Solved

Enforcing Different Password Policy using Group Policy?

Posted on 2009-04-08
Last Modified: 2012-05-06
I wanted to validate the following ideas to apply a couple of different password policies.

I know that only the Default Domain Policy can be edited with the Password Policy. So, I'll make the edit to the password policy on the Default Domain Policy, then create OUs and add the computer and user accounts that I want exempt from the password policy. And to do this, I would choose to Block Inheritance on the OUs that I want exempt.

Will this work?  
0
Question by:e90mdrei
8 Comments
 
LVL 11

Expert Comment

by:ecsrd
ID: 24100603
Yes, but you should do it reversed.  Create the OUs and create separate policies for each OU.  Apply the settings you want to each OU and not the default domain policy.
0
 

Author Comment

by:e90mdrei
ID: 24100626
But it was my understanding that password policies (GPO) can only be applied at the domain level, and not OUs.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 350 total points
ID: 24100673
You are right, password policies for domain users can only be applied at the domain level.
Password policies that are applied at the OU level will only apply to local users on the machines.  Domain users won't be affected by those.
There are third party tools that can help if you really need separate policies in Windows 2003.  One example of a third party tool is here
http://www.specopssoft.com/products/specopspasswordpolicy/
In a Windows 2008 forest you also have the option to use fine grained password policies
http://technet.microsoft.com/en-us/library/cc770394.aspx
Thanks
Mike
0
 
LVL 11

Expert Comment

by:ecsrd
ID: 24100686
In a 2003 domain, you are correct, in a 2008 domain you can manage policies at the OU level.  Sorry, I should have asked which forest functional level you are at!
0

 

Author Comment

by:e90mdrei
ID: 24100693
Thanks mkline71.  So, without the third-party tool, will what I'm proposing to do work if I wanted to separate out or exempt a user/computer?  

0
 

Assisted Solution

by:Severcorr
Severcorr earned 100 total points
ID: 24100695
Here is a good write-up.

http://www.mcseworld.com/forums/archive/index.php?t-8737.html
I would be hesitant in blocking GP inheritance to a bunch of computers because the users don't like the password policy.
Just my two cents though.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24102223
It should not work because the password policy at the domain should apply. That was some serious testing in that link (I haven't gone through all that).
Thanks
Mike
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 50 total points
ID: 24102539
> In a 2003 domain, you are correct, in a 2008 domain you can manage policies at the OU level.  

This is not correct. Fine-grained password policies in 2008 are applied to individual users and/or group objects, not at the OU level. To apply an FGPP to an entire OU of users, you will need to create and maintain a "shadow group" containing the user/group objects contained within that OU. (Fairly easily automated via MIIS or another provisioning tool, but not possible using native Windows tools.)
0
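
The shadow-group approach described in the answer above, as an added example that is not part of the original thread: it creates a fine-grained password policy, links it to a group, and keeps that group's membership equal to the users under one OU. It assumes the ActiveDirectory PowerShell module, which the thread does not mention, and a domain at the Windows Server 2008 functional level; the OU, group and policy names and all policy values are placeholders.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) is installed.
# All names and policy values below are placeholders, not from the thread.
Import-Module ActiveDirectory

$TargetOU    = 'OU=Contractors,DC=example,DC=com'   # placeholder OU
$ShadowGroup = 'PSO-Contractors-Shadow'             # placeholder group
$PsoName     = 'PSO-Contractors'                    # placeholder policy

# 1. Create the global security group that mirrors the OU, if absent.
if (-not (Get-ADGroup -Filter "Name -eq '$ShadowGroup'")) {
    New-ADGroup -Name $ShadowGroup -GroupScope Global -GroupCategory Security
}

# 2. Create the fine-grained password policy (PSO), if absent.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 14 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
        -MaxPasswordAge '90.00:00:00' -MinPasswordAge '1.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' `
        -LockoutObservationWindow '00:30:00'
}

# 3. Link the PSO to the group. A PSO takes users and global security
#    groups as subjects; an OU cannot be a subject.
$linked = Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName |
    Where-Object { $_.Name -eq $ShadowGroup }
if (-not $linked) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $ShadowGroup
}

# 4. Sync: group membership must equal the set of users under the OU.
$want = @(Get-ADUser -SearchBase $TargetOU -SearchScope Subtree -Filter * |
    Select-Object -ExpandProperty DistinguishedName)
$have = @(Get-ADGroupMember -Identity $ShadowGroup |
    Select-Object -ExpandProperty DistinguishedName)

$add    = @($want | Where-Object { $have -notcontains $_ })
$remove = @($have | Where-Object { $want -notcontains $_ })

if ($add)    { Add-ADGroupMember -Identity $ShadowGroup -Members $add }
# Removal matters as much as addition: a user moved out of the OU would
# otherwise keep the OU's policy instead of falling back to the domain one.
if ($remove) { Remove-ADGroupMember -Identity $ShadowGroup -Members $remove -Confirm:$false }

# 5. Show the PSO that wins for one member (no output = domain policy applies).
if ($want) { Get-ADUserResultantPasswordPolicy -Identity $want[0] }
```

Run on a schedule, step 4 keeps the group aligned with the OU as accounts are moved in or out.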

Question has a verified solution.
