New Password GPO Question

BrianVan
BrianVan used Ask the Experts™
on
All,

  I can't believe I am spacing on this but I need to ask.  I am creating a new GPO for a password policy for my windows 2008 r2 domain.   The settings are under the Computer Configuration portion of the policy so when I apply it to my domain, do I apply it to the xxxx.com\mybusiness\Users OU or the xxxx.com\mybusiness\Computers OU?  Also, will it automatically force those who are not compliant to change their passwords or do I need to manually set their accounts to change it? Many thanks
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2013
Commented:
Password policies are a special case.  They have to be linked at the domain level.  You can also use the default domain policy for it.  I

I see you have 2008.  On a domain functional 2008 domain you can also use fine grained password policies (FGPP) if you want different policies for a different set of users/groups.

What settings are you setting?  

Thanks

Mike

Author

Commented:
Just the basics.  They don't currently have a policy.  Oh, if an account has 'password never expires' marked, they won't have to change it correct?  Many thanks
Brian PiercePhotographer
Awarded 2007
Top Expert 2008
Commented:
If you want different password policies for different sets of users you can use granular (sometimes called fine-grained)  password policies. http://kpytko.pl/2012/11/09/fine-grained-password-policy-in-windows-server-20082008r2/

By default a domain has a basic password policy attached to the domain. If users have the password does not expire option set then that prevails over the setting in the policy.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial