dmanisit
asked on
AD Password Policy
Hi all,
We currently have the default domain policy managing password policy. The problem is we need to increase the policy. We have MANY OUs that break out locations. How can I deploy a Password Policy and ONLY apply it to certain OUs for the PASSWORD POLICY and not have it be overwritten by the Default Domain Policy? I have tried a GPO under a specific OU and blocking inheritance, but it doesn't work for Password Policy?
Which operating system do you have?
If you are at 2008 DFL and can use FGPP that Joe mentioned you can make life easier by standing up one Windows 8 box or Windows 2012 box with the RSAT tools installed.
You can use the GUI in AD Administrative Center, and that is much easier than the ADSI method in 2008. More on that here:
http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx
Thanks
Mike
ASKER
We are running Server 2008 R2; however, for some reason we are still at a Server 2003 AD level.
You probably have some 2003 R2 domain controllers out there. You can't raise the functional level until all domain controllers are at that level, in this case 2008.
There are third-party tools that can help in 2003: http://www.specopssoft.com/products/specops-password-policy
In your case I'd check why you haven't raised the DFL/FFL and then do that and go from there.
Thanks
Mike
ASKER
Thank you everyone, not the answers I wanted to hear. But I will look into the 3rd-party tools.
I wonder what answer you would like to have heard?
Password policies don't apply to OUs; neither do PSOs.
The third-party tools will all work with groups, just like PSOs. I can recommend http://anixis.com/products/ppe/download.htm which extends Windows' capabilities by using a dictionary check, keyboard pattern check and many more. Very customizable, lightweight, easy to learn and use.
Indeed, it is a limitation of 2003 that you cannot have multiple password policies.
You need to upgrade to the 2008 functional level to enjoy the privilege of group-level password policies.
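The group-level policy (PSO) described in the replies above, as an added PowerShell example that is not part of the original thread. It goes one step further and keeps a "shadow group" in sync with one OU, since a PSO can target groups or users but not an OU. It assumes the ActiveDirectory module (RSAT); the OU path, group name, PSO name and every policy value are hypothetical placeholders.

```powershell
Import-Module ActiveDirectory

# Hypothetical names and values; replace with your own.
$OuDn      = 'OU=Site-A,DC=example,DC=com'   # OU whose users need the stricter policy
$GroupName = 'PSO-Site-A-Users'              # shadow group that mirrors the OU
$PsoName   = 'PSO-Site-A'

# 1. PSOs need a domain functional level of Windows Server 2008 or higher.
$mode   = "$((Get-ADDomain).DomainMode)"
$tooOld = 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain'
if ($tooOld -contains $mode) {
    throw "Domain functional level is $mode; raise it to 2008 or later before creating PSOs."
}

# 2. Create the shadow group and the PSO if they do not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuDn
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' `
        -LockoutObservationWindow '00:30:00' -ReversibleEncryptionEnabled $false
}

# 3. Link the PSO to the group (not to the OU) unless it is already linked.
$subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName |
              ForEach-Object { $_.Name })
if ($subjects -notcontains $GroupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# 4. Sync group membership with the OU: add new users, drop users who moved away.
$inOu      = @(Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter *)
$members   = @(Get-ADGroupMember -Identity $GroupName |
               Where-Object { $_.objectClass -eq 'user' })
$ouDns     = @($inOu    | ForEach-Object { $_.DistinguishedName })
$memberDns = @($members | ForEach-Object { $_.DistinguishedName })
$toAdd     = @($inOu    | Where-Object { $memberDns -notcontains $_.DistinguishedName })
$toRemove  = @($members | Where-Object { $ouDns     -notcontains $_.DistinguishedName })
if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

# 5. Report the policy that actually wins for each user in the OU.
#    No PSO name in the output means the Default Domain Policy still applies.
foreach ($u in $inOu) {
    $rp = Get-ADUserResultantPasswordPolicy -Identity $u
    '{0,-25} {1}' -f $u.SamAccountName, $rp.Name
}
```

Step 4 has to be re-run (for example as a scheduled task) whenever accounts move in or out of the OU, because the PSO follows group membership and not OU location.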
ASKER
Thanks