Deploy password policy to sub OU's in Active Directory

I have a windows 2003 DC and I created a GPO with a new password policy that I applied to one of my top-level OU's. User's in our sub OU's do not appear to be affected by the policy and I am wondering if there is a way to avoid having to go to each OU and link the policy to them. Is there a way to force the OU's to inherit the policy?
J CAsked:
Who is Participating?
 
Mike KlineCommented:
In 2003 you can't have multiple password policies (only one per domain linked at the domain level) So your policy is not working by design.

There are third party tools that can help  http://www.specopssoft.com/products/specops-password-policy

Starting in 2008 Microsoft introduced fine grained password policies which let you define different passwords for different groups/users.

Thanks

Mike
0
 
jmanishbabuCommented:
Password policy can only be set at the domain level in windows 2003. Do not apply this policy to the OU . Check applying this Password policy to the Default Domain Policy .. This will inherit for all users under the Domain and OU's
0
 
J CAuthor Commented:
We have top-level OU's and users that we do not want affected...There is no way to exclude them from the password policy?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
Mike KlineCommented:
Not in a native 2003 domain no....Microsoft heard the call but FGPP was not introduced until 2008.
0
 
J CAuthor Commented:
Got it, thanks.
0
 
gurdeep1302Commented:
Hello,

You need to have domain functionality level 2008 to have multiple password policies.Its a new feature introduced in 2008 server editions i.e, FGPP (Fine Grained Password Policy)
Kindly go through the following description :-

Fine-Grained Passwords

By default in windows 2003 all the user account in the domain should use the same password policy configured in domain level, that’s why we called domain is a security boundary, if you require a different password policy then you have to create new domain

In windows 2008 password policy can be configured for specific group of peoples within the domain
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.