Deploy password policy to sub OU's in Active Directory

I have a windows 2003 DC and I created a GPO with a new password policy that I applied to one of my top-level OU's. User's in our sub OU's do not appear to be affected by the policy and I am wondering if there is a way to avoid having to go to each OU and link the policy to them. Is there a way to force the OU's to inherit the policy?
J CAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mike KlineCommented:
In 2003 you can't have multiple password policies (only one per domain linked at the domain level) So your policy is not working by design.

There are third party tools that can help

Starting in 2008 Microsoft introduced fine grained password policies which let you define different passwords for different groups/users.



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Password policy can only be set at the domain level in windows 2003. Do not apply this policy to the OU . Check applying this Password policy to the Default Domain Policy .. This will inherit for all users under the Domain and OU's
J CAuthor Commented:
We have top-level OU's and users that we do not want affected...There is no way to exclude them from the password policy?
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Mike KlineCommented:
Not in a native 2003 domain no....Microsoft heard the call but FGPP was not introduced until 2008.
J CAuthor Commented:
Got it, thanks.

You need to have domain functionality level 2008 to have multiple password policies.Its a new feature introduced in 2008 server editions i.e, FGPP (Fine Grained Password Policy)
Kindly go through the following description :-

Fine-Grained Passwords

By default in windows 2003 all the user account in the domain should use the same password policy configured in domain level, that’s why we called domain is a security boundary, if you require a different password policy then you have to create new domain

In windows 2008 password policy can be configured for specific group of peoples within the domain
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.