain password policy. I didn't fully read the question.
0
 
Alex-KayAuthor Commented:
oks1977,

That won't work as we need other policies to be applied to these machines and accounts so they must log onto the domain. (at least when they are connected)

How about if we set up a seperate domain for those users that log on externally or from other locations? would that be a feesable option?
0
 
LauraEHunterMVPConnect With a Mentor Commented:
Feasible, yes, but creates a great deal of complexity to manage.  At this point I'd be more likely to recommend going to 2K8 AD, which allows for multiple password policies in a single domain.
0
 
Alex-KayAuthor Commented:
I had thought of that aswell but there is some cost involved in doing that so I was hoping that I could find a work around.
0
 
LauraEHunterMVPCommented:
Your workaround is a separate domain, for which there will also be cost involved in establishing and maintaining a more complex infrastructure.  As they say, you can pay now or you can pay later.
0
 
Alex-KayAuthor Commented:
HAHA

right well I'm going to have to run this past the Director to see if I can get it approved or if they would prefer to leave it as it is for the moment. (Although I can't imagine they will as there is a security risk).

Thank you for your help
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.