
How to apply password policy using GPO?

I have one Windows 2003 DC. I don't understand how the Password Policy GPO works. There seem to be many places to configure password policy, such as Default Domain Policy, Default Domain Controller Policy, User OU policy, AD Site Policy...

It seems to me the password policy is only honored at the domain level, which is the Default Domain Policy. I created an OU policy called AccountingGPO and set higher account security, but it doesn't work. By the way, after every change I made on the domain controller, I ran the gpupdate command to refresh all policies.

How do I make my OU account password policy work?

And further to this, what will be affected if I change the Password Policy in a Domain Controller policy? The domain controller doesn't even have local user accounts!

Thanks,
Jerry
GridLock137 commented:
You want to do the domain security policy and apply the policy to the OU. Make sure you right-click on the policy and enforce it; then you can do gpupdate on the machine that is part of the OU.

http://technet.microsoft.com/en-us/library/cc781633(WS.10).aspx

It definitely sounds like the policy is not being enforced. Go to that policy, right-click it and enforce it; it should work after that.
Mike Kline commented:
In 2003 you can only have one account/password policy per domain and that can only be linked at the domain level. Policies applied at the OU level only apply to local accounts and not domain accounts.

There are 3rd-party tools that can help: http://www.specopssoft.com/products/specops-password-policy

In a 2008 Domain you can use fine grained passwords to apply different policies to different groups or users.
See a similar question I helped with a few days ago: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26492341.html

Thanks
Mike
GridLock137 commented:
I just took a look on my server. You should download the Group Policy Management tool; this will allow you to open AD Users and Computers, right-click on the OU, select Properties and then the Group Policy tab > click Open > expand the accounting OU you created and see if you see the policy you created there > right-click the policy and select Enforced. If you do not see it there, simply right-click again, choose "Create and Link a GPO Here" and create your password policy for that OU. Just remember the Default Domain Policy takes precedence over any other, so you might want to un-enforce it; maybe not, it depends on whether you are actually using it. This should work, but just remember that the Default Domain Policy will override anything under it (I could be wrong). Follow the above, enforce the new policy for the OU, gpupdate and test it before un-enforcing the Default Domain Policy.
Mike Kline commented:
Password/Account policies applied at the OU level will only apply to local accounts. You can't apply password/account policies to domain accounts at the OU level; it has to be linked at the domain level. That is why the PW policy is only applying at the domain level: by design in the 2003 domain.

Thanks
Mike
williamvanerp commented:
You have to run gpupdate /force on the client, not on the DC. Changing the password policy in the Domain Controller policy does not have any effect, other than being applied to user accounts in the Domain Controllers OU.

Are you sure the accounts are in the OU you set the policy on? You can check the order of applied policies on a client by running an MMC and loading the Resultant Set of Policy snap-in. This will help: http://www.microsoft.com/windowsxp/using/setup/expert/rsop.mspx
JerryJay (Author) commented:
Thanks for all the replies.

My understanding based on the above replies is that one domain can only have one password/account policy, which is at the domain level.

What I don't understand is this: "Password/Account policies applied at the OU level will only apply to local accounts" (mkline71). I understand OU is a domain concept, so why can OU policies apply to local accounts?

williamvanerp: Yes, I am sure the accounts are in the OU; I use the Group Policy Management Console.

BTW, the Default Domain Policy is set to unenforced, and the OU password policy is set to enforced.

Thanks
Mike Kline commented:
Why OU policies will only apply to local accounts (on computers in that OU) is because that is how Microsoft developed things 10 years ago when AD was released.

Microsoft heard the need for different PW policies, and that is why with 2008 you can have different policies for users/groups.

Thanks

Mike
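A check that shows the distinction Mike describes on a member computer, added here as an example (not code from the thread or from any of the posters): the domain account policy that domain users are validated against, side by side with the local SAM policy that an OU-linked GPO changes. It assumes a domain-joined computer where net.exe is available; the function names and the list of settings compared are my own choices.

```powershell
# Added example, not from the thread. The account policy that governs domain users comes
# from the domain-linked GPO ("net accounts /domain" asks the PDC emulator for it), while an
# OU-linked password policy only lands in the local SAM of computers in that OU
# ("net accounts" with no switch). Run on a domain-joined member computer after gpupdate /force.

function Get-AccountPolicy {
    # Parses "net accounts" output into a hashtable of setting -> value.
    param([switch]$Domain)
    $netArgs = @('accounts')
    if ($Domain) { $netArgs += '/domain' }
    $policy = @{}
    foreach ($line in (& net.exe @netArgs 2>&1)) {
        # Output lines look like "Minimum password length:        7"
        if ("$line" -match '^(.+?):\s+(\S.*)$') {
            $policy[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $policy
}

function Compare-AccountPolicy {
    # Side-by-side view; a mismatch means the OU GPO changed this computer's local policy
    # but not the policy that domain accounts are actually checked against.
    param([hashtable]$DomainPolicy, [hashtable]$LocalPolicy)
    $settings = 'Minimum password length',
                'Maximum password age (days)',
                'Minimum password age (days)',
                'Length of password history maintained',
                'Lockout threshold'
    foreach ($s in $settings) {
        [pscustomobject]@{
            Setting      = $s
            DomainPolicy = $DomainPolicy[$s]
            ThisComputer = $LocalPolicy[$s]
            Match        = ($DomainPolicy[$s] -eq $LocalPolicy[$s])
        }
    }
}

$domainPolicy = Get-AccountPolicy -Domain
$localPolicy  = Get-AccountPolicy
Compare-AccountPolicy -DomainPolicy $domainPolicy -LocalPolicy $localPolicy | Format-Table -AutoSize
```

If the ThisComputer column reflects the OU GPO's values while DomainPolicy still shows the Default Domain Policy's values, the OU policy is applying exactly as Mike says: to the computer's local accounts only.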
JerryJay (Author) commented:
Thanks Mike, now I understand: you are talking about computer objects in that OU, not users. Er... I should have thought of that; the password/account policy belongs to Computer Configuration. Thanks Mike.

Please forgive me; 10 years ago I was an IT "baby" and wasn't aware of the great purpose :) Thank you for your explanation.

Jerry Jie