
Password policy in AD: applying it to users only

Our AD is 2008 R2 level and Forest is 2008 R2 Level.

I know I can apply a password GPO on an OU that contains staff workstations.

I also know that I can apply a domain wide password GPO that affects all users.

What I need to do is apply a password policy to an OU that contains users. Is it possible to do?

Applying it to all workstations would be a problem since I have temps and interns and they share computers with the full-time staff. Temps/interns are using generic accounts.

Applying it domain wide would be an issue since some of those accounts are used for services.
Asked: iamuser

2 Solutions
Mike KlineCommented:
No, you can't do that. I notice the topic area is 2008. Is your functional level at 2008 or higher? If so, you can use fine-grained password policies:

http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

With FGPP you still can't link a new GPO for users to an OU but you can assign a different password policy to users/groups.

There are also third-party tools like Specops and others that can help, but FGPP works well.

Thanks

Mike
 
Will SzymkowskiSenior Solution ArchitectCommented:
As Mike has already stated you cannot link a GPO to an OU to apply password policies. If you do this it will only apply to the local machine if computers are in that OU. FGPP is the only other method to accomplish this using a single Forest/Domain.

Once you have created your FGPP you can view it using PowerShell. Use the syntax below to accomplish this:

Get-ADFineGrainedPasswordPolicy -Filter * | ft

The command above will list all of the FGPPs you have set up in your environment and will also show what OUs you have applied them to. If you have a lot of different password policies, this is a handy way to check where they are applied and to get statistics on them.

Will.
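The FGPP approach Mike and Will describe, as an added example that is not from any of the answers above: it creates a PSO, applies it to a global security group of staff users (service accounts outside the group keep the Default Domain Policy), and checks the resultant policy for one member. The group, PSO and user names are placeholders.

```powershell
# Added example: create a fine-grained password policy (PSO), assign it to a
# group of user accounts, and verify which policy a member actually receives.
# Requires the ActiveDirectory module (RSAT) and domain functional level 2008+.
# 'Staff-Password-Policy', 'Staff-Users' and 'jdoe' are placeholder names.
Import-Module ActiveDirectory

# 1. Create the PSO. Precedence: the lowest number wins when a user is covered
#    by more than one PSO; any applied PSO overrides the Default Domain Policy.
New-ADFineGrainedPasswordPolicy -Name 'Staff-Password-Policy' `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 10 `
    -LockoutObservationWindow '0.00:15:00' `
    -LockoutDuration '0.00:15:00' `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# 2. Apply it to a global security group holding the staff accounts.
#    PSOs can be applied only to users and global security groups, not to OUs,
#    which is why an OU-linked password GPO does not do what the question asks.
Add-ADFineGrainedPasswordPolicySubject -Identity 'Staff-Password-Policy' -Subjects 'Staff-Users'

# 3. Confirm who the PSO applies to, and what one member actually gets
#    (Get-ADUserResultantPasswordPolicy resolves precedence for that user).
Get-ADFineGrainedPasswordPolicySubject -Identity 'Staff-Password-Policy' |
    Select-Object Name, ObjectClass
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Format-List Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# 4. List every PSO with its subjects, the check Will describes above, expanded.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo |
    Format-Table -AutoSize
```

A user not covered by any PSO (for example a service account left out of the group) shows the domain policy in step 3, which is the quickest way to confirm the exclusion McKnife describes.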
 
Mike KlineCommented:
By the way, I should have mentioned this before, but if you use FGPP I'd recommend at least one Windows 8 or 2012 box for managing FGPP. The GUI in AD Admin Center makes it much easier to work with. More on that:

http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx

Note: You don't have to use the GUI, but it just makes it easier.

Thanks

Mike
 
McKnifeCommented:
You can carry out several measures to make your life easier:
- PSOs (already mentioned).
- You could set passwords for accounts you want excluded from any policy and then set those to never expire. Using ADUC as domain admin, password policies don't need to be fulfilled.
- For services, configure service accounts (http://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx; these are accounts that change their passwords automatically) or use the system account. Remember, on domain-joined computers, the system account may act over the network as well.

Another comment on the statement "you cannot link a GPO to an OU to apply password policies": of course you can. The password policy for domain accounts needs to be applied to the domain controllers (as it's a computer policy, and the DCs are the only computers where it is effective for domain accounts, since the DCs hold the passwords), so we can either link it to the OU "Domain Controllers" or link it to the domain head (or use some default policy already linked there, like the Default Domain Policy or Default Domain Controllers Policy).
