How to enforce a Password Policy in Windows Server 2008 by OU or Groups

Posted on 2012-04-05
Last Modified: 2012-05-02
Hello,

I have an existing AD Structure with GPOs at the root domain. I am enforcing a new Password Policy on Friday and I'd like to know the best way to launch to my users. All users except admins and specific universal user accounts will not need this GPO applied to them.

Group Policy Management is set up by Domain, Location OUs with Department OUs underneath. The specific Universal accounts that I do not want this new GPO to be applied to are listed in almost each location OU and then under department OU, so I'm not sure what the best way is to deny these user accounts the new GPO. These users are not in a single group; their user accounts are located within the OUs.

Thanks,

nimdatx
Question by:nimdatx
4 Comments
 
LVL 3

Expert Comment

by:fjocke
ID: 37812814
Well you are doing the right thing, creating a group which has specific policies.
Let me see if I understood this correctly. You want to divide users: one user group that is going to have to change password, and one group who should need to change password.

If this is indeed the case, you should first create a parent group, which has all the common policies and scripts that both subgroups should have. Now once the parent group is set up, you create two new subgroups: one group called Enforced and one called Special.

Now you go in and alter the GPO on Enforced, and set it so they have to change their password on next login. Whilst on Special, you do not.

Once that is done, you just apply the users to the group you want them. This should work.
If your AD has too many users, use a script and apply the enforced rule to everyone, and then manually change for those who should not :)
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 37812825
You won't be able to deny a group or users from the password policy in the GPO (should be linked to the domain)

In a 2008 domain and higher (2008 domain functional level) you can use fine-grained passwords to have different policies for specific users or groups. You can't link a PSO to an OU though. More on fine-grained passwords here:

http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

You can search around and find a lot of other good articles.

Thanks

Mike
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 37814804
Why not just create a GPO for this password setting and apply it to all Authenticated Users under the security scope at your domain level?
Under the delegation click on the Advanced button and deny read right to your special groups.
This is another way to control the reading of the GPO.  If you deny reading to a certain group or scope it for only a certain group to read then all others do not have the ability to read the setting.

Mike "yo-bee" B
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 37814849
yo-bee, that won't work, you can't deny a group like that; if you were able to, it would have solved a ton of issues over the years (wish you could do it that way).

That works on almost every GPO...password policies are different.

http://technet.microsoft.com/en-us/library/cc875814.aspx

There can be only a single password policy for each account database. An Active Directory domain is considered a single account database, as is the local account database on stand alone computers. Computers that are members of a domain also have a local account database, but most organizations that have deployed Active Directory domains require their users to log on to their computers and the network by using domain-based accounts. Consequently if you specify a minimum password length of 14 characters for a domain, all users in the domain must use passwords of 14 or more characters when they create new passwords. To establish different requirements for a specific set of users, you must create a new domain for their accounts.

...and that is why we got FGPP in 2008

....and coming in Windows 8 a GUI for FGPP   http://adisfun.blogspot.com/2011/09/windows-server-8-fine-grained-password.html


Thanks

Mike
0
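The fine-grained password policy approach Mike describes in both of his comments, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) against a domain at 2008 functional level; the group, PSO and account names are constructed placeholders, and the policy values are illustrative.

```powershell
# Added example: exempt a set of accounts from the domain-wide password policy
# with a Password Settings Object (PSO) instead of GPO security filtering.
# Names and values below are constructed placeholders, not from the thread.
Import-Module ActiveDirectory

$exceptionGroup = 'PSO-PasswordExceptions'        # constructed: global security group
$psoName        = 'PSO-ServiceAndAdminExceptions' # constructed: PSO name

# 1. PSOs bind to users and GLOBAL security groups only, never to OUs, so the
#    accounts scattered across location/department OUs are collected in a group.
if (-not (Get-ADGroup -Filter "Name -eq '$exceptionGroup'")) {
    New-ADGroup -Name $exceptionGroup -GroupScope Global -GroupCategory Security `
        -Description 'Accounts exempt from the standard domain password policy'
}

# 2. Create the PSO. When several PSOs cover one user, the lowest Precedence
#    number wins, and a PSO linked directly to a user beats any group-linked PSO.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true `
        -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -Description 'Illustrative settings for exempted service/admin accounts'
}

# 3. Link the PSO to the group, so future membership changes need no PSO edits.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $exceptionGroup

# 4. Verify the resultant policy per account: this is the real check, since a
#    competing PSO with a lower Precedence value would silently override this one.
foreach ($sam in @('svc-backup', 'adm-jdoe')) {   # constructed sample accounts
    $u = Get-ADUser -Identity $sam -ErrorAction SilentlyContinue
    if (-not $u) { Write-Warning "$sam not found"; continue }
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    if ($pso) { '{0}: {1} (min length {2})' -f $sam, $pso.Name, $pso.MinPasswordLength }
    else      { '{0}: default domain policy' -f $sam }
}
```

Accounts not covered by any PSO keep the Default Domain Policy settings, which is where the new, stricter policy for everyone else belongs.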
