Account policy for domain users

Posted on 2011-05-11
Last Modified: 2012-05-11
I need to set account policies for domain users.  The policy needs to include password complexity, length, age, and history settings.  I need to control WHO I apply these policies to.  We have several domain user accounts that are used for services on each of the workstations.  I cannot force password changes every 60 days on these special accounts without "breaking" certain programs.  I do not want to apply this policy to the administrator account either.  I only want to apply these policies to "regular staff" users and computers.

If I apply the new password policy to the domain GPO, I believe it will affect ALL the accounts including the administrator account and special service accounts.  I believe I need to create a new OU called STAFF-OU.  Do I place domain user accounts in that folder or domain computer accounts in that folder?    

The domain has two SERVER 2003 DCs and 4 SERVER 2008R2 DCs.

What's the best way to accomplish this?

Thanks for your assistance!
Question by:dbldiamond
    LVL 6

    Assisted Solution

    Put the user accounts in there, then apply the policy to that OU :)
    LVL 6

    Accepted Solution

    You could also filter the policy based on group membership, where the group would consist of your normal users, but that's a little overkill here I guess?
    LVL 3

    Assisted Solution

    You are on the right path.

    Create an OU for workstations, one for servers, one for standard users, and one for service accounts. I usually leave the Administrator account in the default OU (Users).

    With it separated like this, you'll have the greatest flexibility in applying GPOs. It also allows you to create OUs in the OUs and have GPOs from both apply to the user/machine.


    LVL 1

    Expert Comment

    As I remember, in Windows 2003 the password is an exception to the regular GPO application, which allows you to create an OU, put some specific users and computers in it, and apply a specific GPO.

    So I don't recommend doing it; try the other solutions, like GPO filtering or security permissions.

    I hope this will work for you ...

    Author Comment

    Thanks everyone.  I created a group called "STAFF", made all my users members and then filtered the GPO.  Decided to take this route as AD is fairly small.  Thanks again.  You're all right so I'm splitting the points between you.
    LVL 6

    Expert Comment

    Thanks and good luck :)
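
An added check, not part of any post in this thread: the PowerShell below reads the password policy the domain actually enforces and reports, per account, whether and when the password expires, so the effect of OU placement or GPO filtering can be verified on the staff, service and Administrator accounts. It assumes the ActiveDirectory module (available with Server 2008 R2) and uses the thread's STAFF group; the account name `svc-backup` is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (ships with Server 2008 R2 / RSAT) and a reachable 2008 R2 domain controller.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param(
        [Parameter(Mandatory = $true)][string[]]$SamAccountName,
        [string]$StaffGroup = 'STAFF'   # group name taken from the thread
    )

    # Password settings the domain enforces on domain accounts.
    $policy = Get-ADDefaultDomainPasswordPolicy

    # Direct and nested user members of the staff group.
    $staff = @(Get-ADGroupMember -Identity $StaffGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $_.SamAccountName })

    foreach ($name in $SamAccountName) {
        $u = Get-ADUser -Identity $name -Properties PasswordNeverExpires, PasswordLastSet

        if ($u.PasswordNeverExpires) {
            $expires = 'never (account flag)'
        } elseif ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
            $expires = 'never (policy has no maximum age)'
        } elseif ($u.PasswordLastSet -eq $null) {
            $expires = 'must change at next logon'
        } else {
            $expires = ($u.PasswordLastSet + $policy.MaxPasswordAge).ToString('yyyy-MM-dd')
        }

        New-Object PSObject -Property @{
            Account         = $u.SamAccountName
            InStaffGroup    = ($staff -contains $u.SamAccountName)
            NeverExpires    = $u.PasswordNeverExpires
            PasswordExpires = $expires
            MinLength       = $policy.MinPasswordLength
            Complexity      = $policy.ComplexityEnabled
            History         = $policy.PasswordHistoryCount
        }
    }
}

# 'svc-backup' is a hypothetical service account name; replace with real ones.
Get-PasswordExpiryReport -SamAccountName 'Administrator', 'svc-backup' |
    Format-Table Account, InStaffGroup, NeverExpires, PasswordExpires -AutoSize
```

Run it once before and once after changing the GPO; if an account outside STAFF shows an expiry date, it is subject to the same maximum password age as the staff accounts.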
