Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Block Inheritence of Password Policy

Posted on 2009-05-08
5
735 Views
Last Modified: 2012-05-06
We have a new password policy we are now enforcing via group policy in active directory.  But I would like to stop this password policy from hitting a couple OUs.  I have set those OUs to 'block inheritence but I still can not create the accounts in them because of the password complexity.  Is that by design or am I doing something wrong?
0
Comment
Question by:serjosh
5 Comments
 
LVL 1

Expert Comment

by:mabthal
ID: 24338689
This is by design
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24338768
The password policy in 2000/2003 domains is set at domain level, so you can't block it in your child OUs.

0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 24338779
The password policy applies at the domain level and you can't block it or have separate password policies
If you want a different policy in a 2000 or 2003 domain you can use 3rd party tools, for example:
http://www.specopssoft.com/products/specopspasswordpolicy/
When you get to a windows 2008 domain functional level you can apply different policies to users and group (known as fine grained passwords)
So tell your boss that you can't change the Microsoft code :)
Thanks
Mike
0
 
LVL 16

Expert Comment

by:cantoris
ID: 24338797
All accounts in an Active Directory domain take their password policy from a Group Policy Object at the domain level, irrespective of what you have configured in policy at the OU level.  Password policy applied elsewhere will only apply to *local* accounts on domain PCs.
The only exception to this is AD in Server 2008 that can use Fine-Grained Password Policies - which are implemented in a different way.
0
 
LVL 18

Expert Comment

by:Americom
ID: 24338959
Unless you create another domain for win2k/2k3, otherwise, one password policy per domain. But having another domain just for password may not be justified financially. So, you may want to leave as is, upgrade to win2k8 or 3rd party tool as Mike suggested.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolve DNS query failed errors for Exchange
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question