Solved

How to apply password policy using GPO?

Posted on 2010-09-24
8
709 Views
Last Modified: 2012-05-10
I have one Windows 2003 DC. I don't understand how the Password Policy GPO works. There seem to be many places to configure password policy, such as Default Domain Policy, Default Domain Controller Policy, User OU policy, AD Site Policy...

It seems to me the password policy is only honored at the Domain level, which is the Default Domain Policy. I created an OU policy called AccountingGPO and set higher account security, but it doesn't work. By the way, after every change I made on the domain controller, I ran the gpupdate command to refresh all policies.

How do I make my OU account password policy work?

And further to this, what will be affected if I change the Password Policy in a Domain Controller policy? The domain controller doesn't even have local user accounts!

Thanks,
Jerry
0
Question by:JerryJay
8 Comments
 
LVL 7

Assisted Solution

by:GridLock137
GridLock137 earned 100 total points
ID: 33755985
You want to do the domain security policy and apply the policy to the OU. Make sure you right-click on the policy and enforce it, then you can do gpupdate on the machine that is part of the OU.

http://technet.microsoft.com/en-us/library/cc781633(WS.10).aspx

It definitely sounds like the policy is not being enforced. Go to that policy, right-click it and enforce it; it should work after that.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33755994
In 2003 you can only have one account/password policy per domain and that can only be linked at the domain level. Policies applied at the OU level only apply to local accounts and not domain accounts.

There are 3rd party tools that can help http://www.specopssoft.com/products/specops-password-policy

In a 2008 Domain you can use fine grained passwords to apply different policies to different groups or users.
See a similar question I helped with a few days ago  http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26492341.html

Thanks
Mike
0
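As an added example (not code from this thread), the following PowerShell report shows which password policy actually governs a given domain account: the domain-root policy Mike describes, or a 2008-style fine-grained policy (PSO) that overrides it. It assumes the ActiveDirectory module from RSAT, a domain at 2008 or higher functional level for the PSO parts, and a placeholder user name.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) is installed; 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

# Normalise either a default domain policy or a PSO into one summary object,
# since both expose the same property names.
function ConvertTo-PolicySummary {
    param($Policy, [string]$Source)
    [pscustomobject]@{
        Source             = $Source
        MinPasswordLength  = $Policy.MinPasswordLength
        ComplexityEnabled  = $Policy.ComplexityEnabled
        PasswordHistory    = $Policy.PasswordHistoryCount
        MaxPasswordAgeDays = $Policy.MaxPasswordAge.TotalDays
        LockoutThreshold   = $Policy.LockoutThreshold
    }
}

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Fine-grained policies override the domain policy for their members;
    # if several apply, the one with the lowest Precedence value wins.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        return ConvertTo-PolicySummary -Policy $pso `
            -Source "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
    }

    # No PSO: the only GPO-based policy that reaches domain accounts is the
    # one linked at the domain root (normally the Default Domain Policy).
    $domain = Get-ADDefaultDomainPasswordPolicy
    ConvertTo-PolicySummary -Policy $domain -Source 'Default domain policy'
}

# Usage (placeholder account):
Get-EffectivePasswordPolicy -SamAccountName 'jdoe' | Format-List

# Inventory of every PSO in the domain, lowest precedence first, and who it
# applies to; an empty result means only the domain-root policy is in force.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo

# On a Windows 2003 domain (no PSOs) the domain-level values can be read
# from any member with:  net accounts /domain
```

An OU-linked GPO never shows up in this report for a domain account, which is the behaviour the thread describes: it only shapes the local SAM of computers in that OU.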
 
LVL 7

Assisted Solution

by:GridLock137
GridLock137 earned 100 total points
ID: 33756046
I just took a look on my server. You should download the Group Policy Management tool; this will allow you to open AD Users and Computers, right-click on the OU and select Properties, then the Group Policy tab > click on Open > expand the Accounting OU you created and see if you see the policy you created there > right-click the policy and select Enforced. If you do not see it there, simply right-click again and choose "Create and link a GPO here" and create your password policy for that OU. Just remember the Default Domain Policy takes precedence over any, so you might want to un-enforce it; maybe not, depends if you are actually using it. This should work, but just remember that the Default Domain Policy will override anything under it; I could be wrong. Follow the above and enforce the new policy for the OU and gpupdate, and test it before un-enforcing the Default Domain Policy.
0

 
LVL 57

Expert Comment

by:Mike Kline
ID: 33756070
Password/Account policies applied at the OU level will only apply to local accounts. You can't apply password/account policies to domain accounts on an OU level; it has to be linked at the domain level. That is why the PW policy is only applying at the domain level: by design in the 2003 domain.
 
Thanks
Mike
0
 
LVL 4

Assisted Solution

by:williamvanerp
williamvanerp earned 50 total points
ID: 33756082
You have to run gpupdate /force on the client, not on the DC. Changing the password policy in the Domain Controller policy does not have any effect, other than being applied to user accounts in the Domain Controllers OU.

You sure the accounts are in the OU you set the policy on? You can check the order of applied policies on a client by running a mmc and load the Resultant set of Policy. This will help http://www.microsoft.com/windowsxp/using/setup/expert/rsop.mspx
0
 

Author Comment

by:JerryJay
ID: 33759886
Thanks for all replies.

My understanding based on the above replies is that one domain can only have one password/account policy, which is at the domain level.

What I don't understand is: "Password/Account policies applied at the OU level will only apply to local accounts" - mkline71. I understand OU is a domain concept, so why can OU policies apply to local accounts?

williamvanerp: Yes, I am sure the accounts are in the OU; I use the Group Policy Management Console.

BTW, the Default Domain Policy is set to be unenforced, and the OU password policy is set to be enforced.

Thanks
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 350 total points
ID: 33760698
Why OU policies will only apply to local accounts (on computers in that OU) is because that is how Microsoft developed things 10 years ago when AD was released.

Microsoft heard the need for different PW policies, and that is why with 2008 you can have different policies for users/groups.

Thanks

Mike
0
 

Accepted Solution

by:JerryJay
JerryJay earned 0 total points
ID: 33763500
Thanks Mike, now I understand: you are talking about computer objects in that OU, not users. Er... I should have thought of that; the password/account policy belongs to Computer Configuration. Thanks Mike.

Please forgive me; 10 years ago I was an IT "baby" and wasn't aware of the great purpose :) Thank you for your explanation.

Jerry Jie
0
