windowsn00b asked:
OU Level Group Policies

I have domain level group policies set, and one OU level group policy. My goal is this:
Domain level password complexity is disabled for ease on users' brains. We have a high security department, and any groups inside it belong in the "HS-Groups" OU. There is a password policy in HS-Groups that requires password complexity for Authenticated Users. Will the domain level policy override this, or will the OU level policy take precedence? How can I force the policy on the OU to take precedence but only for members of the groups in the OU? (The user accounts are not in the OU, just the groups they belong to.) The goal is that if a user suddenly gets added to one of the groups in this OU they have stricter screen saver and password policies.
Tags: Software, Windows Server 2003, Active Directory

Americom:
In addition, if you apply any password policy to an OU and the OU has computer objects, it only affects the local users on those computers.
windowsn00b (asker):
Ok, well I was testing the Resultant Set of Policy (Planning) on a user account, and for some reason it never sets the domain level password policy anymore. It gives Xs next to the policies regarding that password policy. Any ideas how to fix this?
windowsn00b (asker):
Now the only policy setting on RSoP is the login scripts policy. The rest of them get a red X and it's starting to worry me. If the GPO isn't working for the domain I might be in big trouble.
windowsn00b (asker):
So a password policy in an OU won't override a password policy domain-wide, or vice versa? That's a dumb feature to leave out.
Mike Kline:
Right, but that is why they added fine-grained password policies in Windows 2008; they did listen to everyone asking for the feature.
Now you will be able to set different policies for users or groups (not for OUs specifically).
windowsn00b (asker):
Well I want it to be set to groups. Doesn't GPMC allow that?
Americom:
You may have a problem with name resolution for those red Xs. You may need to check on your DCs and how their DNS is configured; each should point to itself as DNS server in the TCP/IP settings.
Yes, a password policy linked to an OU does not override a domain password policy. What it will do, again, is only affect the local users of the computers inside the OU where you apply the additional policy.
Americom:
Not for Windows 2003 and older. GPMC is just a friendlier tool to manage GPOs.
windowsn00b (asker):
So without paying any more money, how can I make specific groups have a different password policy?
windowsn00b (asker):
If it is impossible, then every user has to have a 16 character complex password. How can I edit the complexity requirements?
Mike Kline:
You are going to have some angry users; I'd be careful making them have a 16 character password.
Mike Kline:
The minimum password length can be between 1-14 characters.
windowsn00b (asker):
Yes that's true. There is no KB patch or free product capable of allowing specific groups to have a tighter password policy than the rest of the domain? The 3 user groups in the HS-Groups OU are the only ones that need a stricter policy.
Mike Kline:
Unfortunately no... until you get to 2008 forest functional level.
windowsn00b (asker):
Hmm, anyone know the cost of specop for a domain with two DCs? I don't want to upgrade to 2008 because it will use more resources, which I just don't have at the moment.
Mike Kline:
Not super cheap according to this (about halfway down):
http://redmondmag.com/reviews/article.asp?editorialsid=538
I'd contact them and have them give you a quote.
windowsn00b (asker):
Yeah, um, are there any other options, because I'd rather buy two new servers for that price, and install the 2008 copy we already possess.
Americom:
If you have a Win2k8 domain, you will need to spend a lot of $ for all your clients, as the Win2k3 CALs do not apply to Win2k8. That's the real cost for you, not the Win2k8 OS and not the hardware; those are nothing compared to the W2k8 CALs, unless your company is very small.
windowsn00b (asker):
For some reason I completely forgot about CALs. Don't they just refer to Terminal Services clients? (Which we don't use.) Or are they for any machine that is joined to the domain?
Americom:
No, they are two separate ones. One is Windows CALs, and the other is specific to TS, which is more expensive. TS is for remote connections, like users connected to Terminal Servers to run applications. A Windows CAL is for a user to access a Windows OS remotely, including authenticating to the domain DC OS.
windowsn00b (asker):
For some reason our copy of 2008 is 2008 Enterprise. Now if I remember correctly CALs don't apply to Enterprise copies. I've never had to type/edit/read about a CAL while working with our servers, and we have 3 domain PCs to DCs and 30 something users right now. (Most users are Exchange/VPN users.)
Americom:
It does; no different when it comes to CALs. Microsoft trusted all of us to be honest up until Windows XP and Windows 2008 for the server license. As far as CALs go, only TS would you have to register and monitor with your TS license server. The Windows CALs are up to you to be honest about. You have the option during the OS installation for device or user mode, remember? Usually we pick user mode and never have to worry about the exceeded-sessions popup....

30 users, then it's not too expensive; it will be less than $2k for Windows CALs, about as much as the Win2k8 OS Enterprise version.
windowsn00b (asker):
I don't think I've ever heard of that popup before, because I usually pick user mode, and forget about CALs completely.  I have no formal training in the OS, and have no idea how I fell into this position.  I think we'd better investigate how much money we owe good ol' M$.

You can only have one password policy in the domain and it needs to be at domain level.
If upgrading to Windows Server 2008 AD, you can use fine-grained password policies to specify different password policies depending on group membership.

Another thing is that you have placed groups in an OU with GPOs. GPOs only apply to user or computer objects below the linking point, independent of where groups are located. The only way groups affect GPOs is by using security filtering to allow/deny the permission to apply group policy.
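As an added illustration (not code from anyone in this thread) of what the fine-grained password policy route looks like once the domain is at the Windows Server 2008 functional level, here is the equivalent done with the Active Directory PowerShell module (shipped with Windows Server 2008 R2 and later). The PSO name, the policy values, the OU distinguished name and the test account are assumed placeholders; the HS-Groups OU in the question only holds groups, so the PSO is applied to those groups, not to the OU.

```powershell
Import-Module ActiveDirectory

# Stricter policy object for the high-security groups. When a user is covered by
# more than one PSO, the one with the lowest Precedence wins. All values are
# assumptions for illustration, not settings from the thread.
$pso = New-ADFineGrainedPasswordPolicy -Name "HS-StrictPasswords" `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -PassThru

# PSOs can only be applied to users and global security groups, so only those
# are picked up from the OU. The OU path is an assumed placeholder.
$groups = Get-ADGroup -SearchBase "OU=HS-Groups,DC=example,DC=local" `
    -Filter "GroupScope -eq 'Global' -and GroupCategory -eq 'Security'"
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $groups

# Check which policy a member actually ends up with. This resolves nested group
# membership and PSO precedence, which is the check the asker was trying to do
# with RSoP (RSoP does not model PSOs). The account name is assumed.
Get-ADUserResultantPasswordPolicy -Identity "hs.user"
```

A PSO covers only password and lockout settings; the stricter screen saver settings still have to come from a GPO linked where the user objects are, with security filtering limited to the same groups.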
windowsn00b (asker):
I see.  How can I make a smooth upgrade to 2008 work on an existing domain, without actually adding new hardware?
Mike Kline:
You will have to do what is known as an "in-place upgrade".
Here is a good blog entry on the process:
http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2008/04/08/upgrading-your-active-directory-to-windows-server-2008.aspx
One thing to remember; I'm guessing you are running 2003 32-bit. When Windows 2008 R2 is released (in beta now) it will only be available for x64.
windowsn00b (asker):
I've decided against any upgrade to 2008 because 2008 domains can't have Windows XP clients in them.
windowsn00b (asker):
Seeing as how some things were off topic from the original question, I couldn't see awarding points for them. Sorry, but thanks still for the info.
Mike Kline:
Thanks,
...also 2008 domains can have XP clients.
windowsn00b (asker):
So I can join an XP Pro SP2/SP3 machine to a 2008 functional level domain in a 2008 functional level forest?
Mike Kline:
Yes; if you could not, Microsoft would have a major problem on their hands, as most companies are very happy with XP right now and are not upgrading in these tough times.
If you have an XP box lying around I'd install Virtual Server or Virtual PC and just set up a simple lab (2008 DC, XP client).
windowsn00b (asker):
I have VMware Workstation 6.5 on one of my laptops with a 2008 VM already installed. No roles or features added yet. I may have to try this tomorrow.