Solved

How to apply password policy using GPO?

Posted on 2010-09-24
Last Modified: 2012-05-10
I have one Windows 2003 DC. I don't understand how the Password Policy GPO works. There seem to be many places to configure password policy, such as Default Domain Policy, Default Domain Controller Policy, User OU policy, AD Site Policy...

It seems to me the password policy is only honored at the domain level, which is the Default Domain Policy. I created an OU policy called AccountingGPO and set higher account security, but it doesn't work. By the way, after every change I made on the domain controller, I ran the gpupdate command to refresh all policies.

How do I make my OU account password policy work?

And further to this, what will be affected if I change the Password Policy in a Domain Controller policy? The domain controller doesn't even have any local user accounts!

Thanks,
Jerry
Question by:JerryJay
8 Comments
Assisted Solution

by:GridLock137
GridLock137 earned 400 total points
ID: 33755985
You want to do the domain security policy and apply the policy to the OU. Make sure you right-click on the policy and enforce it, then you can do gpupdate on the machine that is part of the OU.

http://technet.microsoft.com/en-us/library/cc781633(WS.10).aspx

It definitely sounds like the policy is not being enforced. Go to that policy, right-click it and enforce it; it should work after that.
Expert Comment

by:Mike Kline
ID: 33755994
In 2003 you can only have one account/password policy per domain and that can only be linked at the domain level. Policies applied at the OU level only apply to local accounts and not domain accounts.

There are 3rd-party tools that can help: http://www.specopssoft.com/products/specops-password-policy

In a 2008 domain you can use fine-grained password policies to apply different policies to different groups or users.
See a similar question I helped with a few days ago: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26492341.html

Thanks
Mike
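As an added example (not code from this thread), this PowerShell shows how to see which policy actually governs a given domain account: on a 2003 domain it will always be the domain-level policy, while on a 2008-or-later domain a fine-grained policy (PSO) may win. It assumes the ActiveDirectory module (RSAT / Server 2008 R2+ cmdlets); the user name and the baseline thresholds are assumptions.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is
# available; 'jsmith' and the baseline thresholds below are assumptions.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # The domain-wide policy: the only one a 2003 domain can have for domain
    # accounts, and it must be linked at the domain root.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # On 2008+ domains a PSO may apply to this user; the cmdlet returns
    # nothing when no PSO applies, so the domain policy is the fallback.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName

    if ($pso) {
        $source = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
        $policy = $pso
    } else {
        $source = "Default domain policy ($($domainPolicy.DistinguishedName))"
        $policy = $domainPolicy
    }

    [pscustomobject]@{
        User                 = $SamAccountName
        Source               = $source
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        PasswordHistoryCount = $policy.PasswordHistoryCount
        MaxPasswordAge       = $policy.MaxPasswordAge
        LockoutThreshold     = $policy.LockoutThreshold
        ReversibleEncryption = $policy.ReversibleEncryptionEnabled
    }
}

# Flag settings weaker than a chosen baseline (thresholds are assumptions).
function Test-PasswordPolicyBaseline {
    param($Policy, [int]$MinLength = 14)
    $findings = @()
    if ($Policy.MinPasswordLength -lt $MinLength) { $findings += "MinPasswordLength $($Policy.MinPasswordLength) below $MinLength" }
    if (-not $Policy.ComplexityEnabled)          { $findings += "Complexity requirement disabled" }
    if ($Policy.ReversibleEncryption)            { $findings += "Reversible encryption enabled" }
    if ($Policy.LockoutThreshold -eq 0)          { $findings += "No account lockout threshold" }
    if ($Policy.MaxPasswordAge.TotalDays -eq 0)  { $findings += "Passwords never expire" }
    return $findings
}

$effective = Get-EffectivePasswordPolicy -SamAccountName 'jsmith'
$effective | Format-List
Test-PasswordPolicyBaseline -Policy $effective
```

Against a 2003 domain these cmdlets need the Active Directory Management Gateway Service on a DC, and the Source field will only ever report the default domain policy, which is the behaviour the thread describes.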
Assisted Solution

by:GridLock137
GridLock137 earned 400 total points
ID: 33756046
I just took a look on my server. You should download the Group Policy Management tool; this will allow you to open AD Users and Computers, right-click on the OU, select Properties and then the Group Policy tab, click Open, expand the Accounting OU you created and see if you see the policy you created there, then right-click the policy and select Enforced. If you do not see it there, simply right-click again and choose "Create and Link a GPO Here" and create your password policy for that OU. Just remember the Default Domain Policy takes precedence over any, so you might want to un-enforce it, or maybe not, depending on whether you are actually using it. This should work, but just remember that the Default Domain Policy will override anything under it; I could be wrong. Follow the above and enforce the new policy for the OU, run gpupdate and test it before un-enforcing the Default Domain Policy.
Expert Comment

by:Mike Kline
ID: 33756070
Password/Account policies applied at the OU level will only apply to local accounts. You can't apply password/account policies to domain accounts at an OU level; it has to be linked at the domain level. That is why the PW policy is only applying at the domain level... by design in a 2003 domain.
 
Thanks
Mike
Assisted Solution

by:williamvanerp
williamvanerp earned 200 total points
ID: 33756082
You have to run gpupdate /force on the client, not on the DC. Changing the password policy in the Domain Controller policy does not have any effect, other than being applied to user accounts in the Domain Controllers OU.

Are you sure the accounts are in the OU you set the policy on? You can check the order of applied policies on a client by running an MMC and loading Resultant Set of Policy. This will help: http://www.microsoft.com/windowsxp/using/setup/expert/rsop.mspx

Author Comment

by:JerryJay
ID: 33759886
Thanks for all replies.

My understanding based on the above replies is that one domain can only have one password/account policy, which is at the domain level.

What I don't understand is "Password/Account policies applied at the OU level will only apply to local accounts" (mkline71). I understand OU is a domain concept, so why can OU policies apply to local accounts?

williamvanerp: Yes, I am sure the accounts are in the OU; I use the Group Policy Management Console.

BTW, the Default Domain Policy is set to be unenforced, and the OU password policy is set to be enforced.

Thanks
Assisted Solution

by:Mike Kline
Mike Kline earned 1400 total points
ID: 33760698
Why OU policies will only apply to local accounts (on computers in that OU) is because that is how Microsoft developed things 10 years ago when AD was released.

Microsoft heard the need for different PW policies and that is why with 2008 you can have different policies for users/groups.

Thanks

Mike

Accepted Solution

by:JerryJay
JerryJay earned 0 total points
ID: 33763500
Thanks Mike, now I understand: you are talking about computer objects in that OU, not users. Er... I should have thought of that; the password/account policy belongs to Computer Configuration. Thanks Mike.

Please forgive me; 10 years ago I was an IT "baby" and wasn't aware of the great purpose :) Thank you for your explanation.

Jerry Jie