How to enforce a Password Policy in Windows Server 2008 by OU or Groups
Hello,
I have an existing AD Structure with GPOs at the root domain. I am enforcing a new Password Policy on Friday and I'd like to know the best way to launch to my users. All users except admins and specific universal user accounts will not need this GPO applied to them.
Group Policy Management is setup by Domain, Location OUs with Department OUs underneath. The specific Universal accounts that I do not want this new GPO to be apply to are listed in almost each location OU and then under department OU, so I'm not sure what the best way to deny these user accounts the new GPO. These users are not in a single Group their user account is located within the OU.
Thanks,
nimdatx
I have an existing AD Structure with GPOs at the root domain. I am enforcing a new Password Policy on Friday and I'd like to know the best way to launch to my users. All users except admins and specific universal user accounts will not need this GPO applied to them.
Group Policy Management is setup by Domain, Location OUs with Department OUs underneath. The specific Universal accounts that I do not want this new GPO to be apply to are listed in almost each location OU and then under department OU, so I'm not sure what the best way to deny these user accounts the new GPO. These users are not in a single Group their user account is located within the OU.
Thanks,
nimdatx
You won't be able to deny a group or users from the password policy in the GPO (should be linked to the domain)
In a 2008 domain and higher (2008 domain functional level) you can use fine grained passwords to have different policies for specific users or groups. You can't link a PSO to an OU though. More on Fine grained passwords here
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
You can search around and fine a lot of other good articles.
Thanks
Mike
In a 2008 domain and higher (2008 domain functional level) you can use fine grained passwords to have different policies for specific users or groups. You can't link a PSO to an OU though. More on Fine grained passwords here
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
You can search around and fine a lot of other good articles.
Thanks
Mike
Why not just create a GPO for this password setting and apply this to all authenticated users under the scope security at your Domain level.
Under the delegation click on the Advanced button and deny read right to your special groups.
This is another way to control the reading of the GPO. If you deny reading to a certain group or scope it for only a certain group to read then all others do not have the ability to read the setting.
Mike "yo-bee" B
Under the delegation click on the Advanced button and deny read right to your special groups.
This is another way to control the reading of the GPO. If you deny reading to a certain group or scope it for only a certain group to read then all others do not have the ability to read the setting.
Mike "yo-bee" B
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Let me see if I understood this correctly. You want two divide users. One user group that are going to have to change password, and one group who should need to change password.
If this is indeed the case, you should first create a parent group, which has all the common policies and scripts that the both undergroups should have. Now once the parent group is setup, you create two new undergroups. One group called Enforced and one called Special.
Now you go in and alter the GPO on enforced, and set so they to change their password on next login. Whilst on Special, you do not.
Once that is done, you just apply the users to the group you want them. This should work.
If your AD have too many users, use a script and apply the enforced rule to everyone, and then manually change for those who should not :)