  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 950

Enforcing Different Password Policy using Group Policy?

I wanted to validate the following ideas to apply a couple of different password policies.

I know that only the Default Domain Policy can be edited with the Password Policy.  So, I'll make the edit to the password policy on the Default Domain Policy, then create OUs and add the computer and user accounts that I want exempt from the password policy.  And to do this, I would choose to Block Inheritance on the OUs that I want exempt.

Will this work?  
0
e90mdrei
3 Solutions
 
ecsrd Commented:
Yes, but you should do it reversed.  Create the OUs and create separate policies for each OU.  Apply the settings you want to each OU and not the default domain policy.
0
 
e90mdrei (Author) Commented:
But it was my understanding that password policies (GPO) can only be applied at the domain level, and not OUs.
0
 
Mike Kline Commented:
You are right, password policies for domain users can only be applied at the domain level.
Password policies that are applied at the OU level will only apply to local users on the machines.  Domain users won't be affected by those.
There are third-party tools that can help if you really need separate policies in Windows 2003.  One example of a third-party tool is here:
http://www.specopssoft.com/products/specopspasswordpolicy/
In a Windows 2008 forest you also have the option to use fine-grained password policies:
http://technet.microsoft.com/en-us/library/cc770394.aspx
Thanks
Mike
0
 
ecsrd Commented:
In a 2003 domain, you are correct, in a 2008 domain you can manage policies at the OU level.  Sorry, I should have asked which forest functional level you are at!
0
 
e90mdrei (Author) Commented:
Thanks mkline71.  So, without the third-party tool, will what I'm proposing to do work if I wanted to separate out or exempt a user/computer?  

0
 
Severcorr Commented:
Here is a good write-up.

http://www.mcseworld.com/forums/archive/index.php?t-8737.html
I would be hesitant in blocking GP inheritance to a bunch of computers because the users don't like the password policy.
Just my two cents though.
0
 
Mike Kline Commented:
It should not work because the password policy at the domain should apply.  That was some serious testing in that link (I haven't gone through all that).
Thanks
Mike
0
 
LauraEHunterMVP Commented:
> In a 2003 domain, you are correct, in a 2008 domain you can manage policies at the OU level.  

This is not correct. Fine-grained password policies in 2008 are applied to individual users and/or group objects, not at the OU level. To apply an FGPP to an entire OU of users, you will need to create and maintain a "shadow group" containing the user/group objects contained within that OU. (Fairly easily automated via MIIS or another provisioning tool, but not possible using native Windows tools.)
0
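
Added example, not part of the original thread: a sketch of the shadow-group approach described above, which links a fine-grained password policy (PSO) to a group, keeps that group in step with an OU, and then reports any OU user whose resultant policy is not the expected PSO. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later) and a 2008+ domain functional level; the OU, group and PSO names and the policy values are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Hypothetical names and values: replace with your own.
$OuDn        = 'OU=Service Accounts,DC=example,DC=com'
$GroupPath   = 'OU=Groups,DC=example,DC=com'
$ShadowGroup = 'PSO-ServiceAccounts-Shadow'
$PsoName     = 'PSO-ServiceAccounts'

# 1. Shadow group: PSOs link to users or global security groups, never to an OU.
if (-not (Get-ADGroup -Filter "Name -eq '$ShadowGroup'")) {
    New-ADGroup -Name $ShadowGroup -GroupScope Global `
        -GroupCategory Security -Path $GroupPath
}

# 2. Create the PSO once and link it to the shadow group.
#    When several PSOs reach a user, the lowest precedence value wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '365.00:00:00' -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $ShadowGroup
}

# 3. Sync: group membership must equal the set of users under the OU.
$want = @(Get-ADUser -Filter * -SearchBase $OuDn -SearchScope Subtree |
          Select-Object -ExpandProperty DistinguishedName)
$have = @(Get-ADGroupMember -Identity $ShadowGroup |
          Select-Object -ExpandProperty distinguishedName)
$toAdd    = @($want | Where-Object { $have -notcontains $_ })
$toRemove = @($have | Where-Object { $want -notcontains $_ })
if ($toAdd)    { Add-ADGroupMember    -Identity $ShadowGroup -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $ShadowGroup -Members $toRemove -Confirm:$false }

# 4. Audit: flag users whose effective policy is not the expected PSO.
#    No result means no PSO applies and the domain password policy is in force.
foreach ($dn in $want) {
    $rp = Get-ADUserResultantPasswordPolicy -Identity $dn
    $effective = if ($rp) { $rp.Name } else { 'Default Domain Policy' }
    if ($effective -ne $PsoName) {
        Write-Warning "$dn resolves to '$effective', expected '$PsoName'"
    }
}
```

Run it on a schedule so accounts moved into or out of the OU do not keep a stale policy; a warning in step 4 usually means a user-linked PSO or a lower-precedence PSO is overriding the intended one.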