• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 354

domain password policies

Is it possible to have more than 1 default domain policy for password policies? If so if you've got 800 domain accounts - how can you determine which users are subject to which domain password policy?
4 Solutions
On AD 2003: Password policies are under Computer Configuration: they apply to computer objects.

You can create a new GPO and either define it at the domain level or at any OU that has the member computers in it. So you can easily disable it if a conflict occurs.

But you may have to assign it a higher priority than the built-in Default domain policy GPO: If two GPOs that have conflicting settings are linked to the same container, the one with higher priority takes precedence (from MS).

However, if you're on AD 2008 functional level, you can use fine-grained password policies and apply them to users.

You can use ADSIedit, PowerShell or ldifde; Microsoft delivers a walkthrough here: http://technet.microsoft.com/library/cc770842.aspx
pma111 (Author) commented:
So if you wanted 2 password policies you'd need to create 2 OUs with each user group in each and then apply that policy at OU level, if you wanted 2 different policies.
On 2008, after you have created your PSO, you target the users or global security groups that you want to apply this PSO to by their Distinguished Name (DN).

Configure the msDS-PsoAppliesTo attribute under Domain\System\Password Settings Container in Active Directory Users and Computers (ensure that Advanced Features is checked).
Will Szymkowski, Senior Solution Architect, commented:
Just to add: if you are using AD 2003 Forest/Domain functional level you cannot simply link a GPO to the root of the domain and apply a password policy. This is only done from the "Default Domain Policy" in the domain. If you apply the password policy to specific OUs when you are using AD 2003 FFL/DFL you will only affect local accounts on the machines that are affected by this policy. This will not affect the domain password policy, as you can only have one.

As for 2008 as stated you need at least a 2008 Forest functional level to accomplish this using PSO.

The classic situation pre Windows Server 2008 was one policy for all. You could set it with the Default Domain Policy (DDP), so it would hit domain users and local user accounts as well. You could also go and configure it in the Default Domain Controllers Policy (DDCP); that way it would have affected only the domain controllers and the accounts stored there. BUT what accounts are stored at the DCs? Well, ALL domain user accounts. So compared to using the DDP, the difference is that this would keep the local accounts' passwords from being restricted.

With the 2008 and later PSOs we can finally add different policies for different users or user groups without looking at the OU structure at all.
There are tools that might help you get started; I liked this one: http://www.parhelia-tools.com/products/ppm/ppm.aspx
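To answer the original question of which of the 800 accounts ends up under which policy, the PSO mechanism described in the answers above can be scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the thread or from any tool linked here; it assumes a 2008 or later domain functional level, RSAT installed, and uses constructed placeholder names ("ServiceAccounts-PSO", group "ServiceAccounts").

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory module
# (RSAT) and a domain at Windows Server 2008 functional level or later.
# "ServiceAccounts-PSO" and the group "ServiceAccounts" are constructed placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Define a stricter PSO for privileged/service accounts. A lower Precedence
#    value wins when a user is covered by more than one PSO.
$pso = Get-ADFineGrainedPasswordPolicy -Filter { Name -eq "ServiceAccounts-PSO" }
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name "ServiceAccounts-PSO" -Precedence 10 `
        -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false -PassThru
}

# 2. Apply it to a global security group. PSOs accept only users and global groups,
#    which is why msDS-PsoAppliesTo holds the group's DN rather than each member.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects "ServiceAccounts"

# 3. Resolve the effective policy for every user. Get-ADUserResultantPasswordPolicy
#    applies PSO precedence (including group membership) and returns nothing when
#    only the Default Domain Policy applies.
$defaultPolicy = Get-ADDefaultDomainPasswordPolicy
$report = Get-ADUser -Filter * -SearchBase $domainDN -Properties Enabled |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            Enabled           = $_.Enabled
            EffectivePolicy   = if ($effective) { $effective.Name } else { "Default Domain Policy" }
            Precedence        = if ($effective) { $effective.Precedence } else { $null }
            MinPasswordLength = if ($effective) { $effective.MinPasswordLength } else { $defaultPolicy.MinPasswordLength }
        }
    }

# 4. Count accounts per effective policy, then export the full mapping for review.
$report | Group-Object EffectivePolicy | Select-Object Name, Count | Format-Table -AutoSize
$report | Export-Csv -Path ".\effective-password-policies.csv" -NoTypeInformation
```

The CSV is the per-account answer; the grouped summary is a quick check that no account silently fell back to the Default Domain Policy because it was added to a group the PSO does not target.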