How to apply password policy using GPO?

Posted on 2010-09-24
Last Modified: 2012-05-10
I have one Windows 2003 DC. I don't understand how the Password Policy GPO works. There seem to be many places to configure password policy, such as Default Domain Policy, Default Domain Controller Policy, User OU policy, AD Site Policy...

It seems to me the password policy is only honored at the domain level, which is the Default Domain Policy. I created an OU policy called AccountingGPO and set higher account security, but it doesn't work. By the way, after every change I made on the domain controller, I ran the gpupdate command to refresh all policies.

How do I make my OU account password policy work?

And further to this, what will be affected if I change the Password Policy in a Domain Controller policy? Domain controllers don't even have local user accounts!

Thanks,
Jerry
Question by:JerryJay
 
LVL 7

Assisted Solution

by:GridLock137
GridLock137 earned 100 total points
ID: 33755985
You want to do the domain security policy and apply the policy to the OU. Make sure you right-click on the policy and enforce it, then you can do gpupdate on the machine that is part of the OU.

http://technet.microsoft.com/en-us/library/cc781633(WS.10).aspx

It definitely sounds like the policy is not being enforced. Go to that policy, right-click it and enforce it; it should work after that.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33755994
In 2003 you can only have one account/password policy per domain, and that can only be linked at the domain level. Policies applied at the OU level only apply to local accounts and not domain accounts.

There are 3rd-party tools that can help: http://www.specopssoft.com/products/specops-password-policy

In a 2008 domain you can use fine-grained password policies to apply different policies to different groups or users.
See a similar question I helped with a few days ago: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26492341.html

Thanks
Mike
 
LVL 7

Assisted Solution

by:GridLock137
GridLock137 earned 100 total points
ID: 33756046
I just took a look on my server. You should download the Group Policy Management tool; this will allow you to open AD Users and Computers, right-click on the OU and select Properties, and then the Group Policy tab > click on Open > expand the Accounting OU you created and see if you see the policy you created there > right-click the policy and select Enforced. If you do not see it there, simply right-click again and choose "Create and Link a GPO Here" and create your password policy for that OU. Just remember the Default Domain Policy takes precedence over any, so you might want to un-enforce it, or maybe not, depending on whether you are actually using it. This should work, but just remember that the Default Domain Policy will override anything under it; I could be wrong. Follow the above and enforce the new policy for the OU, run gpupdate, and test it before un-enforcing the Default Domain Policy.
LVL 57

Expert Comment

by:Mike Kline
ID: 33756070
Password/Account policies applied at the OU level will only apply to local accounts.  You can't apply password/account policies to domain accounts on an OU level...has to be linked at the domain level that is why the PW policy is only applying at the domain level....by design in the 2003 domain
 
Thanks
Mike
 
LVL 4

Assisted Solution

by:williamvanerp
williamvanerp earned 50 total points
ID: 33756082
You have to run gpupdate /force on the client, not on the DC. Changing the password policy in the Domain Controller policy does not have any effect, other than being applied to user accounts in the Domain Controllers OU.

Are you sure the accounts are in the OU you set the policy on? You can check the order of applied policies on a client by running an mmc and loading the Resultant Set of Policy snap-in. This will help: http://www.microsoft.com/windowsxp/using/setup/expert/rsop.mspx
 

Author Comment

by:JerryJay
ID: 33759886
Thanks for all replies.

My understanding based on the above replies is that one domain can only have one password/account policy, which is at the domain level.

What I don't understand is "Password/Account policies applied at the OU level will only apply to local accounts" - mkline71. I understand OU is a domain concept, so why can OU policies apply to local accounts?

williamvanerp: Yes, I am sure the accounts are in the OU; I use the Group Policy Management Console.

By the way, the Default Domain Policy is set to be unenforced, and the OU password policy is set to be enforced.

Thanks
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 350 total points
ID: 33760698
Why OU policies will only apply to local accounts (on computers in that OU) is because that is how Microsoft developed things 10 years ago when AD was released.

Microsoft heard the need for different PW policies, and that is why with 2008 you can have different policies for users/groups.

Thanks

Mike
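A way to see the distinction Mike describes on a live system, as an added example that is not from any poster in this thread: it contrasts the policy a member computer enforces on its local accounts (which is what an OU-linked GPO's Account Policies settings change) with the single domain-wide policy that domain user accounts are checked against, and then asks which policy a given user actually gets. It assumes a domain-joined Windows computer with the RSAT ActiveDirectory PowerShell module and a DC reachable through Active Directory Web Services; `jsmith` is a placeholder user name, and the fine-grained (PSO) part only returns something in a 2008-or-later domain.

```powershell
# Added example, not from this thread: contrast the password policy a member
# computer enforces on its LOCAL accounts (what an OU-linked GPO changes) with the
# single policy the domain enforces on DOMAIN accounts (domain-linked GPO only).
# Assumes: domain-joined machine, RSAT ActiveDirectory module, a DC reachable via
# Active Directory Web Services. 'jsmith' below is a placeholder user name.
Import-Module ActiveDirectory

function Get-LocalAccountPolicy {
    # 'net accounts' with no /domain switch reads the local SAM policy on this computer.
    net accounts | Where-Object { $_ -match ':' } | ForEach-Object {
        $name, $value = $_ -split ':\s*', 2
        [pscustomobject]@{ Setting = $name.Trim(); LocalValue = $value.Trim() }
    }
}

function Get-DomainAccountPolicy {
    # The one domain-wide policy; this is what domain user accounts are checked against.
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        MinPasswordLength    = $p.MinPasswordLength
        PasswordHistoryCount = $p.PasswordHistoryCount
        MaxPasswordAgeDays   = $p.MaxPasswordAge.Days
        ComplexityEnabled    = $p.ComplexityEnabled
        LockoutThreshold     = $p.LockoutThreshold
    }
}

function Get-EffectiveUserPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # 2008+ domains only: a fine-grained policy (PSO) overrides the domain default
    # for the users/groups it applies to; $null means the domain default applies.
    try {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    } catch {
        return "Fine-grained policies unavailable (pre-2008 domain?): $($_.Exception.Message)"
    }
    if ($null -ne $pso) {
        return "$SamAccountName -> PSO '$($pso.Name)' (precedence $($pso.Precedence), min length $($pso.MinPasswordLength))"
    }
    return "$SamAccountName -> default domain policy (no PSO applies)"
}

Write-Host "--- Local account policy on $env:COMPUTERNAME (OU GPO affects this) ---"
Get-LocalAccountPolicy | Format-Table -AutoSize
Write-Host "--- Domain account policy (only the domain-linked GPO affects this) ---"
Get-DomainAccountPolicy | Format-List
Write-Host "--- Resultant policy for one domain user ---"
Get-EffectiveUserPolicy -SamAccountName 'jsmith'
```

Running the first section on a workstation inside the AccountingGPO OU and comparing it with `net accounts /domain` makes the OU-versus-domain split visible without opening RSoP.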
 

Accepted Solution

by:JerryJay
JerryJay earned 0 total points
ID: 33763500
Thanks Mike, now I understand: you're talking about computer objects in that OU, not users. Er... I should have thought of that; the password/account policy belongs to Computer Configuration. Thanks Mike.

Please forgive me; 10 years ago I was an IT "baby" and wasn't aware of the great purpose :) Thank you for your explanation.

Jerry Jie