usom
asked on
Server 2008 Granular Password Policy Issue
I'm trying to set up a PSO that uses a separate set of password policies for certain users with higher security requirements. I've followed the guide for doing this found here: http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html
My environment contains 2 Windows Server 2003 DCs that share the FSMO roles, and another Windows Server 2008 DC that has the Global Catalog. One of the Server 2003 (the Domain Naming and Schema Master) DCs is also a Global Catalog server.
I have created a PSO with the settings I want and applied it to the Group I want it to effect. I confirmed that the group has the msDS-PSOApplied setting set pointing to my PSO as well as confirmed that the msDS-PSOAppliesTo setting on the PSO itself contains my group. I also added a specific user account to the msDS-PSOAppliesTo setting and it still does not work.
When I log in as a user who is supposed to be getting these settings, I am still allowed to change my password to something with only 4 chars (minimum is 8 on my PSO).
Does anybody have any idea why this might not be working? Thank you.
My environment contains 2 Windows Server 2003 DCs that share the FSMO roles, and another Windows Server 2008 DC that has the Global Catalog. One of the Server 2003 (the Domain Naming and Schema Master) DCs is also a Global Catalog server.
I have created a PSO with the settings I want and applied it to the Group I want it to effect. I confirmed that the group has the msDS-PSOApplied setting set pointing to my PSO as well as confirmed that the msDS-PSOAppliesTo setting on the PSO itself contains my group. I also added a specific user account to the msDS-PSOAppliesTo setting and it still does not work.
When I log in as a user who is supposed to be getting these settings, I am still allowed to change my password to something with only 4 chars (minimum is 8 on my PSO).
Does anybody have any idea why this might not be working? Thank you.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Not for fine-grained passwords, but you are almost there.
Just a few more DCs to go and you will be at W2K8 DFL...way ahead of many places.
Just a few more DCs to go and you will be at W2K8 DFL...way ahead of many places.
ASKER