Solved

AD Password Policy

Posted on 2014-03-06
Last Modified: 2014-12-11
Hi all,
We currently have default domain policy managing password policy. Problem is we need to increase the policy. We have MANY OUs that break out locations. How can I deploy a Password Policy and ONLY apply it to certain OUs for the PASSWORD POLICY and it not be overwritten by Default Domain Policy? I have tried a GPO under a specific OU and Blocking inheritance but it doesn't work for Password Policy?
Question by:dmanisit
 

Author Comment

by:dmanisit
ID: 39910653
The reason for only applying to certain OU's is to take BABY steps on the policy to eliminate help desk calls
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 500 total points
ID: 39910671
Password policy cannot really be set individually by OU using the standard GPO methods. This is a holdover from the 2003 world. That being said, if you are on 2008 domain function level you could take a look at implementing PSO instead.

There is a little bit more work than the standard domain password policy so make sure to read through and understand the steps.

http://www.brandonlawson.com/active-directory/creating-fine-grained-password-policies/
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39910681
Which Operating system do you have ?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39910750
If you are at 2008 DFL and can use FGPP that Joe mentioned you can make life easier by standing up one Windows 8 box or Windows 2012 box with the RSAT tools installed.

You can use the GUI in AD Administrative Center and that is much easier than the ADSI method in 2008.  More on that here

http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx

Thanks

Mike
0
 

Author Comment

by:dmanisit
ID: 39910754
We are running Server 2008 R2, however for some reason we are still at a Server 2003 AD level
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 39910762
You probably have some 2003 R2 domain controllers out there. You can't raise function level until all domain controllers are at that level, in this case 2008.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39910765
There are third party tools that can help in 2003: http://www.specopssoft.com/products/specops-password-policy

In your case I'd check why you haven't raised the DFL/FFL and then do that and go from there.

Thanks

Mike
0
 

Author Comment

by:dmanisit
ID: 39910780
Thank you everyone, not the answers I wanted to hear. But I will look into the 3rd party tools
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39911944
I wonder what answer you would like to have heard?
P.policies don't apply to OUs, neither do PSOs.

The third party tools will all work with groups, just like PSOs. I can recommend http://anixis.com/products/ppe/download.htm which extends Windows' capabilities by using a dictionary check, keyboard pattern check and many more. Very customizable, lightweight, easy to learn and use.
0
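The PSO approach from the accepted answer, combined with the point above that PSOs attach to groups rather than OUs, can be scripted as a "shadow group" that mirrors one OU. This is an added example, not code from the thread or from Microsoft; the OU path, group name, policy name and all policy values are hypothetical, and it assumes the ActiveDirectory RSAT module and a domain already at 2008 functional level or higher.

```powershell
# Added example. OU path, group name, PSO name and all settings are hypothetical.
Import-Module ActiveDirectory

$ouPath    = 'OU=Site-A,DC=example,DC=com'   # hypothetical pilot OU
$groupName = 'PSO-SiteA-Users'               # hypothetical shadow group
$psoName   = 'PSO-SiteA-Strong'              # hypothetical policy name

# PSOs need the 2008 domain functional level; stop early on a 2000/2003-level domain.
$mode = (Get-ADDomain).DomainMode
if ("$mode" -match '^Windows200[03]') {
    throw "Domain functional level is $mode; PSOs are not available until it is raised."
}

# A PSO links to users or global security groups, never to an OU.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouPath
}

# Create the stricter policy once and link it to the group.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 12 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00' -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# Keep group membership equal to the user accounts under the OU.
# Re-run on a schedule so accounts moved in or out of the OU are picked up.
$ouUsers   = @(Get-ADUser -SearchBase $ouPath -SearchScope Subtree -Filter *)
$members   = @(Get-ADGroupMember -Identity $groupName)
$ouDns     = @($ouUsers | ForEach-Object { $_.DistinguishedName })
$memberDns = @($members | ForEach-Object { $_.DistinguishedName })
$toAdd     = @($ouUsers | Where-Object { $memberDns -notcontains $_.DistinguishedName })
$toRemove  = @($members | Where-Object { $ouDns -notcontains $_.DistinguishedName })
if ($toAdd.Count)    { Add-ADGroupMember -Identity $groupName -Members $toAdd }
if ($toRemove.Count) { Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false }

# Verify: show which PSO wins for each user (empty means the domain policy applies).
$ouUsers | Select-Object SamAccountName,
    @{ n = 'EffectivePSO'; e = { (Get-ADUserResultantPasswordPolicy -Identity $_).Name } }
```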
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39912323
Indeed, it is a limitation of 2003 that you cannot have multiple password policies.
You need to upgrade to 2008 functional level to enjoy the privilege of group level password policies.
0
 

Author Closing Comment

by:dmanisit
ID: 40494141
Thanks
0
