Solved

AD Password Policy

Posted on 2014-03-06
12
85 Views
Last Modified: 2014-12-11
Hi all,
We currently have default domain policy managing password policy. Problem is we need to increase the policy. We have MANY O.U's that break out locations. How can I deploy a Password Policy and ONLY apply it to certain OU's for the PASSWORD POLICY and it not be over written by Default Domain Policy? I have tried a GPO under a specific OU and Blocking inheritance but it doesnt work for Password Policy?
0
Comment
Question by:dmanisit
  • 4
  • 2
  • 2
  • +3
12 Comments
 

Author Comment

by:dmanisit
ID: 39910653
The reason for only applying to certain OU's is to take BABY steps on the policy to eliminate help desk calls
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 500 total points
ID: 39910671
Password policy can not really be set individually by ou using the standard GPO methods. This is a holdover from the 2003 world. That being said if you are on 2008 domain function level you could take a look at implementing PSO instead.

There is a little bit more work than the standard domain password policy so make sure to read through and understand the steps.

http://www.brandonlawson.com/active-directory/creating-fine-grained-password-policies/
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39910681
Which Operating system do you have ?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39910750
If you are at 2008 DFL and can use FGPP that Joe mentioned you can make life easier by standing up one Windows 8 box or Windows 2012 box with the RSAT tools installed.

You can use the GUI in AD Administrative Center and that is much easier than the ADSI method in 2008.  More on that here

http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx

Thanks

Mike
0
 

Author Comment

by:dmanisit
ID: 39910754
wea re running Server 2008 R2 however for some reason we are still at a Server 2003 AD level
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 39910762
You probably have some 2003 r2 domain controllers out there. You can't reside function level until all domain controllers are at that leve in this case 2008.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39910765
There are thrid party tools that can help in 2003  http://www.specopssoft.com/products/specops-password-policy

In your case I'd check why you haven't raised the DFL/FFL and then do that and go from there.

Thanks

Mike
0
 

Author Comment

by:dmanisit
ID: 39910780
Thank you everyone, not the answers i wanted to hear. But I will look into the 3rd party tools
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39911944
I wonder what answer you would like to have heard?
P.policies don't apply to OUs, neither do PSOs.

The third party tool will all work with groups, just like PSOs. I can recommend http://anixis.com/products/ppe/download.htm which extends windows' capabilities by using a dictionary check, keyboard pattern check and many more. Very customizable, lightweight, easy to learn and use.
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39912323
indeed, it is a limitation of 2003 that you can not have multiple password policies.
You need to upgrade to 2008 functional level to enjoy privilege of group level password policies.
0
 

Author Closing Comment

by:dmanisit
ID: 40494141
Thanks
0

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now