AXISHK
GPO on Windows 2003 & 2008
I have two DCs, Windows 2003 and Windows 2008.
Password Policy is deployed on the domain level and all the servers are grouped under an OU "servers" created under the domain.
The servers have another password policy which is different from the password policy on the domain level. I was told that password policy should be deployed on the domain level. Does it mean that I can't create another password policy and bind it to the server OU? How should I handle this situation?
Tks
ASKER
Under Windows 2003 functional level, I can't create another password policy at OU level, correct?
Can I filter out the password policy bound on the domain level? I.e., this GPO will not apply to the server OU?
ASKER
I have blocked the inheritance on 'Domain Controllers' and 'Servers' OU where the server and controllers are located. Will the password policy be blocked on these two OUs ?
Tks
Password policies ONLY work at the domain level. Password policies will not work on an OU.
ASKER
Understood. But we don't want the policy to affect the servers OU. Can I simply block the inheritance on this OU?
In addition, if I enable "Password never expires" on some accounts, will they still be affected by the Password Policy on the domain level?
Tks
Password-Policy.png
Password never expires negates the domain policy for username password (to include the complexity and duration of the password). So, if you set this for your domain admin account, the domain password policy will be negated for that domain admin account.
ASKER
Last check, can I block password policy by enabling "Password never expires" on a particular OU ?
Tks
It doesn't block the policy, but it overrides the policy, if that makes sense. The policy still exists for the domain. The user account with "password never expires" ignores the domain password policy. Remember the password policy is set on the computer side for ALL users of the computers in the domain, but "Password Never Expires" negates it for that specific user account.
ASKER
Sorry, to clarify my understanding,
If I block the inheritance on the server OU, the password policy linked at the Domain level will not take effect on it, correct?
Tks again.
ASKER
Tks
You could try Fine Grained Password Policy.
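An added example, not part of the original thread: one way to set up and verify the fine-grained password policy suggested above, using the ActiveDirectory PowerShell module. Fine-grained policies attach to users or global security groups rather than OUs and need a domain functional level of Windows Server 2008 or higher; the group name, policy name and all setting values below are hypothetical.

```powershell
# Added example. All names and values are hypothetical placeholders.
Import-Module ActiveDirectory

# Fine-grained password policies need domain functional level 2008 or higher.
$domain = Get-ADDomain
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ($domain.DomainMode -lt $minMode) {
    throw "Functional level is $($domain.DomainMode); $minMode or higher is required."
}

$groupName  = 'Server-Admin-Accounts'   # hypothetical global security group
$policyName = 'PSO-ServerAdmins'        # hypothetical policy (PSO) name

# Create the policy. A lower Precedence value wins when several PSOs apply.
New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' -ReversibleEncryptionEnabled $false

# Link the policy to the group, not to an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# Verify which policy each member actually receives. No result means the
# account falls back to the domain-level password policy.
Get-ADGroupMember -Identity $groupName |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            Account   = $_.SamAccountName
            Policy    = if ($pso) { $pso.Name } else { 'Domain default' }
            MinLength = if ($pso) { $pso.MinPasswordLength }
                        else { (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength }
        }
    }

# List enabled accounts flagged "Password never expires" so they can be reviewed.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, DistinguishedName
```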