How can I apply / enforce password policies at an individual OU level?

Hi, I am at a point where I can finally apply/enforce password policies in my domain.

I have all DCs running Server 2008 R2 now, and most of my users' domain PCs are running Windows 7 Enterprise (Pro) in my environment. However, I do still have some Windows XP Pro domain PCs and several Server 2003 member servers.

I need to enforce password policies (i.e. password complexity, lockouts, max password expiry, etc.) on individual OUs.

I heard this is possible now with Server 2008 (Group Policy Preferences), but I'm not sure how to go about it.

Also, will I have issues enforcing these individual OU password policies with Windows XP Pro domain PCs, if they are up-to-date (i.e. SP3, etc.)?

Any help is greatly appreciated.

Thanks in advance.
rsnellman, IT Manager, Asked:

Shabarinath Ramadasan, Infrastructure Architect, Commented:
Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. The domain functional level must be Windows Server 2008.

Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a shadow group.

A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.

Source -

Good luck
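The shadow-group approach described above, as an added example (not code from the thread or from any of the posters). It uses the ActiveDirectory PowerShell module that ships with Server 2008 R2. The OU path, group name, PSO name and policy values are assumptions chosen for illustration; replace them with your own. Beyond the steps in the answer, it also re-syncs the shadow group's membership with the OU on every run (the maintenance step the answer warns about when users move between OUs) and finishes by reporting the resultant PSO for each user, which is how you confirm the policy is actually in effect rather than falling back to the domain default.

```powershell
# Added example, not part of the original thread.
# Assumed names: adjust $ouDN, $groupName and $psoName for your domain.
Import-Module ActiveDirectory

$ouDN      = "OU=Finance,DC=example,DC=local"   # assumed OU to cover
$groupName = "PSO-Finance-Users"                # assumed shadow group (global security)
$psoName   = "PSO-Finance"                      # assumed PSO name

# 1. FGPP requires the domain functional level to be Windows Server 2008 or higher.
$domain = Get-ADDomain
$required = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $required) {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2008 first."
}

# 2. Create the shadow group if it does not exist. It must be a GLOBAL SECURITY group;
#    PSOs linked to distribution groups or other scopes are ignored when RSOP is computed.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $ouDN -Description "Shadow group mapped to $ouDN for FGPP" -PassThru
}

# 3. Create the PSO if it does not exist. Values below are assumed illustrative settings.
#    Lower Precedence wins when a user is covered by more than one PSO.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 12 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

# 4. Link the PSO to the shadow group (skip if already linked).
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Select-Object -ExpandProperty DistinguishedName
if ($subjects -notcontains $group.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# 5. Sync group membership with the OU: add users now in the OU, remove users who left it.
#    Run this on a schedule so moved users pick up (or lose) the policy automatically.
$ouUsers = Get-ADUser -Filter * -SearchBase $ouDN -SearchScope Subtree |
    Select-Object -ExpandProperty DistinguishedName
$members = Get-ADGroupMember -Identity $groupName |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty DistinguishedName

$toAdd    = $ouUsers | Where-Object { $members -notcontains $_ }
$toRemove = $members | Where-Object { $ouUsers -notcontains $_ }
if ($toAdd)    { Add-ADGroupMember    -Identity $groupName -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false }

# 6. Verify: the resultant policy per user. $null means no PSO applies and the
#    Default Domain Policy password settings are in effect for that user.
foreach ($dn in $ouUsers) {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $dn
    $effective = if ($rsop) { $rsop.Name } else { "(none: Default Domain Policy)" }
    "{0} -> {1}" -f $dn, $effective
}
```

Run it from a domain-joined machine with RSAT or directly on a 2008 R2 DC as a member of Domain Admins (or an account delegated rights on the Password Settings Container). Step 6 is the check worth keeping: a user who still reports "(none: Default Domain Policy)" after the sync is either outside the OU, not a direct member of a global security group linked to the PSO, or covered only by a link that AD ignores, such as one on a distribution group.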

Mike Kline Commented:
Another good link here

Sean gives some links to third party tools that make it easier to configure, another good free one is from specops

We don't get the GUI natively for FGPP until Windows 8



Brian Pierce, Photographer, Commented:
No - you can't; you can only have one password policy as such per domain.
In server 2008 however you have the ability to implement fine-grained password policies which can be applied to users/groups (but not OUs), see

rsnellman, IT Manager, Author Commented:
Can the groups be distro groups or do they need to be security groups?

Also, what kind of issues should I expect if I promote / elevate my forest level to 2008 from 2003 while I still have Server 2003 member servers?

Mike Kline Commented:
No issues that I know of for member servers. You of course won't be able to add 2003 DCs.

Only works with security groups

You can link a PSO to other types of groups in addition to global security groups. However, when the RSOP is determined for a user or group, only PSOs that are linked to global security groups or user objects are considered. PSOs that are linked to distribution groups or other types of security groups are ignored.


rsnellman, IT Manager, Author Commented:
Nice blog about FGPP. You mentioned that the Domain Functional Level needs to be at least 2008, but what about the Forest Functional Level? Does it need to be at least 2008 too?

Thanks again.
rsnellman, IT Manager, Author Commented:
Also, Mike, your blog link's mention was about the limitations of FGPP before Server 2008 via ADSIEdit. So, was this FGPP available before 2008 showed up? Or am I reading that wrong?
Mike Kline Commented:
For FGPP, just the domain functional level. I think you were reading that wrong; it became available with Windows 2008.


Mike Kline Commented:
Quick follow up: a nice page that outlines the features you get in the various domain and forest functional levels. I have this one bookmarked/saved.


Brian Pierce, Photographer, Commented:
Following up your comments: FGPP cannot be applied to distribution groups (neither can anything else).
Domain Functional Level MUST be 2008.
Forest Functional Level can be 2003 or 2008.
FGPP are not available prior to 2008 (there were some third party bolt-ons which could provide similar functionality).