Override Default Domain Password Policy

Foxglovevol used Ask the Experts™
I have a Win 2008 Domain and have a Group Policy assigned to the root of the domain which sets our default Password Policy for the domain (Length, Age, etc.). This is of course done via the Computer Configuration settings of the GP, not the user settings. I need to override this for a specific user and apply a separate policy for this specific user or group.

I have created a new OU further down the tree and set it to Block Inheritance using GPMC.MSC. I then created a new GP and linked it to the OU. I placed the user in the OU and then replicated using Sites/Services and also waited for an hour, but I am unable to change the password on the account, receiving a message telling me to conform to the default password policy.

I have also used GPMC to assign a DENY permission for the Default Password Policy, but this also didn't work.

Finally I took a specific computer account and moved it into the OU I created with the Block Inheritance setting, then logged into that computer with the user account and tried to change the user's password by using CTRL-ALT-DEL... however I receive the same error telling me to conform to the default user password policy.

I believe that my issue is the fact that the Default Password Policy is applied at the computer configuration level, and not the user level. However, I don't see a way around this except perhaps to apply the default password policy at a lower level than root and put the new OU above it so that the policy wouldn't apply. However, that has some implications to the design of our OUs and GPs that I don't feel are acceptable since I do want this policy to apply to EVERYONE, except the user/group I choose. If I move the Default Policy down and somehow a User/Computer is inadvertently put above it they won't get the appropriate policy.

Any thoughts on how to overcome this obstacle?
Have you considered implementing a fine grained password policy object? It overwrites the domain policy to which the security group or user(s) is applied.


I am unfamiliar with them but will look into it now.
It works great. I'm sure this is what you are looking for.
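
A sketch of the fine-grained password policy (PSO) approach suggested above, added here as an example and not posted by anyone in the thread. PSOs attach to users or global security groups rather than OUs, and require the Windows Server 2008 domain functional level. Assumptions: the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later RSAT) is available; the group name `PSO-Exempt-Users`, the account `jdoe`, the PSO name and all policy values are hypothetical.

```powershell
Import-Module ActiveDirectory

# PSOs are only honoured at the Windows Server 2008 domain functional level or higher.
$oldModes = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
if ($oldModes -contains (Get-ADDomain).DomainMode.ToString()) {
    throw 'Domain functional level is below Windows Server 2008; PSOs will not apply.'
}

# Hypothetical global security group that will receive the separate policy.
New-ADGroup -Name 'PSO-Exempt-Users' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'PSO-Exempt-Users' -Members 'jdoe'   # hypothetical account

# Constructed example values; a lower Precedence number wins when several PSOs apply.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Exempt-Users-Policy' `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00' `
    -ProtectedFromAccidentalDeletion $true

# Link the PSO to the group; the Default Domain Policy still applies to everyone else.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Exempt-Users-Policy' `
    -Subjects 'PSO-Exempt-Users'

# Verify: show the domain default, then the policy that actually wins for the user.
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, MaxPasswordAge
$effective = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
if ($null -eq $effective) {
    Write-Warning 'No PSO applies to jdoe; the domain default policy is in effect.'
} else {
    $effective | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
}
```

`Get-ADUserResultantPasswordPolicy` returns nothing when only the domain default applies, which makes it a quick check that group membership and the PSO link have taken effect.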
