Password Policy - Default Domain Policy

Posted on 2014-03-24
Medium Priority
Last Modified: 2014-03-26
Our Default Domain Policy has the following configured for Account Policies/Password Policy:

Enforce Password History = 0 passwords remembered
Maximum password age = 0 days

I would like to set password history to 10 and maximum password age to 183.

I don't want to configure this on the Default Domain Policy Object; rather, I created a separate GPO and applied it to the OUs that need to have this policy enforced. However, since the Default Domain Policy is higher in the hierarchy, the GPO I created doesn't get applied.

How can I get around this? One thought I had was to set the Enforce password history and Maximum password age settings to Not Configured on the Default Domain Policy and enable them on the GPO I created.

I was hesitant to make this change so I thought I'd ask here first before making the change.

Is there any danger in setting "Enforce password history" & "Maximum password age" to Not Configured on the Default Domain Policy?
Question by:tnims
LVL 57

Accepted Solution

Mike Kline earned 668 total points
ID: 39951068
You won't be able to; password policy behaves differently, because password policies are set at the domain level. The policy linked at an OU will only affect local machine accounts.

I notice you have 2008 listed. If your domain functional level is 2008 or higher, you can use fine-grained password policies (FGPP).

FGPP can be applied to different users/groups (still not to an OU). You can find more on FGPP by searching on that term.
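As an added example (not code from Mike Kline's answer or anywhere else in this thread), this is how the FGPP route looks with the ActiveDirectory PowerShell module: inspect what the domain-level policy currently enforces, create a PSO with the history and age values from the question, bind it to a global security group, and verify the resultant policy for one member. The group name, PSO name, user name and the lockout/length values are placeholders; a domain functional level of 2008 or higher and RSAT are assumed.

```powershell
# Added example, not from the thread. Assumes RSAT (ActiveDirectory module),
# domain functional level 2008+, and an existing global security group
# named 'PwdPolicy-Standard' (placeholder name).
Import-Module ActiveDirectory

# 1. What the domain-level (Default Domain Policy) settings enforce today.
#    This is the policy every domain account falls back to when no PSO applies.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object PasswordHistoryCount, MaxPasswordAge, MinPasswordLength, ComplexityEnabled

# 2. Create the PSO once. Precedence: the lowest number wins when a user is
#    covered by several PSOs. All password/lockout attributes are mandatory on
#    a PSO object, so the ones not named in the question are placeholder values.
$psoName = 'PSO-History10-Age183'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -PasswordHistoryCount 10 `
        -MaxPasswordAge (New-TimeSpan -Days 183) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 12 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30)
}

# 3. Bind the PSO to a group. PSOs apply to users and global security groups,
#    never to OUs, which is why an OU-linked GPO cannot do this job.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'PwdPolicy-Standard'

# 4. Verify the policy that actually governs a member of that group
#    (placeholder account name). Returns the PSO, not the domain policy, if it applied.
Get-ADUserResultantPasswordPolicy -Identity 'placeholder.user' |
    Select-Object Name, Precedence, PasswordHistoryCount, MaxPasswordAge
```

Accounts not covered by any PSO keep the Default Domain Policy values, so the domain-level settings still act as the floor for the rest of the domain.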


LVL 38

Assisted Solution

Mahesh earned 1332 total points
ID: 39951095
You need to set the required options in the domain-level policy; it's by design.

No matter how many policies you create at the OU level, only domain-level password policies will apply.
LVL 56

Expert Comment

ID: 39951166
You don't have to link it at the domain head (please try it, if you don't believe it), but you need to use a policy that is targeted at the OU the DCs are in.
If you need different policies for different people, you need to deploy PSOs. Those require the domain and forest functional level to be Server 2008 or higher.
LVL 38

Expert Comment

ID: 39951184
Hi McKnife,

Sorry, I'm unable to understand your comment; not sure where the OU containing DCs came into the picture here.

If you could please explain...
LVL 56

Expert Comment

ID: 39951204
I am saying that it is a misconception to think the password policy has to be linked to the domain head. That's simply not true. It needs to be applied to the DCs, that's all, so we can use the Default Domain Policy, the Default Domain Controllers Policy or any policy we like, as long as it is linked to the OU the DCs are in and is not overridden.
LVL 38

Assisted Solution

Mahesh earned 1332 total points
ID: 39951259
What you are saying is true up to Windows 2000.
In Windows 2000, password policies are read-only at the domain level. The policy must be applied to the domain controllers for the policy to be applied. If you initiate a password change for a domain password from anywhere in the domain, the change actually occurs on a domain controller.

With Windows 2003 and above this behaviour has changed.
The policy settings under Account Policies are implemented at the domain level. A Windows Server 2003 domain must have a single password policy, account lockout policy, and Kerberos version 5 authentication protocol policy for the domain. Configuring these policy settings at any other level in Active Directory will only affect local accounts on member servers. If there are groups that require separate password policies, they should be segmented into another domain or forest, based on any additional requirements.

For domain accounts, there can be only one account policy per domain. The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from a Group Policy object (GPO) linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if there is a different account policy applied to the organizational unit (OU) that contains the domain controller.


LVL 56

Expert Comment

ID: 39951397
You are right, Mahesh, I remembered incorrectly. Sorry for creating confusion!
What might have been the source of my mistake is that there is also the local policy at the DC (the one configurable via secpol.msc), which is in effect if you decide not to configure anything at the domain level in order not to influence local accounts at the clients, but only domain accounts.
