Solved

Password Policy - Default Domain Policy

Posted on 2014-03-24
7
1,489 Views
Last Modified: 2014-03-26
Our Default Domain Policy has the following configured for Account Policies/Password Policy:

Enforce Password History = 0 passwords remembered
Maximum password age = 0 days

I would like to set password history to = 10 and maximum password age to = 183.

I don't want to configure this on the Default Domain Policy object, but rather I created a separate GPO and applied it to the OUs that need to have this policy enforced. However, since the Default Domain Policy is higher in the hierarchy, the GPO I created doesn't get applied.

How can I get around this? One thought I had was to set Enforce password history and Maximum password age to Not Configured on the Default Domain Policy and enable them on the GPO I created.

I was hesitant to make this change so I thought I'd ask here first before making the change.

Is there any danger in setting "Enforce password history" and "Maximum password age" to Not Configured on the Default Domain Policy?
Question by:tnims
7 Comments
 
LVL 57

Accepted Solution

by: Mike Kline (earned 167 total points)
ID: 39951068
You won't be able to; password policy behaves differently, as password policies are set at the domain level. The policy linked at an OU will only affect local machine accounts.

I notice you have 2008 listed. If your domain functional level is 2008 or higher you can use fine-grained password policies (FGPP):

http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

FGPP can be applied to different users/groups (still not to an OU). You can find more on FGPP by searching on that term.

Thanks

Mike
0
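As an added example (not part of the thread or from any of the posters), the PowerShell below does what Mike suggests: it checks the domain functional level, shows what the Default Domain Policy currently enforces, creates a PSO with the history and maximum-age values tnims asked for, applies it to a group rather than an OU, and verifies the resultant policy for one user. The PSO name, group name, user name, and the settings tnims did not mention (minimum length, minimum age, lockout) are assumptions.

```powershell
# Requires the ActiveDirectory module (RSAT) and rights to create PSOs in
# CN=Password Settings Container,CN=System,<domain>.
Import-Module ActiveDirectory

# 1. FGPP needs a domain functional level of Windows Server 2008 or higher.
$domain = Get-ADDomain
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$minMode) {
    throw "Domain functional level $($domain.DomainMode) is below 2008; FGPP is not available."
}

# 2. What the Default Domain Policy enforces for every domain account today.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object PasswordHistoryCount, MaxPasswordAge, MinPasswordLength, ComplexityEnabled

# 3. Create the PSO (placeholder name). A lower Precedence wins when a user is
#    covered by more than one PSO. Only history (10) and max age (183 days)
#    come from the question; the remaining values are assumed.
$psoName = 'PSO-Standard-Users'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -PasswordHistoryCount 10 `
        -MaxPasswordAge (New-TimeSpan -Days 183) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 12 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
}

# 4. PSOs are applied to users and global security groups, never to OUs
#    (placeholder group name).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Standard-Users'

# 5. Verify what one member actually gets (placeholder user). An empty result
#    means no PSO applies and the Default Domain Policy is still in effect.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, PasswordHistoryCount, MaxPasswordAge
```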
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 333 total points
ID: 39951095
You need to set the required options in the domain-level policy; it's by design.

No matter how many policies you create at the OU level, only domain-level password policies will apply.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39951166
You don't have to link it at the domain head (please try it, if you don't believe it), but you need to use a policy that is targeted at the OU where the DCs are.
If you need different policies for different people, you need to deploy PSOs. Those require the domain and forest functional level to be Server 2008 or higher.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39951184
Hi McKnife,

Sorry, I'm unable to understand your comment; not sure where the OU containing the DCs comes into the picture here.

If you could please explain....
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39951204
I am saying that it is a misconception to think the password policy has to be linked to the domain head. That's simply not true. It needs to be applied to the DCs, that's all, so we can use the Default Domain Policy, the Default Domain Controllers Policy or any policy we like, as long as it is linked to the OU where the DCs are and is not overridden.
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 333 total points
ID: 39951259
What you are saying is true up to Windows 2000:
In Windows 2000, password policies are read-only at the domain level. The policy must be applied to the domain controllers for the policy to be applied. If you initiate a password change for a domain password from anywhere in the domain, the change actually occurs on a domain controller.
http://support.microsoft.com/kb/269236

With Windows 2003 and above, this behaviour changed:
The policy settings under Account Policies are implemented at the domain level. A Windows Server 2003 domain must have a single password policy, account lockout policy, and Kerberos version 5 authentication protocol policy for the domain. Configuring these policy settings at any other level in Active Directory will only affect local accounts on member servers. If there are groups that require separate password policies, they should be segmented into another domain or forest, based on any additional requirements.

For domain accounts, there can be only one account policy per domain. The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from a Group Policy object (GPO) linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if there is a different account policy applied to the organizational unit (OU) that contains the domain controller.

http://technet.microsoft.com/en-us/library/cc757692(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc875814.aspx

Mahesh
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39951397
You are right, Mahesh, I remembered incorrectly. Sorry for creating confusion!
What might have been the source of my mistake is that there is also the local policy at the DC (the one configurable via secpol.msc), which is in effect if you decide not to configure anything at the domain level, in order not to influence local accounts at the clients but only domain accounts.
0
