Solved

Account policy for domain users

Posted on 2011-05-11
Last Modified: 2012-05-11
I need to set account policies for domain users. The policy needs to include password complexity, length, age, history settings. I need to control WHO I apply these policies to. We have several domain user accounts that are used for services on each of the workstations. I cannot force password changes every 60 days on these special accounts without "breaking" certain programs. I do not want to apply this policy to the administrator account either. I only want to apply these policies to "regular staff" users and computers.

If I apply the new password policy to the domain GPO, I believe it will affect ALL the accounts including the administrator account and special service accounts.  I believe I need to create a new OU called STAFF-OU.  Do I place domain user accounts in that folder or domain computer accounts in that folder?    

The domain has two SERVER 2003 DCs and 4 SERVER 2008R2 DCs.

What's the best way to accomplish this?

Thanks for your assistance!
Question by:dbldiamond
6 Comments
 
LVL 6

Assisted Solution

by:Azhrei1
Azhrei1 earned 1336 total points
ID: 35740861
Put the user accounts in there, then apply the policy to that OU :)
0
 
LVL 6

Accepted Solution

by:
Azhrei1 earned 1336 total points
ID: 35740868
You could also filter the policy based on group membership, where the group would consist of your normal users, but that's a little overkill here I guess?
0
 
LVL 3

Assisted Solution

by:QuietFrank
QuietFrank earned 664 total points
ID: 35740877
You are on the right path.

Create an OU for workstations, one for servers, one for standard users, and one for service accounts. I usually leave the Administrator account in the default OU (Users).

With it separated like this, you'll have the greatest flexibility in applying GPOs. It also allows you to create OUs in the OUs and have GPOs from both apply to the user/machine.

Frank

0

 
LVL 1

Expert Comment

by:Omer_Saeed
ID: 35741170
As I remember, in Windows 2003 the password is an exception to the regular GPO application, which allows you to create an OU, put some specific users and computers in it, and apply a specific GPO.

So I don't recommend doing it; try the other solutions, like GPO filtering or security permissions.

I hope this will work for you ...
0
 

Author Comment

by:dbldiamond
ID: 35741197
Thanks everyone.  I created a group called "STAFF", made all my users members and then filtered the GPO.  Decided to take this route as AD is fairly small.  Thanks again.  You're all right so I'm splitting the points between you.
0
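
One way to check the outcome of the group-based scoping described above, as an added example that is not part of the thread: the function takes account objects and reports staff accounts the 60-day rule is not reaching, and excluded accounts that would expire if it did. The function name, sample accounts and dates are constructed; STAFF and the 60-day age come from the question.

```powershell
# Added example, not from the thread. STAFF and the 60-day age come from the
# question; the account names and dates below are constructed sample data.
function Test-PasswordPolicyScope {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Accounts,
        [string[]] $StaffMembers = @(),   # sAMAccountNames of STAFF group members
        [int] $MaxAgeDays = 60,
        [datetime] $Now = (Get-Date)
    )
    foreach ($a in $Accounts) {
        $inScope = $StaffMembers -contains $a.SamAccountName
        $ageDays = $null   # stays null when the password has never been set
        if ($a.PasswordLastSet) {
            $ageDays = [int][math]::Floor(($Now - $a.PasswordLastSet).TotalDays)
        }
        $stale = ($null -ne $ageDays) -and ($ageDays -gt $MaxAgeDays)
        $finding = 'OK'
        if ($inScope -and $a.PasswordNeverExpires) {
            $finding = 'Staff account has PasswordNeverExpires set'
        } elseif ($inScope -and $stale) {
            $finding = 'Staff password older than maximum age'
        } elseif (-not $inScope -and $stale -and -not $a.PasswordNeverExpires) {
            $finding = 'Excluded account would expire if the policy reached it'
        }
        New-Object PSObject -Property @{
            Account = $a.SamAccountName; InScope = $inScope
            AgeDays = $ageDays; Finding = $finding
        }
    }
}

# Constructed sample input, shaped like Get-ADUser output.
$now = Get-Date '2011-07-20'
$sample = @(
    New-Object PSObject -Property @{ SamAccountName = 'jsmith';        PasswordLastSet = $now.AddDays(-20);  PasswordNeverExpires = $false }
    New-Object PSObject -Property @{ SamAccountName = 'mlee';          PasswordLastSet = $now.AddDays(-95);  PasswordNeverExpires = $false }
    New-Object PSObject -Property @{ SamAccountName = 'tkhan';         PasswordLastSet = $now.AddDays(-10);  PasswordNeverExpires = $true  }
    New-Object PSObject -Property @{ SamAccountName = 'svc-backup';    PasswordLastSet = $now.AddDays(-400); PasswordNeverExpires = $false }
    New-Object PSObject -Property @{ SamAccountName = 'Administrator'; PasswordLastSet = $now.AddDays(-30);  PasswordNeverExpires = $true  }
)
Test-PasswordPolicyScope -Accounts $sample -StaffMembers 'jsmith','mlee','tkhan' -Now $now |
    Format-Table Account, InScope, AgeDays, Finding -AutoSize

# Live input, using the ActiveDirectory module from Windows Server 2008 R2:
#   $staff = Get-ADGroupMember STAFF -Recursive | ForEach-Object { $_.SamAccountName }
#   $accts = Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires
#   Test-PasswordPolicyScope -Accounts $accts -StaffMembers $staff
```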
 
LVL 6

Expert Comment

by:Azhrei1
ID: 35741281
Thanks and good luck :)
0

Question has a verified solution.