Account policy for domain users

I need to set account policies for domain users.  The policy needs to include password complexity, length, age, and history settings.  I need to control WHO I apply these policies to.  We have several domain user accounts that are used for services on each of the workstations.  I cannot force password changes every 60 days on these special accounts without "breaking" certain programs.  I do not want to apply this policy to the administrator account either.  I only want to apply these policies to "regular staff" users and computers.

If I apply the new password policy to the domain GPO, I believe it will affect ALL the accounts including the administrator account and special service accounts.  I believe I need to create a new OU called STAFF-OU.  Do I place domain user accounts in that folder or domain computer accounts in that folder?    

The domain has two SERVER 2003 DCs and 4 SERVER 2008R2 DCs.

What's the best way to accomplish this?

Thanks for your assistance!
Azhrei1 Commented:
You could also filter the policy based on group membership, where the group would consist of your normal users, but that's a little overkill here I guess?
Azhrei1 Commented:
Put the user accounts in there, then apply the policy to that OU :)
QuietFrank Commented:
You are on the right path.

Create an OU for workstations, one for servers, one for standard users, and one for service accounts. I usually leave the Administrator account in the default OU (Users).

With it separated like this, you'll have the greatest flexibility in applying GPOs. It also allows you to create OUs in the OUs and have GPOs from both apply to the user/machine.



As I remember, in Windows 2003 the password is an exception to the regular GPO application, which allows you to create an OU, put some specific users and computers in it, and apply a specific GPO.

So I don't recommend doing it; try the other solutions, like a GPO filter or security permissions.

I hope this will work for you ...
dbldiamondAuthor Commented:
Thanks everyone.  I created a group called "STAFF", made all my users members and then filtered the GPO.  Decided to take this route as AD is fairly small.  Thanks again.  You're all right so I'm splitting the points between you.
Thanks and good luck :)
Question has a verified solution.
