Solved

AD Password Policy

Posted on 2014-03-06
Last Modified: 2014-12-11
Hi all,
We currently have default domain policy managing password policy. Problem is we need to increase the policy. We have MANY OUs that break out locations. How can I deploy a Password Policy and ONLY apply it to certain OUs for the PASSWORD POLICY and it not be overwritten by Default Domain Policy? I have tried a GPO under a specific OU and Blocking inheritance but it doesn't work for Password Policy?
Question by:dmanisit
12 Comments
 

Author Comment

by:dmanisit
ID: 39910653
The reason for only applying to certain OUs is to take BABY steps on the policy to eliminate help desk calls.
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 500 total points
ID: 39910671
Password policy cannot really be set individually by OU using the standard GPO methods. This is a holdover from the 2003 world. That being said, if you are on 2008 domain function level you could take a look at implementing PSO instead.

There is a little bit more work than the standard domain password policy so make sure to read through and understand the steps.

http://www.brandonlawson.com/active-directory/creating-fine-grained-password-policies/
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39910681
Which operating system do you have?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39910750
If you are at 2008 DFL and can use FGPP that Joe mentioned you can make life easier by standing up one Windows 8 box or Windows 2012 box with the RSAT tools installed.

You can use the GUI in AD Administrative Center and that is much easier than the ADSI method in 2008. More on that here:

http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx

Thanks

Mike
0
 

Author Comment

by:dmanisit
ID: 39910754
We are running Server 2008 R2; however, for some reason we are still at a Server 2003 AD level.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 39910762
You probably have some 2003 R2 domain controllers out there. You can't raise function level until all domain controllers are at that level, in this case 2008.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39910765
There are third party tools that can help in 2003: http://www.specopssoft.com/products/specops-password-policy

In your case I'd check why you haven't raised the DFL/FFL and then do that and go from there.

Thanks

Mike
0
 

Author Comment

by:dmanisit
ID: 39910780
Thank you everyone, not the answers I wanted to hear. But I will look into the 3rd party tools.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39911944
I wonder what answer you would like to have heard?
P.policies don't apply to OUs, neither do PSOs.

The third party tools will all work with groups, just like PSOs. I can recommend http://anixis.com/products/ppe/download.htm which extends Windows' capabilities by using a dictionary check, keyboard pattern check and many more. Very customizable, lightweight, easy to learn and use.
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39912323
Indeed, it is a limitation of 2003 that you cannot have multiple password policies.
You need to upgrade to 2008 functional level to enjoy the privilege of group level password policies.
0
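
The approach the answers above describe (a PSO at 2008 domain functional level, applied through a group because PSOs do not link to OUs), shown as an added example that is not from any poster in this thread. The OU DN, group name, PSO name and policy values are placeholders, and it assumes the ActiveDirectory PowerShell module from RSAT.

```powershell
# Added example: every name, DN and policy value here is a placeholder.
Import-Module ActiveDirectory

$ouDn      = 'OU=Site-A,DC=example,DC=com'   # pilot OU (placeholder)
$groupName = 'PSO-Pilot-SiteA'               # shadow group mirroring the OU
$psoName   = 'PSO-Pilot-Stronger'            # fine-grained policy name

# PSOs require the domain functional level to be Windows Server 2008 or higher.
$mode = (Get-ADDomain).DomainMode
if ($mode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level is $mode; raise it before creating PSOs."
}

# Create the stricter policy. The lowest Precedence wins if several PSOs apply.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 12 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -ReversibleEncryptionEnabled $false

# A PSO applies to users or global security groups, never to an OU,
# so create a group that shadows the OU and attach the PSO to it.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Sync group membership with the OU (rerun on a schedule as users move).
$inOu     = @(Get-ADUser -Filter * -SearchBase $ouDn -SearchScope Subtree)
$inGroup  = @(Get-ADGroupMember -Identity $groupName)
$ouDns    = @($inOu    | ForEach-Object { $_.DistinguishedName })
$groupDns = @($inGroup | ForEach-Object { $_.DistinguishedName })
$toAdd    = @($inOu    | Where-Object { $groupDns -notcontains $_.DistinguishedName })
$toRemove = @($inGroup | Where-Object { $ouDns    -notcontains $_.DistinguishedName })
if ($toAdd)    { Add-ADGroupMember    -Identity $groupName -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false }

# Verify: report which policy each pilot user actually resolves to.
# Get-ADUserResultantPasswordPolicy returns nothing when only the
# Default Domain Policy applies.
$inOu | ForEach-Object {
    $rp = Get-ADUserResultantPasswordPolicy -Identity $_
    New-Object PSObject -Property @{
        User       = $_.SamAccountName
        AppliedPso = $(if ($rp) { $rp.Name } else { '(default domain policy)' })
    }
}
```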
 

Author Closing Comment

by:dmanisit
ID: 40494141
Thanks
0
