Two Password Policies

I have a password policy at my Domain level that is being forced down to the lower OUs.  However, I have two OUs where I need to stop this policy from applying.  I can't block inheritance, because I have other polcies that still need to apply.

Any ideas on the best way to go about this?
LVL 1
januismerAsked:
Who is Participating?
 
Ronin_1Connect With a Mentor Commented:
Take a look at the following this explains how to use fine grained password policies.

http://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx

0
 
Darius GhassemCommented:
You can not block password policy you can implement what Ronin suggested which is fine grained password polices.

Good article.

http://blogs.technet.com/b/seanearp/archive/2007/10/06/windows-server-2008-fine-grained-password-policy-walkthrough.aspx
0
 
januismerAuthor Commented:
Thanks for the responses!

In reading Ronin's suggestion I ran across this on YouTube which sheds some real world light on the subject:

http://www.youtube.com/watch?v=kmShKNZ83e4

Essentially its all the same thing that Ronin and darisq are talking about.  I went through the steps and have the PSO created and applied to my group, BUT...

Here is my dilemma, we're creating these accounts for elementary students (grades K-5).  We don't give them passwords and basically have the passwords set to (blank).  We have to turn off the Domain policy initially to get this to fly when we create the accounts in mass.  Now that school is in session and the majority of accounts have been created, we only need to deal with new students.  When copying/creating a new student from an existing student the adding of the new student fails with this error even though the PSO is in place:

"Windows cannot create the object because:  Unable to update the password. The value provided for the new password does not meeting the length, complexity, or history requirements for the domain."

Any ideas?  I don't want to have to turn the domain policy off/on every time I need to add a new student.

Here are my settings for the PSO:

Password Settings Precedence = 1
Encryption Enabled = FALSE
History Length = 24
Complexity Enabled = FALSE
Password Length = 0
Minimum Password Age = 1:00:00:00
Maximum Password Age = 365:00:00:00
Lockout Threshold = 0
Lockout Observation = (none)
Lockout Duration = (non)
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
Darius GhassemCommented:
Now when you are copying the users the min is not being meet. Try creating a new user.
0
 
januismerAuthor Commented:
Just tried it and received the same error.
0
 
Darius GhassemConnect With a Mentor Commented:
You are going to have to meet the password requirements with new users. I'm thinking exisiting so there is not a way around you must meet the requirements at creation
0
 
januismerAuthor Commented:
But then I could have them reset them to blank do you think?
0
 
Darius GhassemCommented:
If you remove the password policy you can then add blank passwords but I suggest you give the user a default password the meets the requirements
0
 
januismerAuthor Commented:
Thanks... Meeting the policy initially, but then changing it thereafter works!

Thanks again!
0
 
januismerAuthor Commented:
Thanks for you help!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.