Solved

Enforcing Different Password Policy using Group Policy?

Posted on 2009-04-08
Last Modified: 2012-05-06
I wanted to validate the following ideas to apply a couple of different password policies.

I know that only the Default Domain Policy can be edited with the Password Policy. So, I'll make the edit to the password policy on the Default Domain Policy, then create OUs and add the computer and user accounts that I want exempt from the password policy. And to do this, I would choose to Block Inheritance on the OUs that I want exempt.

Will this work?  
Question by:e90mdrei
8 Comments
 
LVL 11

Expert Comment

by:ecsrd
ID: 24100603
Yes, but you should do it reversed.  Create the OUs and create separate policies for each OU.  Apply the settings you want to each OU and not the default domain policy.
0
 

Author Comment

by:e90mdrei
ID: 24100626
But it was my understanding that password policies (GPO) can only be applied at the domain level, and not OUs.
0
 
LVL 57

Accepted Solution

by:Mike Kline
Mike Kline earned 350 total points
ID: 24100673
You are right, password policies for domain users can only be applied at the domain level.
Password policies that are applied at the OU level will only apply to local users on the machines. Domain users won't be affected by those.
There are third-party tools that can help if you really need separate policies in Windows 2003. One example of a third-party tool is here:
http://www.specopssoft.com/products/specopspasswordpolicy/
In a Windows 2008 forest you also have the option to use fine-grained password policies:
http://technet.microsoft.com/en-us/library/cc770394.aspx
Thanks
Mike
0
 
LVL 11

Expert Comment

by:ecsrd
ID: 24100686
In a 2003 domain, you are correct; in a 2008 domain you can manage policies at the OU level. Sorry, I should have asked which forest functional level you are at!
0
 

Author Comment

by:e90mdrei
ID: 24100693
Thanks mkline71.  So, without the third-party tool, will what I'm proposing to do work if I wanted to separate out or exempt a user/computer?  

0
 

Assisted Solution

by:Severcorr
Severcorr earned 100 total points
ID: 24100695
Here is a good write-up.

http://www.mcseworld.com/forums/archive/index.php?t-8737.html
I would be hesitant in blocking GP inheritance to a bunch of computers because the users don't like the password policy.
Just my two cents though.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24102223
It should not work because the password policy at the domain should apply. That was some serious testing in that link (I haven't gone through all that).
Thanks
Mike
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 50 total points
ID: 24102539
> In a 2003 domain, you are correct; in a 2008 domain you can manage policies at the OU level.

This is not correct. Fine-grained password policies in 2008 are applied to individual users and/or group objects, not at the OU level. To apply an FGPP to an entire OU of users, you will need to create and maintain a "shadow group" containing the user/group objects contained within that OU. (Fairly easily automated via MIIS or another provisioning tool, but not possible using native Windows tools.)
0
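
The shadow-group maintenance described in the last answer, as an added example that is not part of the original thread: a script, meant to run on a schedule, that keeps one group's membership equal to the users of one OU, links a fine-grained password policy (PSO) to that group, and reports users whose resultant policy is still something else. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and its RSAT) and a PSO that already exists; the OU, group and PSO names are placeholders.

```powershell
# Added example. All three names below are hypothetical placeholders.
Import-Module ActiveDirectory

$OuDn      = 'OU=Kiosk Accounts,DC=example,DC=com'  # OU whose users get the policy
$GroupName = 'PSO-Kiosk-Shadow'                      # sAMAccountName of a global security group
$PsoName   = 'PSO-Kiosk'                             # existing fine-grained password policy

# Desired membership: every user object under the OU, sub-OUs included.
$wanted = @(Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * |
            Select-Object -ExpandProperty DistinguishedName)

# Current direct user members of the shadow group.
$current = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty distinguishedName)

# -notcontains is case-insensitive and copes with empty arrays.
$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

if ($toAdd.Count) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}
if ($toRemove.Count) {
    # Users moved out of the OU fall back to the domain password policy.
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
}

# Link the PSO to the group once; PSOs apply to users and global security groups.
$subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName |
              Select-Object -ExpandProperty SamAccountName)
if ($subjects -notcontains $GroupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# Check: the resultant PSO can differ when another PSO with a better
# precedence also reaches the user, or be empty when none applies.
foreach ($dn in $wanted) {
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $dn
    if (-not $resultant -or $resultant.Name -ne $PsoName) {
        Write-Warning "Expected $PsoName but found '$($resultant.Name)' for $dn"
    }
}

"Added {0}, removed {1}, OU users {2}" -f $toAdd.Count, $toRemove.Count, $wanted.Count
```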
