OU Level Group Policies

windowsn00b asked:

I have domain level group policies set, and one OU level group policy.  My goal is this:
Domain level password complexity is disabled for ease on users' brains. We have a high security department, and any groups inside it belong in the "HS-Groups" OU. There is a password policy in HS-Groups that requires password complexity for Authenticated Users. Will the domain level policy override this, or will the OU level policy take precedence? How can I force the policy on the OU to take precedence but only for members of the groups in the OU? (The user accounts are not in the OU, just the groups they belong to.) The goal is if a user suddenly gets added to one of the groups in this OU they have stricter screen saver and password policies.
ASKER CERTIFIED SOLUTION (Americom):
In addition, if you apply any password policy to an OU, and the OU has computer objects, it only affects the local users on those computer objects.
SOLUTION (Mike Kline):
windowsn00b (ASKER):
Ok, well I was testing the Resultant Set of Policy (Planning) on a user account, and for some reason it never sets the domain level password policy anymore. It gives Xs next to the policies regarding that password policy. Any ideas how to fix this?
Now the only policy setting on RSoP is the login scripts policy. The rest of them get a red X and it's starting to worry me. If the GPO isn't working for the domain I might be in big trouble.
So a password policy in an OU won't override a password policy domain-wide, or vice versa? That's a dumb feature to leave out.
Right, but that is why they added fine-grained passwords in Windows 2008 - they did listen to everyone asking for the features.
Now you will be able to set different policies for users or groups (not for OUs specifically).
 
Well I want it to be set to groups. Doesn't GPMC allow that?
You may have a problem with name resolution for those red Xs. You may need to check your DCs and how their DNS is configured; each should point to itself as the DNS server in its TCP/IP settings.
Yes, a password policy linked to an OU does not override the domain password policy. What it will do, again, is only affect the local users of the computers inside the OU where you apply the additional policy.
Not for Windows 2003 and older. GPMC is just a friendlier tool to manage GPOs.
So without paying any more money, how can I make specific groups have a different password policy?
If it is impossible, then every user has to have a 16 character complex password. How can I edit the complexity requirements?
You are going to have some angry users; I'd be careful making them have a 16 character password.
The minimum password length can be between 1-14 characters.  
Yes that's true. There is no KB patch or free product capable of allowing specific groups to have a tighter password policy than the rest of the domain? The 3 user groups in the HS-Groups OU are the only ones that need a stricter policy.
Unfortunately no...until you get to 2008 forest functional level.
Hmm anyone know the cost of specop for a domain with two DCs?  I don't want to upgrade to 2008 because it will use more resources, which I just don't have at the moment.
Not super cheap according to this  (about halfway down)
http://redmondmag.com/reviews/article.asp?editorialsid=538
I'd contact them and have them give you a quote.
Yeah, um, are there any other options, because I'd rather buy two new servers for that price, and install the 2008 copy we already possess.
If you have a Win2k8 domain, you will need to spend a lot of $ for all your clients, as the Win2k3 CALs do not apply to Win2k8. That's the real cost for you, not the Win2k8 OS and not the hardware; those are nothing compared to the W2k8 CALs, unless your company is very small.
For some reason I completely forgot about CALs. Don't they just refer to Terminal Services clients? (Which we don't use.) Or are they for any machine that is joined to the domain?
No, they are two separate ones. One is Windows CALs, and the other is specific to TS, which is more expensive. TS is for remote connections, like users connected to Terminal Servers to run applications. A Windows CAL is for a user to access a Windows OS remotely, including authenticating to the domain DC OS.
For some reason our copy of 2008 is 2008 Enterprise. Now if I remember correctly CALs don't apply to Enterprise copies. I've never had to type/edit/read about a CAL while working with our servers, and we have 3 domain PCs to DCs and 30 something users right now. (Most users are Exchange/VPN users.)
It does, no different when it comes to CALs. Microsoft trusted all of us to be honest up until Windows XP and Windows 2008 for server licenses. As far as CALs, only TS you would have to register and monitor with your TS license server. The Windows CALs are up to you to be honest. You have the option during the OS installation for device or user mode, remember? Usually we pick user mode and never have to worry about the exceeded session popup....

30 users, then it's not too expensive; it will be less than $2k for Windows CALs, just as much as the Win2k8 OS Enterprise version.
I don't think I've ever heard of that popup before, because I usually pick user mode, and forget about CALs completely.  I have no formal training in the OS, and have no idea how I fell into this position.  I think we'd better investigate how much money we owe good ol' M$.
You can only have one password policy in the domain and it needs to be on domain level.
If upgrading to Windows Server 2008 AD, you can use fine-grained password policies to specify different password policies depending on group membership.

Another thing is that you have placed groups in an OU with GPOs. GPOs only apply to user or computer objects below the linking point, independent of where groups are located. The only way groups affect GPOs is by using security filtering to allow/deny the permission to apply group policy.
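An added example, not from anyone in this thread, showing the two mechanisms the answer above describes once the domain is at the Windows Server 2008 domain functional level: a fine-grained password policy (PSO) applied to the high-security groups, and security filtering so a screen-saver GPO applies only to members of those groups. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (shipped with Windows Server 2008 R2 / RSAT and later, not with 2008 RTM) and placeholder names: domain corp.example, groups HS-Finance, HS-Legal and HS-Research in the HS-Groups OU, a user jdoe, a GPO named HS-ScreenSaver, and a PSO named HS-Password-Policy.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory and GroupPolicy
# modules (Windows Server 2008 R2 / RSAT or later) and a domain already at the
# Windows Server 2008 domain functional level. All names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$hsGroups = @('HS-Finance', 'HS-Legal', 'HS-Research')   # placeholder group names

# 0. What everyone gets today: the policy from the Default Domain Policy GPO.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge

# 1. Create the PSO. If a user matches several PSOs, the lowest Precedence wins.
#    A PSO may set MinPasswordLength above the 14-character cap of the GPO setting.
New-ADFineGrainedPasswordPolicy -Name 'HS-Password-Policy' `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 16 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00' `
    -ReversibleEncryptionEnabled $false

# 2. Apply the PSO to the groups. PSOs target users and global security groups,
#    not OUs, so it does not matter which OU the groups or users live in.
Add-ADFineGrainedPasswordPolicySubject -Identity 'HS-Password-Policy' -Subjects $hsGroups

# 3. Verify what a specific user actually receives (direct or via group membership).
#    Returns nothing for a user covered only by the domain default.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled

# 4. Screen-saver settings are ordinary user GPO settings, so they follow the
#    user's OU, not the group's OU. Link the GPO high enough to cover the users
#    (here the domain root) and security-filter it to the groups. Authenticated
#    Users keeps Read (computer accounts need it to process the GPO) but loses
#    Apply; -Replace is needed because Set-GPPermission never lowers a level otherwise.
$gpo = Get-GPO -Name 'HS-ScreenSaver'
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
foreach ($g in $hsGroups) {
    Set-GPPermission -Name $gpo.DisplayName -TargetName $g `
        -TargetType Group -PermissionLevel GpoApply
}
New-GPLink -Name $gpo.DisplayName -Target 'DC=corp,DC=example' -LinkEnabled Yes
```

Two points worth checking afterwards: a user added to one of the groups picks up the PSO at the next password change (the existing password is not rejected retroactively), and because security filtering is evaluated with the user's token at logon, the stricter screen-saver GPO only takes effect after the user logs off and on again with the new group membership.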
I see.  How can I make a smooth upgrade to 2008 work on an existing domain, without actually adding new hardware?
You will have to do what is known as an "in-place upgrade".
Here is a good blog entry on the process:
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/04/08/upgrading-your-active-directory-to-windows-server-2008.aspx
One thing to remember: I'm guessing you are running 2003 32-bit. When Windows 2008 R2 is released (in beta now) it will only be available for x64.
I've decided against any upgrade to 2008 because the 2008 domains can't have windows xp clients in them.
Seeing as how some things were off topic of the original question, I couldn't see awarding points for them.  Sorry, but thanks still for the info.
Thanks,
...also 2008 domains can have XP clients
So I can join an XP Pro SP2/SP3 to a 2008 functional level domain in a 2008 functional level forest?
Yes,  if you could not Microsoft would have a major problem on their hands as most companies are very happy with XP right now and are not upgrading in these tough times.
If you have an XP box lying around I'd install Virtual Server or Virtual PC and just setup a simple lab (2008 DC, XP client)
I have VMWare Workstation 6.5 on one of my laptops with a 2008 VM already installed.  no roles or features added yet.  I may have to try this tomorrow.