Solved

Password policy in AD- applying it to users only

Posted on 2014-01-24
Last Modified: 2014-01-25
Our AD is at 2008 R2 level and the forest is at 2008 R2 level.

I know I can apply a password GPO on an OU that contains staff workstations

I also know that I can apply a domain wide password GPO that affects all users.

What I need to do is apply a password policy to an OU that contains users. Is it possible to do?

Applying it to all workstations would be a problem since I have temps and interns and they share computers with the full-time staff. Temps/interns are using generic accounts.

Applying it domain wide would be an issue since some of those accounts are used for services.
Question by:iamuser
4 Comments
 
Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 39806740
No, you can't do that. I notice the topic area is 2008. Is your functional level at 2008 or higher? If so you can use fine-grained password policies:

http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

With FGPP you still can't link a new GPO for users to an OU but you can assign a different password policy to users/groups.

There are also third-party tools like Specops and others that can help, but FGPP works well.

Thanks

Mike
 
Accepted Solution

by:Will Szymkowski
Will Szymkowski earned 250 total points
ID: 39806792
As Mike has already stated you cannot link a GPO to an OU to apply password policies. If you do this it will only apply to the local machine if computers are in that OU. FGPP is the only other method to accomplish this using a single Forest/Domain.

Once you have created your FGPP you can view it using PowerShell. Use the syntax below to accomplish this:

Get-ADFineGrainedPasswordPolicy -Filter * | ft

The command above will list all of the FGPPs you have set up in your environment and will also show what OUs you have applied them to. If you have a lot of different password policies, this is a handy way to check where they are applied and to get statistics on them.

Will.
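The thread's key point is that a PSO cannot be linked to an OU, only bound to users or global security groups. The following added example (not code from the thread) mirrors an OU's users into a group, creates a PSO, binds it, and then runs the kind of check Will describes, including the resultant policy per account. It assumes the ActiveDirectory module (RSAT, 2008 R2 or later) and placeholder names: OU "OU=Interns,DC=example,DC=local", group "PSO-Interns", PSO "Interns-PSO".

```powershell
# Added example, not code from the thread. PSOs bind to users or global security
# groups, not to OUs, so the OU's membership is mirrored into a group first.
# Assumptions: ActiveDirectory module present; all names below are placeholders.
Import-Module ActiveDirectory

$ou      = 'OU=Interns,DC=example,DC=local'
$group   = 'PSO-Interns'
$psoName = 'Interns-PSO'

# 1. A global security group that tracks the OU; re-run the script to resync it.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
}
$ouUsers = @(Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * |
             Select-Object -ExpandProperty SamAccountName)
$members = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
$missing = $ouUsers | Where-Object { $members -notcontains $_ }
if ($missing) { Add-ADGroupMember -Identity $group -Members $missing }

# 2. The PSO. The lowest Precedence wins when a user falls under several PSOs,
#    and any PSO overrides the Default Domain Policy for the users it is bound to.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 10 -LockoutObservationWindow '0.00:15:00' `
        -LockoutDuration '0.00:15:00' -ReversibleEncryptionEnabled $false
}
$pso     = Get-ADFineGrainedPasswordPolicy -Identity $psoName -Properties AppliesTo
$groupDn = (Get-ADGroup -Identity $group).DistinguishedName
if ($pso.AppliesTo -notcontains $groupDn) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# 3. Verify: which subjects each PSO is bound to ...
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo

# ... and the policy each account actually ends up with. A null result means no
# PSO applies, so the Default Domain Policy is what the DCs enforce for that user.
$domainDefault = Get-ADDefaultDomainPasswordPolicy
foreach ($sam in $ouUsers) {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $sam
    if ($rsop) { $label = $rsop.Name; $minLen = $rsop.MinPasswordLength }
    else       { $label = 'Default Domain Policy'; $minLen = $domainDefault.MinPasswordLength }
    '{0,-20} {1,-22} min length {2}' -f $sam, $label, $minLen
}
```

Run it again whenever the OU changes; the PSO and group creation are skipped if they already exist, and only the membership is resynced.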
 
Expert Comment

by:Mike Kline
ID: 39806806
By the way, I should have mentioned this before, but if you use FGPP I'd recommend at least one Windows 8 or 2012 box for managing FGPP. The GUI in AD Admin Center makes it much easier to work with. More on that:

http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx

Note:  You don't have to use the GUI but it just makes it easier.

Thanks

Mike
 
Expert Comment

by:McKnife
ID: 39808835
You can carry out several measures to make your life easier:
- PSOs (have already been mentioned).
- You could set passwords for accounts you want excluded from any policy and then set those to never expire. Using ADUC as domain admin, password policies don't need to be fulfilled.
- For services, configure managed service accounts (http://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx), which are accounts that change their passwords automatically, or use the system account. Remember, on domain-joined computers the system account may act over the network as well.

Another comment on the statement "you cannot link a GPO to an OU to apply password policies": of course you can. The password policy for domain accounts needs to be applied to the domain controllers (as it's a computer policy, and the DCs are the only computers where it is effective for domain accounts, since the DCs hold the passwords), so we can either link it to the OU "Domain Controllers" or link it to the domain head (or use some default policy already linked there, like the Default Domain Policy or Default Domain Controllers Policy).
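McKnife's last two points, managed service accounts for services and "never expires" for exempted accounts, as an added example that is not code from the thread. It moves a Windows service onto a standalone MSA, whose password AD rotates itself, so the domain policy can be tightened without breaking the service, and then lists the user accounts exempted from expiry so that list can be reviewed. It assumes 2008 R2 DCs (standalone MSA, one computer per account) and placeholder names: svc-backup, APP01, BackupSvc and domain EXAMPLE.

```powershell
# Added example, not code from the thread. Assumptions: 2008 R2 DCs with the
# ActiveDirectory module; svc-backup, APP01, BackupSvc and EXAMPLE are placeholders.
Import-Module ActiveDirectory

$msa    = 'svc-backup'   # standalone MSA names are limited to 15 characters
$server = 'APP01'

# --- run once on a DC or an admin workstation ---
if (-not (Get-ADServiceAccount -Filter "Name -eq '$msa'")) {
    # On 2012 or later DCs add -RestrictToSingleComputer to get a standalone MSA.
    New-ADServiceAccount -Name $msa -Enabled $true
}
# Authorise exactly one computer to install and use this account.
Add-ADComputerServiceAccount -Identity $server -ServiceAccount $msa

# --- run once on APP01 itself (the AD module must be installed there) ---
Install-ADServiceAccount -Identity $msa
Test-ADServiceAccount -Identity $msa          # True once the host can use it
# Run the service as the MSA: the trailing "$" is mandatory and no password is set,
# because the computer retrieves and rotates it like its own machine password.
sc.exe config BackupSvc obj= "EXAMPLE\$msa`$" password= ""

# --- audit: the MSA's state, then every enabled user exempted from expiry ---
Get-ADServiceAccount -Identity $msa -Properties HostComputers, PasswordLastSet |
    Select-Object Name, HostComputers, PasswordLastSet

# Accounts set to "never expire" sit outside every password policy, so the list
# should stay short and each entry should be a known, documented exception.
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
    -Properties PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet
```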