How can I apply / enforce password policies at an individual OU level?

Hi, I am at a point where I can finally apply/enforce password policies in my domain.

I have all DCs running Server 2008 R2 now. And most of my users' domain PCs are running Windows 7 Enterprise (Pro) in my environment. However, I do still have some Windows XP Pro domain PCs and several Server 2003 member servers.

I need to enforce password policies (i.e. password complexity, lockouts, max password expiry, etc.) on individual OUs.

I heard this is possible now with Server 2008 (Group Policy Preferences), but not sure how to go about it.

Also, will I have issues enforcing these individual OU password policies with Windows XP Pro domain PCs, if they are up-to-date (i.e. SP3, etc.)?

Any help is greatly appreciated.

Thanks in advance.
rsnellman (IT Manager) asked:
Shabarinath Ramadasan (Infrastructure Architect) commented:
Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. The domain functional level must be Windows Server 2008.

Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a shadow group.

A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.
Source - http://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx

Good luck
Shaba
0
Mike Kline commented:
Another good link here: http://blogs.technet.com/b/seanearp/archive/2007/10/06/windows-server-2008-fine-grained-password-policy-walkthrough.aspx

Sean gives some links to third party tools that make it easier to configure; another good free one is from Specops: http://www.specopssoft.com/documentation/specops-password-policy-basic-documentation

We don't get the GUI natively for FGPP until Windows 8: http://adisfun.blogspot.com/2011/09/windows-server-8-fine-grained-password.html

Thanks

Mike

0
Brian Pierce (Photographer) commented:
No - you can't; you can only have one password policy as such per domain.
In Server 2008, however, you have the ability to implement fine-grained password policies, which can be applied to users/groups (but not OUs); see http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
0
rsnellman (IT Manager, Author) commented:
Can the groups be distro groups or do they need to be security groups?

Also, what kind of issues should I expect if I promote / elevate my forest level to 2008 from 2003 while I still have Server 2003 member servers?

Thanks.
0
Mike Kline commented:
No issues that I know of for member servers. You of course won't be able to add 2003 DCs.

Only works with security groups:

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx

You can link a PSO to other types of groups in addition to global security groups. However, when the RSOP is determined for a user or group, only PSOs that are linked to global security groups or user objects are considered. PSOs that are linked to distribution groups or other types of security groups are ignored.

Thanks

Mike
0
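The shadow-group procedure Shabarinath describes (global security group per OU, membership kept in step with the OU, PSO linked to the group) and Mike's point that only links to global security groups or user objects count toward the resultant policy, worked through as an added PowerShell example. This is not code from the thread or from Microsoft; it assumes the ActiveDirectory module that ships with Server 2008 R2 (or RSAT), Domain Admins rights, a domain functional level of Windows Server 2008, and placeholder names for the OU (`OU=Finance,DC=corp,DC=example`), the shadow group and the PSO.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory
# module, Domain Admins rights, domain functional level Windows Server 2008.
# OU path, group name and PSO name are placeholders.
Import-Module ActiveDirectory

$OuPath      = "OU=Finance,DC=corp,DC=example"   # placeholder OU
$ShadowGroup = "PSO-Finance-Shadow"              # placeholder shadow group
$PsoName     = "Finance-PSO"                     # placeholder PSO name

function Sync-ShadowGroup {
    param([string]$OU, [string]$GroupName)

    # The shadow group must be a *global security* group: PSOs linked to
    # distribution groups or to domain-local/universal groups are ignored
    # when the resultant policy for a user is computed.
    $group = Get-ADGroup -Filter { Name -eq $GroupName } -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                             -Path $OU -PassThru
    }

    # Desired membership = every user currently under the OU (subtree).
    $wanted  = Get-ADUser -Filter * -SearchBase $OU -SearchScope Subtree |
               Select-Object -ExpandProperty DistinguishedName
    $current = Get-ADGroupMember -Identity $group |
               Where-Object { $_.objectClass -eq 'user' } |
               Select-Object -ExpandProperty DistinguishedName

    # Users moved into the OU are added, users moved out are removed. Running
    # this on a schedule covers the "update membership when a user moves" step.
    $toAdd    = $wanted  | Where-Object { $current -notcontains $_ }
    $toRemove = $current | Where-Object { $wanted  -notcontains $_ }
    if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

    return $group
}

function Set-OuPasswordPolicy {
    param([string]$Name, $Group)

    # Lower Precedence wins when a user is covered by more than one PSO.
    # Values below are illustrative settings, not a recommendation from the thread.
    $pso = Get-ADFineGrainedPasswordPolicy -Filter { Name -eq $Name } -ErrorAction SilentlyContinue
    if (-not $pso) {
        $pso = New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
            -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
            -MinPasswordLength 12 -PasswordHistoryCount 24 `
            -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 42) `
            -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30) -PassThru
    }

    # Link the PSO to the shadow group (msDS-PSOAppliesTo), once.
    if ($pso.AppliesTo -notcontains $Group.DistinguishedName) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $Group
    }
    return $pso
}

function Get-EffectivePolicy {
    param([string]$SamAccountName)

    # Resultant PSO for one user. No output means the Default Domain Policy
    # applies, which is exactly what you see if the link went to a
    # distribution group or a non-global security group.
    $user = Get-ADUser -Identity $SamAccountName
    return Get-ADUserResultantPasswordPolicy -Identity $user
}

# Usage: sync the group, attach the PSO, then check the first member.
$group = Sync-ShadowGroup -OU $OuPath -GroupName $ShadowGroup
$pso   = Set-OuPasswordPolicy -Name $PsoName -Group $group
Get-ADGroupMember -Identity $group | Select-Object -First 1 | ForEach-Object {
    Get-EffectivePolicy -SamAccountName $_.SamAccountName |
        Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
}
```

Run `Sync-ShadowGroup` as a scheduled task so the group tracks OU moves; `Get-ADUserResultantPasswordPolicy` is the check to run after any change, since a PSO that shows up in ADSI Edit but returns nothing here is linked to the wrong kind of group.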
rsnellman (IT Manager, Author) commented:
Mike,
Nice blog about FGPP. You mentioned that the Domain Functional Level needs to be at least 2008, but what about the Forest Functional Level? Does it need to be at least 2008 too?

Thanks again.
0
rsnellman (IT Manager, Author) commented:
Also, Mike, your blog links mention the limitations of FGPP before Server 2008 via ADSI Edit. So, was this FGPP available before 2008 showed up? Or am I reading that wrong?
0
Mike Kline commented:
For FGPP it's just the domain functional level. I think you were reading that wrong; it became available with Windows 2008.

Thanks

Mike
0
Mike Kline commented:
Quick follow up: a nice page that outlines the features you get in the various domain and forest functional levels. I have this one bookmarked/saved:

http://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(WS.10).aspx

Thanks

Mike
0
Brian Pierce (Photographer) commented:
Following up on your comments: FGPP cannot be applied to distribution groups (neither can anything else).
Domain Functional Level MUST be 2008.
Forest Functional Level can be 2003 or 2008.
FGPP are not available prior to 2008 (there were some third party bolt-ons which could provide similar functionality).
0