Solved

Enforcing Different Password Policy using Group Policy?

Posted on 2009-04-08
8
940 Views
Last Modified: 2012-05-06
I wanted to validate the following ideas to apply a couple of different password policies.

I know that only the Default Domain Policy can be edited with the Password Policy.  So, I'll make the edit to the password policy on the Default Domain Policy, then create OUs and add the computer and user accounts that I want exempt from the password policy.  And to do this, I would choose to Block Inheritance on the OUs that I want exempt.

Will this work?  
0
8 Comments
 
LVL 11

Expert Comment

by:ecsrd
ID: 24100603
Yes, but you should do it reversed.  Create the OUs and create separate policies for each OU.  Apply the settings you want to each OU and not the default domain policy.
0
 

Author Comment

by:e90mdrei
ID: 24100626
But it was my understanding that password policies (GPO) can only be applied at the domain level, and not OUs.
0
 
LVL 57

Accepted Solution

by:Mike Kline
Mike Kline earned 350 total points
ID: 24100673
You are right, password policies for domain users can only be applied at the domain level.
Password policies that are applied at the OU level will only apply to local users on the machines.  Domain users won't be affected by those.
There are third party tools that can help if you really need separate policies in Windows 2003.  One example of a third party tool is here
http://www.specopssoft.com/products/specopspasswordpolicy/
In a Windows 2008 forest you also have the option to use fine grained password policies
http://technet.microsoft.com/en-us/library/cc770394.aspx
Thanks
Mike
0
 
LVL 11

Expert Comment

by:ecsrd
ID: 24100686
In a 2003 domain, you are correct, in a 2008 domain you can manage policies at the OU level.  Sorry, I should have asked which forest functional level you are at!
0
 

Author Comment

by:e90mdrei
ID: 24100693
Thanks mkline71.  So, without the third-party tool, will what I'm proposing to do work if I wanted to separate out or exempt a user/computer?  

0
 

Assisted Solution

by:Severcorr
Severcorr earned 100 total points
ID: 24100695
Here is a good write-up.

http://www.mcseworld.com/forums/archive/index.php?t-8737.html
I would be hesitant in blocking GP inheritance to a bunch of computers because the users don't like the password policy.
Just my two cents though.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24102223
It should not work because the password policy at the domain should apply.  That was some serious testing in that link (I haven't gone through all that)
Thanks
Mike
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 50 total points
ID: 24102539
> In a 2003 domain, you are correct, in a 2008 domain you can manage policies at the OU level.  

This is not correct. Fine-grained password policies in 2008 are applied to individual users and/or group objects, not at the OU level. To apply an FGPP to an entire OU of users, you will need to create and maintain a "shadow group" containing the user/group objects contained within that OU. (Fairly easily automated via MIIS or another provisioning tool, but not possible using native Windows tools.)
0
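The two points made above (Mike Kline: fine-grained password policies exist in a 2008 forest; LauraEHunterMVP: they bind to users and groups, not OUs, so an OU needs a "shadow group" kept in sync) can be put together in one script. This is an added example, not code from the thread or from any of the posters, and it assumes the ActiveDirectory PowerShell module, which shipped with Windows Server 2008 R2 (after this 2009 thread, which is why the answer above says native tools could not do the sync at the time), plus a domain functional level of Windows Server 2008 or higher. The OU path, group name, PSO name and policy values are placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (Server 2008 R2 / RSAT or later) and domain functional level >= 2008.
# $ouPath, $groupName, $psoName and the policy values are placeholders.
Import-Module ActiveDirectory

$ouPath    = "OU=ServiceAccounts,DC=example,DC=com"   # placeholder OU
$groupName = "PSO-ServiceAccounts-Shadow"             # placeholder shadow group
$psoName   = "PSO-ServiceAccounts"                    # placeholder PSO name

# 1. Create the fine-grained password policy (PSO) once. When a user falls under
#    several PSOs, the one with the lowest Precedence value wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -PasswordHistoryCount 24 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}

# 2. Create the global security group that acts as the shadow group for the OU.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouPath
}

# 3. Bind the PSO to the group. PSOs target users and groups, never OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# 4. Sync the shadow group: membership := user objects currently in the OU.
#    Run this on a schedule so moves into or out of the OU are reflected.
$ouUsers = Get-ADUser -SearchBase $ouPath -SearchScope OneLevel -Filter * |
           Select-Object -ExpandProperty DistinguishedName
$members = Get-ADGroupMember -Identity $groupName |
           Where-Object { $_.objectClass -eq 'user' } |
           Select-Object -ExpandProperty DistinguishedName

$toAdd    = $ouUsers | Where-Object { $members -notcontains $_ }
$toRemove = $members | Where-Object { $ouUsers -notcontains $_ }

if ($toAdd)    { Add-ADGroupMember    -Identity $groupName -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false }

# 5. Verify: the resultant policy for a user in the OU should now be the PSO,
#    not the Default Domain Policy settings.
$sample = Get-ADUser -SearchBase $ouPath -SearchScope OneLevel -Filter * | Select-Object -First 1
if ($sample) { Get-ADUserResultantPasswordPolicy -Identity $sample }
```

Step 5 is the check worth keeping: `Get-ADUserResultantPasswordPolicy` shows which policy actually governs a given account, so you can confirm the PSO took effect after a sync rather than assuming it from group membership. Note that this only changes the policy for domain user accounts; as Mike Kline says above, computers and local accounts are not governed by the domain password policy in the first place, so the Block Inheritance idea in the question would not exempt domain users either way.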
