Password Group policy by AD Group

CMCITD used Ask the Experts™
We are going to implement password complexities on our domain and would like to deploy this out slowly by AD Groups. With Server 2008 R2 can I create the policy and link this to my end user OU and slowly add the AD Groups that I want the policy to apply to until eventually having the whole domain on the same password policy? I have read that the only way to accomplish this is to go through configuring the Granular Password Settings using ADSI Edit which I am not totally familiar with.

Blogger and wearer of all hats.
Look at using Specops Password Policy Basic GUI.

It gives you a GUI to the ADSI edits.
Top Expert 2013

You want to search for fine-grained passwords. With FGPP you still can't link a different password settings object (think of it as a policy) to an OU, but you can link it to groups and users.

step by step here


Here's an example PSO

Common Name: My Domain Admins PSO
msDS-PasswordSettingsPrecedence: 1
msDS-PasswordReversibleEncryptionEnabled: False
msDS-PasswordHistoryLength: 30
msDS-PasswordComplexityEnabled: True
msDS-MinimumPasswordLength: 15
msDS-MinimumPasswordAge: 1:00:00:00
msDS-MaximumPasswordAge: 45:00:00:00
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: 0:01:00:00
msDS-LockoutDuration: 1:00:00:00

I don't like typing in a Distinguished name at "More Attributes". Instead click on the new object you created and browse for your user or security group through AppliesTo.

I hope this helps.
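
The staged rollout asked about in the question, as an added example that is not part of the original thread: it creates the PSO from the answer with the ActiveDirectory module cmdlets that ship with Server 2008 R2 instead of ADSI Edit, then links it to one wave of groups at a time. The group name `PwdPolicy-Wave1` and the user `jdoe` are hypothetical placeholders.

```powershell
# Added example: stage a fine-grained password policy (PSO) by group.
# Requires the ActiveDirectory module and a Windows Server 2008 (or higher) domain functional level.
Import-Module ActiveDirectory

$psoName     = 'My Domain Admins PSO'   # name taken from the example PSO above
$pilotGroups = @('PwdPolicy-Wave1')     # hypothetical group names, one rollout wave
$testUser    = 'jdoe'                   # hypothetical member of a wave group

# Create the PSO once, with the values from the example PSO.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 1 `
        -ReversibleEncryptionEnabled $false -PasswordHistoryCount 30 `
        -ComplexityEnabled $true -MinPasswordLength 15 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '45.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '0.01:00:00' `
        -LockoutDuration '1.00:00:00' -PassThru
}

# Subjects already linked, so a re-run only adds the new wave.
$linked = @(Get-ADFineGrainedPasswordPolicySubject -Identity $pso |
            Select-Object -ExpandProperty DistinguishedName)

foreach ($name in $pilotGroups) {
    $group = Get-ADGroup -Identity $name
    # A PSO takes effect only through users and global security groups.
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        Write-Warning "$name is $($group.GroupScope)/$($group.GroupCategory); skipped"
        continue
    }
    if ($linked -notcontains $group.DistinguishedName) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
    }
}

# Confirm which PSO wins for a user; no output means the Default Domain Policy applies.
Get-ADUserResultantPasswordPolicy -Identity $testUser |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

To bring in the next wave, add its group names to `$pilotGroups` and run the script again; groups that are already linked are left alone.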
