domain password policies

Is it possible to have more than 1 default domain policy for password policies? If so, and you've got 800 domain accounts, how can you determine which users are subject to which domain password policy?
pma111 Asked:
Numbid Commented:
On AD 2003: password policies are under Computer Configuration; they apply to computer objects.

You can create a new GPO and either define it at the domain level or at any OU that has the member computers in it. So you can easily disable it if a conflict occurs.

But you may have to assign it a higher priority than the built-in Default domain policy GPO: If two GPOs that have conflicting settings are linked to the same container, the one with higher priority takes precedence (from MS).

However, if you're on AD 2008 functional level, you can use fine-grained password policies and apply them to users.

You can use ADSIedit, PowerShell or ldifde; Microsoft delivers a walkthrough here: http://technet.microsoft.com/library/cc770842.aspx
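As an added example (not code from the thread or from Microsoft's walkthrough), the following PowerShell script answers the original question for a domain at Windows Server 2008 functional level or later: it lists the Default Domain Policy and every PSO, then resolves the resultant policy for each domain user and counts how many accounts fall under each. It assumes the ActiveDirectory module (RSAT, or Windows Server 2008 R2 and later); the CSV file name is an assumption.

```powershell
# Added example (not from the original thread): report which password policy governs
# each domain user. Requires the ActiveDirectory module and a domain at Windows Server
# 2008 functional level or higher (otherwise no PSOs can exist and only the default applies).
Import-Module ActiveDirectory

# The one policy every domain account falls back to when no PSO applies (Default Domain Policy).
$defaultPolicy = Get-ADDefaultDomainPasswordPolicy

# All fine-grained policies. When several PSOs target one user, the lowest Precedence value wins.
$psos = Get-ADFineGrainedPasswordPolicy -Filter * -Properties *

"Default domain policy: MinLength={0} MaxAge={1} Complexity={2}" -f `
    $defaultPolicy.MinPasswordLength, $defaultPolicy.MaxPasswordAge, $defaultPolicy.ComplexityEnabled
foreach ($pso in $psos) {
    "PSO {0}: Precedence={1} MinLength={2} AppliesTo={3}" -f `
        $pso.Name, $pso.Precedence, $pso.MinPasswordLength, ($pso.AppliesTo -join ';')
}

# Resultant policy per user. Get-ADUserResultantPasswordPolicy returns the winning PSO,
# or nothing at all when only the Default Domain Policy applies to that account.
$report = Get-ADUser -Filter * | ForEach-Object {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $_
    if ($pso) {
        $policyName = $pso.Name
        $minLength  = $pso.MinPasswordLength
        $maxAge     = $pso.MaxPasswordAge
    } else {
        $policyName = 'Default Domain Policy'
        $minLength  = $defaultPolicy.MinPasswordLength
        $maxAge     = $defaultPolicy.MaxPasswordAge
    }
    New-Object PSObject -Property @{
        SamAccountName = $_.SamAccountName
        Policy         = $policyName
        MinLength      = $minLength
        MaxAge         = $maxAge
    }
}

# Summary: how many of the accounts fall under each policy, then the full per-user detail to CSV
# (file name is an assumption for this example).
$report | Group-Object Policy | Select-Object Name, Count | Format-Table -AutoSize
$report | Export-Csv -Path .\password-policy-by-user.csv -NoTypeInformation
```

Because the resultant policy is computed by the domain controller from the account's PSO links and group memberships, this is the authoritative view; reading the AppliesTo list of each PSO alone would miss users who inherit a PSO through group membership or are covered by more than one PSO.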
pma111 (Author) Commented:
So if you wanted 2 password policies, you'd need to create 2 OUs with each user group in each and then apply that policy at OU level, if you wanted 2 different policies.
Numbid Commented:
On 2008, after you created your PSO, you target the users or global security groups that you want to apply this PSO to by their Distinguished Name (DN).

Configure the msDS-PsoAppliesTo attribute under Domain\System\Password Settings Container in Active Directory Users and Computers (ensure that Advanced Features is checked).
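The same targeting done from PowerShell instead of ADSI Edit, as an added example that is not from the thread: it creates a second, stricter PSO, links it to a global security group (which writes the group's DN into msDS-PSOAppliesTo), and then verifies that the group's members now resolve to the new PSO. The group name, PSO name and settings are placeholders; the domain must be at Windows Server 2008 functional level or higher and the ActiveDirectory module must be available.

```powershell
# Added example (not from the original thread): create a second password policy as a PSO and
# target it at a global security group rather than an OU. Names and values are placeholders.
Import-Module ActiveDirectory

$groupName = 'PrivilegedUsers'        # assumed: an existing global security group
$psoName   = 'PSO-Privileged-14char'  # assumed: name of the new PSO

# Precedence: the lowest number wins if a user ends up under more than one PSO.
# The object is created in CN=Password Settings Container,CN=System,<domain> automatically.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -Description 'Stricter policy for privileged accounts (example placeholder)'

# Link the PSO to the group: this populates msDS-PSOAppliesTo, the same attribute
# edited by hand in ADUC (Advanced Features) or ADSI Edit.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify the link two ways: the resolved subjects, and the raw attribute value (DNs).
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Select-Object Name, ObjectClass, DistinguishedName
(Get-ADFineGrainedPasswordPolicy -Identity $psoName -Properties 'msDS-PSOAppliesTo').'msDS-PSOAppliesTo'

# Confirm that each user in the group now resolves to this PSO instead of the Default Domain Policy.
$members = Get-ADGroupMember -Identity $groupName | Where-Object { $_.objectClass -eq 'user' }
foreach ($member in $members) {
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName
    if ($resultant) { $effective = $resultant.Name } else { $effective = 'Default Domain Policy' }
    "{0} -> {1}" -f $member.SamAccountName, $effective
}
```

Linking to a group rather than to individual users keeps the policy assignment auditable through group membership, and the final loop is the check to run after any change, since a PSO with a worse (higher) precedence than an existing one will silently lose for users covered by both.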
Will Szymkowski (Senior Solution Architect) Commented:
Just to add, if you are using AD 2003 Forest/Domain functional level you cannot simply link a GPO to the root of the domain and apply a password policy. This is only done from the "default domain policy" in the Domain. If you apply the password policy to specific OUs when you are using AD 2003 FFL/DFL you will only affect local accounts on the machines that are affected by this policy. This will not affect the domain password policy, as you can only have one.

As for 2008, as stated, you need at least a 2008 Forest functional level to accomplish this using a PSO.

Will.
McKnife Commented:
The classic situation pre Windows Server 2008 was one policy for all. You could set it with the default domain policy (DDP), so it would hit domain users and local user accounts as well. You could also go and configure it in the default domain controllers policy (DDCP); that way it would have affected only the domain controllers and the accounts stored there. BUT what accounts are stored at the DCs? Well, ALL domain user accounts. So compared to using the DDP, the difference is that this would keep the local accounts' passwords from being restricted.

With the 2008 and later PSOs we can finally add different policies for different users or user groups without looking at the OU structure at all.
There are tools that might help you get started; I liked this one: http://www.parhelia-tools.com/products/ppm/ppm.aspx