Solved

Password Policy - Default Domain Policy

Posted on 2014-03-24
Last Modified: 2014-03-26
Our Default Domain Policy has the following configured for Account Policies/Password Policy:

Enforce Password History = 0 passwords remembered
Maximum password age = 0 days

I would like to set password history to = 10 and maximum password age to = 183.

I don't want to configure this on the Default Domain Policy Object but rather I created a separate GPO and applied it to the OUs that need to have this policy enforced.  However, since the Default Domain Policy is higher in the hierarchy, the GPO I created doesn't get applied.

How can I get around this?  One thought I had was to set the Enforce password history and Maximum password age to not configured on the default domain policy and enable them on the GPO I created.

I was hesitant to make this change so I thought I'd ask here first before making the change.

Is there any danger in setting "Enforce password history" & "Maximum password age" to not configured on the Default Domain Policy?
Question by:tnims
7 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 167 total points
ID: 39951068
You won't be able to; password policy behaves differently, since password policies are set at the domain level.  A policy linked at an OU will only affect local machine accounts.

I notice you have 2008 listed.  If your domain functional level is 2008 or higher you can use fine-grained password policies (FGPP):

http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

FGPP can be applied to different users/groups (still not to an OU).  You can find more on FGPP by searching on that term.

Thanks

Mike
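One way to get the asker's values (history 10, maximum age 183 days) onto a subset of users without touching the Default Domain Policy is a PSO created from PowerShell, shown here as an added example that is not part of the thread. It assumes the ActiveDirectory RSAT module on a domain at 2008 functional level or higher; the PSO name, group name, user name and the lockout and minimum-length values are placeholders chosen for the example.

```powershell
# Added example, not from the thread: create a fine-grained password policy (PSO)
# and apply it to a global security group. PSOs override the domain-level
# Account Policies for their subjects, so the Default Domain Policy can stay as is.
Import-Module ActiveDirectory

$psoName   = 'PSO-Standard-Users'   # placeholder PSO name
$groupName = 'Standard-Users'       # placeholder global security group

# Lower precedence wins when a user is covered by more than one PSO.
# History and max age are the asker's values; the rest are placeholders.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -PasswordHistoryCount 10 `
    -MaxPasswordAge (New-TimeSpan -Days 183) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Subjects must be users or global security groups; an OU cannot be a subject.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Check which policy actually governs a member (placeholder sAMAccountName).
# If no PSO applies, this returns the domain-level policy instead.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```

Run the last cmdlet for a user outside the group as well to confirm they still get the domain policy; that contrast shows the PSO is doing the work rather than a GPO link.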
 
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 333 total points
ID: 39951095
You need to set the required options in the domain-level policy; it's by design.

No matter how many policies you create at the OU level, only domain-level password policies will apply.
 
LVL 54

Expert Comment

by:McKnife
ID: 39951166
You don't have to link it at the domain head (please try it if you don't believe it), but you need to use a policy that is targeted at the OU where the DCs are.
If you need different policies for different people, you need to deploy PSOs. Those require the domain and forest functional level to be server 2008 or higher.
LVL 36

Expert Comment

by:Mahesh
ID: 39951184
Hi McKnife,

Sorry, I am unable to understand your comment; not sure where the OU containing the DCs comes into the picture here.

If you could please explain....
 
LVL 54

Expert Comment

by:McKnife
ID: 39951204
I am saying that it is a misconception to think the password policy has to be linked to the domain head. That's simply not true. It needs to be applied to the DCs, that's all, so we can use the Default Domain Policy, the Default Domain Controllers Policy or any policy we like, as long as it is linked to the OU where the DCs are and is not overridden.
 
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 333 total points
ID: 39951259
What you are saying is true up to Windows 2000.
In Windows 2000, password policies are read-only at the domain level. The policy must be applied to the domain controllers for the policy to be applied. If you initiate a password change for a domain password from anywhere in the domain, the change actually occurs on a domain controller.
http://support.microsoft.com/kb/269236

With Windows 2003 and above, this behaviour changed:
The policy settings under Account Policies are implemented at the domain level. A Windows Server 2003 domain must have a single password policy, account lockout policy, and Kerberos version 5 authentication protocol policy for the domain. Configuring these policy settings at any other level in Active Directory will only affect local accounts on member servers. If there are groups that require separate password policies, they should be segmented into another domain or forest, based on any additional requirements.

For domain accounts, there can be only one account policy per domain. The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from a Group Policy object (GPO) linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if there is a different account policy applied to the organizational unit (OU) that contains the domain controller.

http://technet.microsoft.com/en-us/library/cc757692(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc875814.aspx

Mahesh
 
LVL 54

Expert Comment

by:McKnife
ID: 39951397
You are right, Mahesh, I remembered incorrectly. Sorry for creating confusion!
What might have been the source of my mistake is that there is also the local policy at the DC (the one configurable via secpol.msc), which is in effect if you decide not to configure anything at the domain level in order not to influence local accounts at the clients, but only domain accounts.