Correctly Applying Password Expiry GPO in Exchange 2003

We need some clarification on the correct way to apply a password policy against users in Active Directory in Exchange 2003.

We are in a situation where we have an existing policy expiring passwords at 90 days, etc., applied at...

           <sustrans OU>
                     <computers OU> *Here*

This seems to be designed to affect all AD users so their passwords expire at 90 days, and some complexity settings.

Why do you apply a password policy against computers, rather than users?

We have a scenario whereby we need to apply a test GPO where passwords expire every day. We've applied this test GPO to an OU where the original GPO is not inherited and placed a test PC within.

Which policy expires my user password? In theory the test laptop is going to tell me that the password is expired tomorrow, but my desktop, which is in the <computers OU>, doesn't think the password will expire until it reaches the age limit of 90 days.

Mike Kline Commented:
The policy that is linked at the domain level is what applies to user accounts. A policy linked at the OU level only applies to local accounts on that computer.

In 2008 domain functional level and higher, Microsoft introduced fine-grained passwords to help deal with this issue (can link PSOs to different users/groups).

In 2003 not much you can do natively to have different policies.  There are some third party tools that can help if you want different policies.
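
To check the behaviour described in the answer above, this added example (not part of the original thread) reads the domain-wide `maxPwdAge` and a user's `pwdLastSet` over LDAP and computes the expiry date. The parameter name and its default of the current logged-on user are assumptions.

```powershell
# Added example: a domain user's expiry is computed from the DOMAIN object's maxPwdAge,
# so this gives the same answer from any PC, whatever GPO is linked to that PC's OU.
param([string]$SamAccountName = $env:USERNAME)   # assumption: default to current user

# Refuse characters that would change the meaning of the LDAP filter below.
if ($SamAccountName -notmatch '^[\w.\- $]+$') { throw "Unexpected characters in account name" }

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext

# Domain-wide maximum password age: 100-ns ticks, stored as a negative Int64.
$domSearch = New-Object System.DirectoryServices.DirectorySearcher
$domSearch.SearchRoot  = [ADSI]"LDAP://$domainDn"
$domSearch.SearchScope = 'Base'
$domSearch.Filter      = '(objectClass=*)'
[void]$domSearch.PropertiesToLoad.Add('maxPwdAge')
$maxPwdAgeTicks = [int64]$domSearch.FindOne().Properties['maxpwdage'][0]

# When the user last changed the password, plus the account flags.
$userSearch = New-Object System.DirectoryServices.DirectorySearcher
$userSearch.SearchRoot = [ADSI]"LDAP://$domainDn"
$userSearch.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
[void]$userSearch.PropertiesToLoad.Add('pwdLastSet')
[void]$userSearch.PropertiesToLoad.Add('userAccountControl')
$user = $userSearch.FindOne()
if (-not $user) { throw "User '$SamAccountName' not found in $domainDn" }

$pwdLastSet = [int64]$user.Properties['pwdlastset'][0]
$uac        = [int]$user.Properties['useraccountcontrol'][0]
$DONT_EXPIRE_PASSWORD = 0x10000

if ($uac -band $DONT_EXPIRE_PASSWORD) {
    "$SamAccountName : password never expires (account flag set)"
} elseif ($maxPwdAgeTicks -eq 0 -or $maxPwdAgeTicks -eq [int64]::MinValue) {
    "$SamAccountName : domain policy has no maximum password age"
} elseif ($pwdLastSet -eq 0) {
    "$SamAccountName : must change password at next logon"
} else {
    $maxAge  = [TimeSpan]::FromTicks([Math]::Abs($maxPwdAgeTicks))
    $expires = [DateTime]::FromFileTime($pwdLastSet) + $maxAge
    "Domain max password age : {0} days" -f $maxAge.Days
    "Password last set       : {0}" -f [DateTime]::FromFileTime($pwdLastSet)
    "Password expires        : {0}" -f $expires
}
```

Running it from the test PC and from a desktop in the other OU should print the same expiry date for the same domain user.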



Will Szymkowski, Senior Solution Architect, Commented:
What Mike has said is correct. The only way you could create another password policy in 2003 AD is if you created a child domain and used this domain as your "test" domain. You can then create policies in this domain and they will not affect the production forest root domain. I would consider this if you have no future plans to move to 2008 or higher.

Hope this helps