Solved

AD Password Policy

Posted on 2014-03-06
Last Modified: 2014-12-11
Hi all,
We currently have default domain policy managing password policy. Problem is we need to increase the policy. We have MANY OUs that break out locations. How can I deploy a Password Policy and ONLY apply it to certain OUs for the PASSWORD POLICY and it not be overwritten by Default Domain Policy? I have tried a GPO under a specific OU and Blocking inheritance but it doesn't work for Password Policy?
Question by:dmanisit
12 Comments
 

Author Comment

by:dmanisit
ID: 39910653
The reason for only applying to certain OU's is to take BABY steps on the policy to eliminate help desk calls
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 1500 total points
ID: 39910671
Password policy cannot really be set individually by OU using the standard GPO methods. This is a holdover from the 2003 world. That being said, if you are on 2008 domain function level you could take a look at implementing PSO instead.

There is a little bit more work than the standard domain password policy so make sure to read through and understand the steps.

http://www.brandonlawson.com/active-directory/creating-fine-grained-password-policies/
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39910681
Which Operating system do you have ?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39910750
If you are at 2008 DFL and can use FGPP that Joe mentioned you can make life easier by standing up one Windows 8 box or Windows 2012 box with the RSAT tools installed.

You can use the GUI in AD Administrative Center and that is much easier than the ADSI method in 2008. More on that here:

http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx

Thanks

Mike
0
 

Author Comment

by:dmanisit
ID: 39910754
We are running Server 2008 R2; however, for some reason we are still at a Server 2003 AD level.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 39910762
You probably have some 2003 R2 domain controllers out there. You can't raise the function level until all domain controllers are at that level, in this case 2008.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39910765
There are third party tools that can help in 2003: http://www.specopssoft.com/products/specops-password-policy

In your case I'd check why you haven't raised the DFL/FFL and then do that and go from there.

Thanks

Mike
0
 

Author Comment

by:dmanisit
ID: 39910780
Thank you everyone, not the answers I wanted to hear. But I will look into the 3rd party tools.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39911944
I wonder what answer you would like to have heard?
P.policies don't apply to OUs, neither do PSOs.

The third party tools will all work with groups, just like PSOs. I can recommend http://anixis.com/products/ppe/download.htm which extends Windows' capabilities by using a dictionary check, keyboard pattern check and many more. Very customizable, lightweight, easy to learn and use.
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39912323
Indeed, it is a limitation of 2003 that you cannot have multiple password policies.
You need to upgrade to 2008 functional level to enjoy the privilege of group level password policies.
0
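
Added example, not code from any poster in this thread: the steps the answers above describe (confirm the domain functional level, create a PSO, target a group because PSOs do not apply to OUs), written with the ActiveDirectory PowerShell module. Mirroring the OU's users into a group is one way to approximate per-OU scope and is an assumption of this example; the OU, group and policy names and all policy values are hypothetical placeholders.

```powershell
# Added example: every name and value below is a hypothetical placeholder.
Import-Module ActiveDirectory

$ouDn       = 'OU=Site-A,DC=example,DC=com'   # hypothetical pilot OU
$groupName  = 'PSO-Pilot-Site-A'              # hypothetical shadow group
$policyName = 'PSO-Pilot-Strong'              # hypothetical PSO name

# 1. PSOs require a domain functional level of Windows Server 2008 or higher.
$domain  = Get-ADDomain
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ($domain.DomainMode -lt $minMode) {
    throw "Domain functional level is $($domain.DomainMode); raise it before creating PSOs."
}

# 2. Create the stricter policy once. The lowest precedence number wins on overlap.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
        -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 10 -LockoutObservationWindow '0.00:15:00' `
        -LockoutDuration '0.00:15:00' -ReversibleEncryptionEnabled $false
}

# 3. PSOs attach to users or global security groups, so mirror the OU into a group.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security -Path $ouDn
}
$inOu     = @(Get-ADUser -SearchBase $ouDn -Filter * | Select-Object -ExpandProperty DistinguishedName)
$inGroup  = @(Get-ADGroupMember -Identity $groupName | Select-Object -ExpandProperty DistinguishedName)
$toAdd    = @($inOu    | Where-Object { $inGroup -notcontains $_ })
$toRemove = @($inGroup | Where-Object { $inOu    -notcontains $_ })
if ($toAdd)    { Add-ADGroupMember    -Identity $groupName -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false }

# 4. Link the PSO to the group unless it is already linked.
$linked = Get-ADFineGrainedPasswordPolicySubject -Identity $policyName |
    Where-Object { $_.Name -eq $groupName }
if (-not $linked) { Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName }

# 5. Verify: report which policy each pilot user actually receives.
foreach ($dn in $inOu) {
    $rp   = Get-ADUserResultantPasswordPolicy -Identity $dn
    $name = if ($rp) { $rp.Name } else { '(default domain policy)' }
    '{0} -> {1}' -f $dn, $name
}
```

Step 3 has to be re-run (for example as a scheduled task) whenever users move in or out of the OU, otherwise the group and the OU drift apart and moved users keep the wrong policy.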
 

Author Closing Comment

by:dmanisit
ID: 40494141
Thanks
0
