Solved

Enforcing Different Password Policy using Group Policy?

Posted on 2009-04-08
8
936 Views
Last Modified: 2012-05-06
I wanted to validate the following ideas to apply a couple of different password policies.

I know that only the Default Domain Policy can be edited with the Password Policy.  So, I'll make the edit to the password policy on the Default Domain Policy, then create OUs and add the computer and user accounts that I want exempt from the password policy.  And to do this, I would choose to Block Inheritance on the OUs that I want exempt.

Will this work?  
0
Question by:e90mdrei
8 Comments
 
LVL 11

Expert Comment

by:ecsrd
ID: 24100603
Yes, but you should do it reversed.  Create the OUs and create separate policies for each OU.  Apply the settings you want to each OU and not the default domain policy.
0
 

Author Comment

by:e90mdrei
ID: 24100626
But it was my understanding that password policies (GPO) can only be applied at the domain level, and not to OUs.
0
 
LVL 57

Accepted Solution

by:Mike Kline
Mike Kline earned 350 total points
ID: 24100673
You are right, password policies for domain users can only be applied at the domain level.
Password policies that are applied at the OU level will only apply to local users on the machines.  Domain users won't be affected by those.
There are third party tools that can help if you really need separate policies in Windows 2003.  One example of a third party tool is here
http://www.specopssoft.com/products/specopspasswordpolicy/
In a Windows 2008 forest you also have the option to use fine grained password policies
http://technet.microsoft.com/en-us/library/cc770394.aspx
Thanks
Mike
0
 
LVL 11

Expert Comment

by:ecsrd
ID: 24100686
In a 2003 domain, you are correct, in a 2008 domain you can manage policies at the OU level.  Sorry, I should have asked which forest functional level you are at!
0
 

Author Comment

by:e90mdrei
ID: 24100693
Thanks mkline71.  So, without the third-party tool, will what I'm proposing to do work if I wanted to separate out or exempt a user/computer?  

0
 

Assisted Solution

by:Severcorr
Severcorr earned 100 total points
ID: 24100695
Here is a good write-up.

http://www.mcseworld.com/forums/archive/index.php?t-8737.html
I would be hesitant in blocking GP inheritance to a bunch of computers because the users don't like the password policy.
Just my two cents though.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24102223
It should not work because the password policy at the domain should apply.  That was some serious testing in that link (I haven't gone through all of that).
Thanks
Mike
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 50 total points
ID: 24102539
> In a 2003 domain, you are correct, in a 2008 domain you can manage policies at the OU level.  

This is not correct. Fine-grained password policies in 2008 are applied to individual users and/or group objects, not at the OU level. To apply an FGPP to an entire OU of users, you will need to create and maintain a "shadow group" containing the user/group objects contained within that OU. (Fairly easily automated via MIIS or another provisioning tool, but not possible using native Windows tools.)
0
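The mechanism Mike Kline and LauraEHunterMVP describe (a fine-grained password policy that targets users or global security groups rather than an OU, fed by a "shadow group" kept in sync with the OU) can be written out as a script. The following is an added example, not code from the thread or from any of its posters. It assumes the ActiveDirectory PowerShell module, which shipped with Windows Server 2008 R2 and later (the thread predates it), a domain at the Windows Server 2008 functional level, and rights to create PSOs and groups. The OU distinguished name, group name, PSO name and every policy value are placeholders. The final step uses the resultant-policy cmdlet to show what actually applies to each user; run against a user in an OU that merely has Block Inheritance set and no PSO, it reports the domain policy, which is the outcome Mike's comment predicts for the approach in the question.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# (Windows Server 2008 R2+) and a 2008-level domain. Names are placeholders.
Import-Module ActiveDirectory

$ou      = 'OU=Exempt Users,DC=example,DC=com'   # placeholder OU DN
$group   = 'PSO-Exempt-Users'                    # placeholder shadow-group name
$psoName = 'Exempt-Users-PSO'                    # placeholder PSO name

# 1. Create the PSO if it does not exist. All settings below are placeholder
#    values, not a recommendation. Lower -Precedence wins when several PSOs
#    apply to the same user.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 12 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 -LockoutDuration '0.00:30:00' `
        -LockoutObservationWindow '0.00:30:00' `
        -Description "Shadow-group policy for $ou (placeholder)"
}

# 2. Create the shadow group if missing. A PSO can only be applied to user
#    objects or global security groups, never to an OU, so this group stands
#    in for the OU.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
}
$groupDn = (Get-ADGroup -Identity $group).DistinguishedName
$applied = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
           Select-Object -ExpandProperty DistinguishedName
if ($applied -notcontains $groupDn) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# 3. Synchronise membership: the group should contain exactly the users that
#    are currently in the OU (including sub-OUs). Users moved out of the OU
#    are removed so the PSO stops applying to them. Schedule this step.
$wanted  = Get-ADUser -Filter * -SearchBase $ou -SearchScope Subtree |
           Select-Object -ExpandProperty DistinguishedName
$current = Get-ADGroupMember -Identity $group |
           Where-Object { $_.objectClass -eq 'user' } |
           Select-Object -ExpandProperty distinguishedName
$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })
if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

# 4. Verify what actually applies. Get-ADUserResultantPasswordPolicy returns
#    the winning PSO, or nothing when only the domain policy governs the user.
foreach ($dn in $wanted) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $dn
    $effective = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
    '{0} -> {1}' -f $dn, $effective
}
```

Step 3 is the part that makes the shadow group trustworthy: without a scheduled re-sync, a user moved into or out of the OU silently keeps the wrong policy, and step 4 is the quick audit that catches that drift. The resultant-policy check is also the right way to test the original proposal, since the domain's password settings for domain accounts are enforced by the domain controllers from the Default Domain Policy regardless of what inheritance the user's OU blocks.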