disable password complex on some users windows 2k3r2  domain

davevinc
davevinc used Ask the Experts™
on
Hallo Boyz,
I need to disable password complexiy (and minimum lghet etc ec ) in a MS 2003r2 Active directory Domain for only some users.
By default , the security template are loaded on to de DC-Computer Locally and apply only on Computer-template .
is it possible there is no way to disabile the PWD-related Policy other then disabile ON ALL USERS in my domain ?
 i want disable  password complexity for some account  the are only account for internal purpose service.
Any idea?
Thanks a lot
Dave
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Unfortunately, no.  This feature is introduced with Server 2008
http://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx
LBizzleMicrosoft Enterprise Administrator & AWS cloud Consultant

Commented:
You can do this but you will need to have a new container\OU created for the users you either want it applied too or do not want it applied too. Then either enable the complexity on the new OU or have it on the whole domain and disable Policy inheritance from the new OU and move the users you do not want it to affect in to there.

From what I get on your note above you only want to disable this on some service accounts?.. I would create a container just for service accounts and remove the policy (no inheritance and not enforced) from that container.
Success in ‘20 With a Profitable Pricing Strategy

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Top Expert 2013

Commented:
Another good third party program is specops
http://www.specopssoft.com/web/specops-password-policy.aspx
Previous posters are correct about 2008 and fine grained passwords and the policies.
Thanks
Mike
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
Your only option (not involvoing third-party tools or upgrading to W2k8) is to temporarily disable the password policy, set the passwords for these accounts, check the "Password never expires" flag in the user's AD properties, and then re-enable the normal password policy.
To disable the regular password policy, create a new GPO "DisablePasswordPolicy" or whatever. Explicitly disable/set to the lowest setting the policies you don't want to apply.
At a time when users are unlikely to logon and/or change their password:
- Logon to a DC.
- Link the "DisablePasswordPolicy" policy to the domain root(!), and give it the highest priority of the GPOs linked there.
- Open a command prompt, enter
gpupdate /target:computer /force
- Set the passwords for the special users.
- Disable the link to the "DisablePasswordPolicy" (no need to delete, in case you want to repeat this at some point).
- Open a command prompt, enter
gpupdate /target:computer /force
LBizzleMicrosoft Enterprise Administrator & AWS cloud Consultant

Commented:
I'll test disabling the Default domain GPO to one of my test OU's and get back to you on that; I don't want to be passing on bad info.
Commented:
Even you have domain controller of windows 2008 along with windows 2003,you can't configure different password policy for different user. The functional level has to be windows 2008 means all the dc has to be windows 2008 to apply fine-grained policy.

The fine grained policy is applied at groups not on OU.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial