Solved

Two Password Policies

Posted on 2010-09-20
10
507 Views
Last Modified: 2012-05-10
I have a password policy at my Domain level that is being forced down to the lower OUs.  However, I have two OUs where I need to stop this policy from applying.  I can't block inheritance, because I have other polcies that still need to apply.

Any ideas on the best way to go about this?
0
Comment
Question by:januismer
  • 5
  • 4
10 Comments
 
LVL 7

Accepted Solution

by:
Ronin_1 earned 250 total points
ID: 33715772
Take a look at the following this explains how to use fine grained password policies.

http://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx

0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33716113
You can not block password policy you can implement what Ronin suggested which is fine grained password polices.

Good article.

http://blogs.technet.com/b/seanearp/archive/2007/10/06/windows-server-2008-fine-grained-password-policy-walkthrough.aspx
0
 
LVL 1

Author Comment

by:januismer
ID: 33718402
Thanks for the responses!

In reading Ronin's suggestion I ran across this on YouTube which sheds some real world light on the subject:

http://www.youtube.com/watch?v=kmShKNZ83e4

Essentially its all the same thing that Ronin and darisq are talking about.  I went through the steps and have the PSO created and applied to my group, BUT...

Here is my dilemma, we're creating these accounts for elementary students (grades K-5).  We don't give them passwords and basically have the passwords set to (blank).  We have to turn off the Domain policy initially to get this to fly when we create the accounts in mass.  Now that school is in session and the majority of accounts have been created, we only need to deal with new students.  When copying/creating a new student from an existing student the adding of the new student fails with this error even though the PSO is in place:

"Windows cannot create the object because:  Unable to update the password. The value provided for the new password does not meeting the length, complexity, or history requirements for the domain."

Any ideas?  I don't want to have to turn the domain policy off/on every time I need to add a new student.

Here are my settings for the PSO:

Password Settings Precedence = 1
Encryption Enabled = FALSE
History Length = 24
Complexity Enabled = FALSE
Password Length = 0
Minimum Password Age = 1:00:00:00
Maximum Password Age = 365:00:00:00
Lockout Threshold = 0
Lockout Observation = (none)
Lockout Duration = (non)
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33718878
Now when you are copying the users the min is not being meet. Try creating a new user.
0
 
LVL 1

Author Comment

by:januismer
ID: 33719051
Just tried it and received the same error.
0
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 250 total points
ID: 33719073
You are going to have to meet the password requirements with new users. I'm thinking exisiting so there is not a way around you must meet the requirements at creation
0
 
LVL 1

Author Comment

by:januismer
ID: 33719088
But then I could have them reset them to blank do you think?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33719119
If you remove the password policy you can then add blank passwords but I suggest you give the user a default password the meets the requirements
0
 
LVL 1

Author Comment

by:januismer
ID: 33734895
Thanks... Meeting the policy initially, but then changing it thereafter works!

Thanks again!
0
 
LVL 1

Author Closing Comment

by:januismer
ID: 33780156
Thanks for you help!
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question