Solved

Password Policy - Default Domain Policy

Posted on 2014-03-24
Last Modified: 2014-03-26
Our Default Domain Policy has the following configured for Account Policies/Password Policy:

Enforce Password History = 0 passwords remembered
Maximum password age = 0 days

I would like to set password history to = 10 and maximum password age to = 183.

I don't want to configure this on the Default Domain Policy object, but rather I created a separate GPO and applied it to the OUs that need to have this policy enforced. However, since the Default Domain Policy is higher in the hierarchy, the GPO I created doesn't get applied.

How can I get around this? One thought I had was to set "Enforce password history" and "Maximum password age" to Not Configured on the Default Domain Policy and enable them on the GPO I created.

I was hesitant to make this change so I thought I'd ask here first before making the change.

Is there any danger in setting "Enforce password history" and "Maximum password age" to Not Configured on the Default Domain Policy?
Question by:tnims
7 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 167 total points
ID: 39951068
You won't be able to; password policy behaves differently, since password policies are set at the domain level. A policy linked at an OU will only affect local machine accounts.

I notice you have 2008 listed. If your domain functional level is 2008 or higher you can use fine-grained password policies (FGPP):

http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

FGPP can be applied to different users/groups (still not to an OU).  You can find more on FGPP by searching on that term.

Thanks

Mike
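The FGPP approach Mike describes, carried through with the two values from the question, as an added example that is not part of this thread or of Microsoft's documentation. It assumes the ActiveDirectory PowerShell module, Windows Server 2008 domain functional level or higher, and rights to create PSOs; the PSO, group and user names are placeholders.

```powershell
# Added example (not from the thread): create a Password Settings Object (PSO)
# with 10 passwords remembered and a 183-day maximum age, apply it to a global
# security group, and verify which policy a member actually gets.
Import-Module ActiveDirectory

$psoName    = 'PSO-Staff-183d'           # placeholder PSO name
$groupName  = 'GG-PasswordPolicy-Staff'  # placeholder global security group
$sampleUser = 'jdoe'                     # placeholder sAMAccountName to verify

# 1. Create the PSO. The PSO schema requires every one of these attributes, so
#    set each deliberately rather than only the two from the question.
#    Precedence: the lowest number wins when a user falls under several PSOs.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -PasswordHistoryCount 10 `
    -MaxPasswordAge (New-TimeSpan -Days 183) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -Description 'Added example: 10 passwords remembered, 183-day maximum age'

# 2. Target a global security group (PSOs apply to users and global groups,
#    never to OUs). Create the group if it does not exist, then add the user.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $groupName -Members $sampleUser
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# 3. Verify: the resultant policy for the group member should be the PSO.
#    Users outside the group keep the domain-root GPO settings (step 4).
Get-ADUserResultantPasswordPolicy -Identity $sampleUser |
    Select-Object Name, Precedence, PasswordHistoryCount, MaxPasswordAge

# 4. For comparison, the domain-wide policy from the GPO linked at the domain
#    root (the Default Domain Policy unless another root-linked GPO overrides it).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object PasswordHistoryCount, MaxPasswordAge
```

If step 3 still shows the Default Domain Policy values, the user is not a member of the group, or the group is not global; FGPP silently ignores domain-local and universal groups.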
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 333 total points
ID: 39951095
You must set the required options in the domain-level policy; it's by design.

No matter how many policies you create at OU level, only the domain-level password policy will apply.
 
LVL 53

Expert Comment

by:McKnife
ID: 39951166
You don't have to link it at the domain head (please try it, if you don't believe it), but you need to use a policy that is targeted at the OU the DCs are in.
If you need different policies for different people, you need to deploy PSOs. Those require the domain and forest functional level to be Server 2008 or higher.
 
LVL 35

Expert Comment

by:Mahesh
ID: 39951184
Hi McKnife,

Sorry, I am unable to understand your comment; not sure where the OU containing DCs came into the picture here.

If you could please explain....
 
LVL 53

Expert Comment

by:McKnife
ID: 39951204
I am saying that it is a misconception to think the password policy has to be linked to the domain head. That's simply not true. It needs to be applied to the DCs, that's all, so we can use the Default Domain Policy, the Default Domain Controllers Policy or any policy we like, as long as it is linked to the OU the DCs are in and is not overridden.
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 333 total points
ID: 39951259
What you are saying is true up to Windows 2000:
In Windows 2000, password policies are read-only at the domain level. The policy must be applied to the domain controllers for the policy to be applied. If you initiate a password change for a domain password from anywhere in the domain, the change actually occurs on a domain controller.
http://support.microsoft.com/kb/269236

With Windows 2003 and above this behaviour has changed:
The policy settings under Account Policies are implemented at the domain level. A Windows Server 2003 domain must have a single password policy, account lockout policy, and Kerberos version 5 authentication protocol policy for the domain. Configuring these policy settings at any other level in Active Directory will only affect local accounts on member servers. If there are groups that require separate password policies, they should be segmented into another domain or forest, based on any additional requirements.

For domain accounts, there can be only one account policy per domain. The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from a Group Policy object (GPO) linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if there is a different account policy applied to the organizational unit (OU) that contains the domain controller.

http://technet.microsoft.com/en-us/library/cc757692(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc875814.aspx

Mahesh
 
LVL 53

Expert Comment

by:McKnife
ID: 39951397
You are right, Mahesh, I remembered incorrectly. Sorry for creating confusion!
What might have been the source of my mistake is that there is also the local policy at the DC (the one configurable via secpol.msc), which is in effect if you decide not to configure anything at the domain level in order not to influence local accounts at the clients, but only domain accounts.