Password policy in AD - applying it to users only

Posted on 2014-01-24
Last Modified: 2014-01-25
Our AD is 2008 R2 level and Forest is 2008 R2 Level.

I know I can apply a password GPO on an OU that contains staff workstations

I also know that I can apply a domain wide password GPO that affects all users.

What I need to do is apply a password policy to an OU that contains users. Is it possible to do?

Applying it to all workstations would be a problem since I have temps and interns and they share computers with the full-time staff. Temps/interns are using generic accounts.

Applying it domain wide would be an issue since some of those accounts are used for services.
Question by: iamuser

Assisted Solution

by: Mike Kline (earned 250 total points)
ID: 39806740
No, you can't do that. I notice the topic area is 2008. Is your functional level at 2008 or higher? If so, you can use fine-grained password policies:

http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

With FGPP you still can't link a new GPO for users to an OU but you can assign a different password policy to users/groups.

There are also third-party tools like Specops and others that can help, but FGPP works well.

Thanks

Mike

Accepted Solution

by: Will Szymkowski (earned 250 total points)
ID: 39806792
As Mike has already stated you cannot link a GPO to an OU to apply password policies. If you do this it will only apply to the local machine if computers are in that OU. FGPP is the only other method to accomplish this using a single Forest/Domain.

Once you have created your FGPP you can view it using PowerShell. Use the syntax below to accomplish this:

Get-ADFineGrainedPasswordPolicy -Filter * | ft

The command above will list all of the FGPPs you have set up in your environment and will also show what OUs you have applied them to. If you have a lot of different password policies this is a handy way to check where they are applied and to get statistics on them.

Will.
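For the procedure described in the two answers above (create a PSO, assign it, then verify), here is an added PowerShell example that is not from the thread; it assumes the ActiveDirectory module is available and uses a hypothetical PSO name, group name and account names. Note that a PSO is applied to users or global security groups rather than to an OU, and that an account matched by no PSO falls back to the Default Domain Policy, which is why the last check matters for service accounts.

```powershell
# Added example, not from the original thread. All names below are hypothetical.
Import-Module ActiveDirectory

$psoName = 'PSO-Interns'               # hypothetical PSO name
$group   = 'Interns-SharedAccounts'    # hypothetical global security group

# 1. Create the PSO. A lower Precedence value wins when a user is covered by
#    several PSOs, so give the stricter policy the lower number.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true `
    -Description 'Stricter policy for shared temp/intern accounts'

# 2. Bind the PSO to the group (PSOs target users and global groups, not OUs).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# 3. List every PSO with its settings and subjects (AppliesTo holds the DNs).
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo

# 4. Resolve the policy that actually governs one member of the group.
Get-ADUserResultantPasswordPolicy -Identity 'intern01' |      # hypothetical user
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge

# 5. Check a service account: no result means no PSO matches it, so the
#    Default Domain Policy applies and the account is NOT exempt.
$rpp = Get-ADUserResultantPasswordPolicy -Identity 'svc-backup'  # hypothetical
if ($null -eq $rpp) {
    'No PSO applies to svc-backup; Default Domain Policy settings govern it.'
} else {
    "svc-backup is governed by PSO '$($rpp.Name)' (precedence $($rpp.Precedence))."
}
```

Run step 4 and 5 for each account class you care about before relying on the PSOs, since membership in several targeted groups silently resolves to the lowest precedence number.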

Expert Comment

by: Mike Kline
ID: 39806806
By the way, I should have mentioned this before, but if you use FGPP I'd recommend at least one Windows 8 or 2012 box for managing FGPP. The GUI in AD Admin Center makes it much easier to work with. More on that here:

http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx

Note: you don't have to use the GUI, but it just makes it easier.

Thanks

Mike

Expert Comment

by: McKnife
ID: 39808835
You can carry out several measures to make your life easier:
- PSOs (have already been mentioned).
- You could set passwords for accounts you want excluded from any policy and then set those to never expire. Using ADUC as domain admin, password policies don't need to be fulfilled.
- For services, configure managed service accounts (http://technet.microsoft.com/en-us/library/dd548356(v=ws.10).aspx), which are accounts that change their passwords automatically, or use the system account. Remember, on domain-joined computers, the system account may act over the network as well.

Another comment on the statement "you cannot link a GPO to an OU to apply password policies": of course you can. The password policy for domain accounts needs to be applied to the domain controllers (as it's a computer policy, and the DCs are the only computers where it is effective for domain accounts, since the DCs hold the passwords), so we can either link it to the OU "Domain Controllers" or link it to the domain head (or use some default policy already linked there, like the Default Domain Policy or Default Domain Controllers Policy).