Solved

How to apply password policy using GPO?

Posted on 2010-09-24
699 Views
Last Modified: 2012-05-10
I have one Windows 2003 DC. I don't understand how the Password Policy GPO works. There seem to be many places to configure password policy, such as Default Domain Policy, Default Domain Controller Policy, User OU policy, AD Site Policy...

It seems to me the password policy is only honored at the Domain level, which is the Default Domain Policy. I created an OU policy called AccountingGPO and set higher account security, but it doesn't work. By the way, after every change I made on the domain controller, I ran the gpupdate command to refresh all policies.

How do I make my OU account password policy work?

And further to this, what will be affected if I change the Password Policy in a Domain Controller policy? The domain controller doesn't even have local user accounts!

Thanks,
Jerry
Question by:JerryJay
8 Comments
 
Assisted Solution by GridLock137 (LVL 7, earned 100 total points)

You want to do the domain security policy and apply the policy to the OU; make sure you right-click on the policy and enforce it, then you can do gpupdate on the machine that is part of the OU.

http://technet.microsoft.com/en-us/library/cc781633(WS.10).aspx

It definitely sounds like the policy is not being enforced; go to that policy, right-click it and enforce it. It should work after that.
 
Expert Comment by Mike Kline (LVL 57)

In 2003 you can only have one account/password policy per domain and that can only be linked at the domain level. Policies applied at the OU level only apply to local accounts and not domain accounts.

There are 3rd-party tools that can help: http://www.specopssoft.com/products/specops-password-policy

In a 2008 Domain you can use fine grained passwords to apply different policies to different groups or users.
See a similar question I helped with a few days ago: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26492341.html

Thanks
Mike
 
Assisted Solution by GridLock137 (LVL 7, earned 100 total points)

I just took a look on my server. You should download the Group Policy Management tool; this will allow you to open AD Users and Computers, right-click on the OU and select Properties, then the Group Policy tab > click on Open > expand the Accounting OU you created and see if you see the policy you created there > right-click the policy and select Enforced. If you do not see it there, simply right-click again and choose Create and Link a GPO Here, and create your password policy for that OU. Just remember the Default Domain Policy takes precedence over any, so you might want to un-enforce it; maybe not, depends if you are actually using it. This should work, but just remember that the Default Domain Policy will override anything under it; I could be wrong. Follow the above and enforce the new policy for the OU and gpupdate, and test it before un-enforcing the Default Domain Policy.
 
Expert Comment by Mike Kline (LVL 57)

Password/Account policies applied at the OU level will only apply to local accounts. You can't apply password/account policies to domain accounts at an OU level; it has to be linked at the domain level. That is why the PW policy is only applying at the domain level; by design in the 2003 domain.
 
Thanks
Mike
 
Assisted Solution by williamvanerp (LVL 4, earned 50 total points)

You have to run gpupdate /force on the client, not on the DC. Changing the password policy in the Domain Controller policy does not have any effect, other than being applied to user accounts in the Domain Controllers OU.

Are you sure the accounts are in the OU you set the policy on? You can check the order of applied policies on a client by running an MMC and loading the Resultant Set of Policy snap-in. This will help: http://www.microsoft.com/windowsxp/using/setup/expert/rsop.mspx
 

Author Comment by JerryJay

Thanks for all the replies.

My understanding based on the above replies is that one domain can only have one password/account policy, which is at the domain level.

What I don't understand is "Password/Account policies applied at the OU level will only apply to local accounts" - mkline71. I understand an OU is a domain concept, so why can OU policies apply to local accounts?

williamvanerp: Yes, I am sure the accounts are in the OU; I used the Group Policy Management Console.

BTW, the default domain policy is set to unenforced, and the OU password policy is set to enforced.

Thanks
 
Assisted Solution by Mike Kline (LVL 57, earned 350 total points)

Why OU policies only apply to local accounts (on computers in that OU) is because that is how Microsoft developed things 10 years ago when AD was released.

Microsoft heard the need for different PW policies, and that is why with 2008 you can have different policies for users/groups.

Thanks

Mike
 

Accepted Solution by JerryJay (earned 0 total points)

Thanks Mike, now I understand; you are talking about computer objects in that OU, not users. Er... I should have thought of that; the password/account policy belongs to Computer Configuration. Thanks Mike.

Please forgive me; 10 years ago I was an IT "baby" and wasn't aware of the great purpose :) Thank you for your explanation.

Jerry Jie
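As an added example (not code from this thread or from any of its posters), the following script checks on a Windows Server 2008 R2 or later domain what the answers above describe: which GPOs are linked and enforced at the domain root, and which policy actually governs a given user once fine-grained policies exist. It assumes the ActiveDirectory and GroupPolicy RSAT modules and a hypothetical user 'jdoe'.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and GroupPolicy
# PowerShell modules (RSAT, Windows Server 2008 R2 or later; a 2003 DC needs the
# AD Management Gateway Service for Get-AD* cmdlets) and a hypothetical user 'jdoe'.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# 1. Only GPOs linked at the domain root can carry the domain account policy.
#    An OU-linked GPO (the thread's AccountingGPO) sets that policy for the local
#    SAM of the computers in the OU, never for domain accounts, enforced or not.
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# 2. Resolve the policy that actually governs one domain user.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $policy = $null
    # Fine-grained policies (PSOs) exist from the 2008 domain functional level on.
    if ($domain.DomainMode -ge [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
        # Reads msDS-ResultantPSO; returns nothing when no PSO applies to the user.
        $policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    }
    if ($policy) {
        $source = "PSO '$($policy.Name)' (precedence $($policy.Precedence))"
    } else {
        # No PSO: the single domain-level policy (Default Domain Policy by default) wins.
        $source = 'domain-level policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    [pscustomobject]@{
        User                 = $SamAccountName
        Source               = $source
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        PasswordHistoryCount = $policy.PasswordHistoryCount
        MaxPasswordAge       = $policy.MaxPasswordAge
        LockoutThreshold     = $policy.LockoutThreshold
        LockoutDuration      = $policy.LockoutDuration
    }
}

Get-EffectivePasswordPolicy -SamAccountName 'jdoe'
```

On a member computer, `gpresult /r /scope computer` shows the client-side Resultant Set of Policy that williamvanerp points to, including which GPO won for the Computer Configuration account settings.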
