Solved

Password policy in AD- applying it to users only

Posted on 2014-01-24
Last Modified: 2014-01-25
Our AD is 2008 R2 level and Forest is 2008 R2 Level.

I know I can apply a password GPO on an OU that contains staff workstations

I also know that I can apply a domain wide password GPO that affects all users.

What I need to do is apply a password policy to an OU that contains users. Is it possible to do?

Applying it to all workstations would be a problem since I have temps and interns and they share computers with the full time staff. Temps/interns are using generic accounts

Applying it domain wide would be an issue since some of those accounts are used for services.
Question by:iamuser
4 Comments

Assisted Solution by: Mike Kline (LVL 57, earned 250 total points)
ID: 39806740
No, you can't do that. I notice the topic area is 2008. Is your functional level at 2008 or higher? If so, you can use fine-grained password policies:

http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

With FGPP you still can't link a new GPO for users to an OU, but you can assign a different password policy to users/groups.

There are also third-party tools like Specops and others that can help, but FGPP works well.

Thanks

Mike
Accepted Solution by: Will Szymkowski (LVL 53, earned 250 total points)
ID: 39806792
As Mike has already stated, you cannot link a GPO to an OU to apply password policies. If you do this it will only apply to the local machine if computers are in that OU. FGPP is the only other method to accomplish this using a single forest/domain.

Once you have created your FGPP you can view it using PowerShell. Use the below syntax to accomplish this:

Get-ADFineGrainedPasswordPolicy -Filter * | ft

The command above will list all of the FGPPs you have set up in your environment and will also show what OUs you have applied them to. If you have a lot of different password policies this is a handy way to check where they are applied and get statistics on them.

Will.
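Putting the two answers above together, here is an added PowerShell example (not code from the thread or from either expert) that does what the asker actually needs: a PSO cannot be linked to an OU, but it can target a global security group, and that group can be kept in sync with the users OU. It then lists the PSOs the way Will's one-liner does, with the columns that matter, and checks the resultant policy for a single user. The OU path, group name, user name and policy values are placeholders.

```powershell
# Added example, not code from the thread. Creates a fine-grained password
# policy (PSO), scopes it to a group filled from the users OU, and shows which
# policy a DC will actually enforce for a given user. The OU path, group name,
# user name and policy values are assumed placeholders.
Import-Module ActiveDirectory

$staffOU  = 'OU=Staff Users,DC=example,DC=com'   # assumed
$staffGrp = 'StaffUsers'                          # global security group, assumed

# 1. A PSO cannot be linked to an OU, but it can target a global security
#    group, so keep the group in sync with the OU (re-run as a scheduled task).
if (-not (Get-ADGroup -Filter { Name -eq $staffGrp })) {
    New-ADGroup -Name $staffGrp -GroupScope Global -GroupCategory Security -Path $staffOU
}
$ouUsers = Get-ADUser -SearchBase $staffOU -SearchScope Subtree -Filter { Enabled -eq $true }
if ($ouUsers) {
    Add-ADGroupMember -Identity $staffGrp -Members $ouUsers
}

# 2. The PSO itself. Lower Precedence wins when a user falls under several
#    PSOs, so give the deliberately stricter policies the lower numbers.
New-ADFineGrainedPasswordPolicy -Name 'Staff-PSO' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 10 -LockoutObservationWindow '0.00:15:00' -LockoutDuration '0.00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# 3. Scope it. Subjects may only be users or global security groups.
Add-ADFineGrainedPasswordPolicySubject -Identity 'Staff-PSO' -Subjects $staffGrp

# 4. List every PSO with its targets. AppliesTo holds the DNs of the
#    users/groups the PSO is assigned to (not OUs).
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo |
    Format-Table -AutoSize

# 5. Resultant policy for one user after precedence and group nesting are
#    resolved. $null means no PSO applies and the Default Domain Policy does.
$user = 'jdoe'   # assumed
$rsop = Get-ADUserResultantPasswordPolicy -Identity $user
if ($null -eq $rsop) {
    "$user has no PSO; the effective policy is the domain default:"
    Get-ADDefaultDomainPasswordPolicy
} else {
    "$user gets PSO '$($rsop.Name)' (precedence $($rsop.Precedence))"
}
```

Step 5 is the check worth keeping around: a PSO that looks right in the list can still lose to a lower-precedence PSO reaching the same user through another group, and Get-ADUserResultantPasswordPolicy is the only cmdlet that reports what the DC will really enforce.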
Expert Comment by: Mike Kline (LVL 57)
ID: 39806806
By the way, I should have mentioned this before, but if you use FGPP I'd recommend at least one Windows 8 or 2012 box for managing FGPP. The GUI in AD Admin Center makes it much easier to work with. More on that:

http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx

Note:  You don't have to use the GUI but it just makes it easier.

Thanks

Mike
Expert Comment by: McKnife (LVL 54)
ID: 39808835
You can carry out several measures to make your life easier:
- PSOs (have already been mentioned)
- You could set passwords for accounts you want excluded from any policy and then set those to never expire. Using ADUC as domain admin, password policies don't need to be fulfilled.
- For services, configure service accounts (http://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx, accounts that will change their passwords automatically) or use the system account. Remember, on domain-joined computers, the system account may act over the network as well.

Another comment on the statement "you cannot link a GPO to an OU to apply password policies": of course you can. The password policy for domain accounts needs to be applied to the domain controllers (as it's a computer policy, and the DCs are the only computers where it is effective for domain accounts, since the DCs hold the passwords), so we can either link it to the OU "Domain Controllers" or link it to the domain head (or use some default policy already linked there, like the Default Domain Policy or Default Domain Controllers Policy).
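The second and third measures above have a side effect a practitioner wants visible: every account marked "password never expires" is a secret that stops rotating, and service accounts with SPNs are the ones most worth moving onto a managed service account instead. The following is an added PowerShell example, not code from the thread, that audits those exemptions, creates a standalone MSA for one service, and verifies the last point about where the domain password policy is read from and linked. It assumes the RSAT ActiveDirectory and GroupPolicy modules from Windows 8 / Server 2012 or later (the -RestrictToSingleComputer switch is not in the 2008 R2 module; there, New-ADServiceAccount -Name alone creates a standalone MSA); the account and host names are placeholders.

```powershell
# Added example, not part of the original thread. Assumes the Windows 8 /
# Server 2012 (or later) RSAT modules; 'svcBackup' and 'APPSRV01' are assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# (a) Every enabled account exempted from expiry. PasswordLastSet shows how
#     long the secret has really been unchanged; a ServicePrincipalName marks
#     an account used by a service, whose password a domain user can request a
#     Kerberos ticket for and crack offline if it is weak (Kerberoasting).
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
           -Properties PasswordLastSet, ServicePrincipalName |
    Select-Object SamAccountName, PasswordLastSet,
                  @{ n = 'HasSPN'; e = { [bool]$_.ServicePrincipalName } } |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# (b) Standalone managed service account for a service on one host. The host
#     rotates its password automatically (computer-account style, every 30
#     days by default), so the human password policy never has to be relaxed
#     for it and no one needs to know the password at all.
New-ADServiceAccount -Name 'svcBackup' -RestrictToSingleComputer -Enabled $true
Add-ADComputerServiceAccount -Identity 'APPSRV01' -ServiceAccount 'svcBackup'

# Then, on APPSRV01 itself (AD module required there as well):
#   Install-ADServiceAccount -Identity 'svcBackup'
#   Test-ADServiceAccount -Identity 'svcBackup'     # returns True when usable
# and configure the Windows service to log on as DOMAIN\svcBackup$ with an
# empty password.

# (c) Where the domain password policy actually lives: the effective settings
#     are read from the domain head, and the GPO that writes them has to be
#     linked there or at the Domain Controllers OU, as the comment above says.
$domainDN = (Get-ADDomain).DistinguishedName
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, ComplexityEnabled, LockoutThreshold
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced
(Get-GPInheritance -Target "OU=Domain Controllers,$domainDN").GpoLinks |
    Select-Object DisplayName, Enabled, Enforced
```

Run part (a) before and after moving services onto MSAs or PSOs: the goal is for the list to shrink to the handful of accounts you can justify, each with a recent PasswordLastSet and a documented owner.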