JerryJay
asked on
How to apply password policy using GPO?
I have one Windows 2003 DC. I don't understand how the Password Policy GPO works. there seem to be many places to configure password policy such as Default Domain Policy, Default Domain Controller Policy, User OU policy, AD Site Policy...
it seems to me the passwork policy only honor at Domain level, which is Default Domain Policy. I created an OU policy called AccountingGPO, set higher account security, but doesn't work. by the way, after every changes I made on the domain controller, I ran gpupdate command to refresh all policies.
How to make my OU account password policy work?
and further to this, what will affect if I change Password Policy in a Domain controller policy? domain controller doesn't even have local user account exist!
Thanks,
Jerry
it seems to me the passwork policy only honor at Domain level, which is Default Domain Policy. I created an OU policy called AccountingGPO, set higher account security, but doesn't work. by the way, after every changes I made on the domain controller, I ran gpupdate command to refresh all policies.
How to make my OU account password policy work?
and further to this, what will affect if I change Password Policy in a Domain controller policy? domain controller doesn't even have local user account exist!
Thanks,
Jerry
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Password/Account policies applied at the OU level will only apply to local accounts. You can't apply password/account policies to domain accounts on an OU level...has to be linked at the domain level that is why the PW policy is only applying at the domain level....by design in the 2003 domain
Thanks
Mike
Thanks
Mike
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks for all replies.
my understanding based on above replies is that one domain can only have one password/account policy, which is at domain level.
What I don't understand is - "Password/Account policies applied at the OU level will only apply to local accounts" - mkline71. I understand OU is a domain concept, why OU policies can apply to local accounts?
williamvanerp: Yes, I am sure the account are in the OU, I use Group Policy Management Console.
btw, the default domain policy is set to be unenforced, and OU password policy is set to be enfored
Thanks
my understanding based on above replies is that one domain can only have one password/account policy, which is at domain level.
What I don't understand is - "Password/Account policies applied at the OU level will only apply to local accounts" - mkline71. I understand OU is a domain concept, why OU policies can apply to local accounts?
williamvanerp: Yes, I am sure the account are in the OU, I use Group Policy Management Console.
btw, the default domain policy is set to be unenforced, and OU password policy is set to be enfored
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
There are 3rd party tools that can help http://www.specopssoft.com
In a 2008 Domain you can use fine grained passwords to apply different policies to different groups or users.
See a similar question I helped with a few days ago https://www.experts-exchange.com/questions/26492341/Group-Policy-Account-Policies-Settings-not-enforced.html
Thanks
Mike