Solved

AD Password Policy

Posted on 2014-03-06
12
94 Views
Last Modified: 2014-12-11
Hi all,
We currently have default domain policy managing password policy. Problem is we need to increase the policy. We have MANY O.U's that break out locations. How can I deploy a Password Policy and ONLY apply it to certain OU's for the PASSWORD POLICY and it not be over written by Default Domain Policy? I have tried a GPO under a specific OU and Blocking inheritance but it doesnt work for Password Policy?
0
Comment
Question by:dmanisit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +3
12 Comments
 

Author Comment

by:dmanisit
ID: 39910653
The reason for only applying to certain OU's is to take BABY steps on the policy to eliminate help desk calls
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 500 total points
ID: 39910671
Password policy can not really be set individually by ou using the standard GPO methods. This is a holdover from the 2003 world. That being said if you are on 2008 domain function level you could take a look at implementing PSO instead.

There is a little bit more work than the standard domain password policy so make sure to read through and understand the steps.

http://www.brandonlawson.com/active-directory/creating-fine-grained-password-policies/
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39910681
Which Operating system do you have ?
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 39910750
If you are at 2008 DFL and can use FGPP that Joe mentioned you can make life easier by standing up one Windows 8 box or Windows 2012 box with the RSAT tools installed.

You can use the GUI in AD Administrative Center and that is much easier than the ADSI method in 2008.  More on that here

http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx

Thanks

Mike
0
 

Author Comment

by:dmanisit
ID: 39910754
wea re running Server 2008 R2 however for some reason we are still at a Server 2003 AD level
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 39910762
You probably have some 2003 r2 domain controllers out there. You can't reside function level until all domain controllers are at that leve in this case 2008.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39910765
There are thrid party tools that can help in 2003  http://www.specopssoft.com/products/specops-password-policy

In your case I'd check why you haven't raised the DFL/FFL and then do that and go from there.

Thanks

Mike
0
 

Author Comment

by:dmanisit
ID: 39910780
Thank you everyone, not the answers i wanted to hear. But I will look into the 3rd party tools
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39911944
I wonder what answer you would like to have heard?
P.policies don't apply to OUs, neither do PSOs.

The third party tool will all work with groups, just like PSOs. I can recommend http://anixis.com/products/ppe/download.htm which extends windows' capabilities by using a dictionary check, keyboard pattern check and many more. Very customizable, lightweight, easy to learn and use.
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39912323
indeed, it is a limitation of 2003 that you can not have multiple password policies.
You need to upgrade to 2008 functional level to enjoy privilege of group level password policies.
0
 

Author Closing Comment

by:dmanisit
ID: 40494141
Thanks
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question