?
Solved

Password Policy - Default Domain Policy

Posted on 2014-03-24
7
Medium Priority
?
1,510 Views
Last Modified: 2014-03-26
Our Default Domain Policy has the following configured for Account Policies/Password Policy:

Enforce Password History = 0 passwords remembered
Maximum password age = 0 days

I would like to set password history to = 10 and maximum password age to = 183.

I don't want to configure this on the Default Domain Policy Object but rather I created a separate GPO and applied to the OUs that need to have this policy enforce.  However, since the Default Domain Policy is higher in the hierarchy the GPO I created doesn't get applied.

How can I get around this?  One thought I had was to set the Enforce password history and Maximum password age to not configured on the default domain policy and enable them on the GPO I created.

I was hesitant to make this change so I thought I'd ask here first before making the change.

Is the any danger in setting "Enforce password history" & "Maximum password age" to not configured on the Default Domain policy?
0
Comment
Question by:tnims
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 668 total points
ID: 39951068
You won't be able to, password policy behaves differently, password policies are set at the domain level.  The policy linked at an OU will only affect local machine accounts.

I notice you have 2008 listed.  If your domain functional level is 2008 or higher you can used fine grained password policies (FGPP)  

http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

FGPP can be applied to different users/groups (still not to an OU).  You can find more on FGPP by searching on that term.

Thanks

Mike
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 1332 total points
ID: 39951095
You must need to set required options in domain level policy, its by design

No matter how many policies you create at OU level, only domain level password policies will apply
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39951166
You don't have to link it at the domain head (please try it, if you don't believe it), but you need to use a policy that is targeted at the OU where the DCs are in.
If you need different policies for different people, you need to deploy PSOs. Those require the domain and forest functional level to be server 2008 or higher.
0
Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

 
LVL 37

Expert Comment

by:Mahesh
ID: 39951184
Hi McKnife,

Sorry, unable to understand your comment, not sure where OU containing DCs came in picture here

If you could please explain....
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39951204
I am saying that it is a misconception to think the password policy has to be linked to the domain head. That's simply not true. It needs to be applied to the DCs, that's all, so we can use the default domain policy, the default domain controllers policy or any policy we like as long as it is linked to the OU where the DCs are in and is not overridden.
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 1332 total points
ID: 39951259
What you are saying is true up to windows 2000
In Windows 2000, password policies are read-only at the domain level. The policy must be applied to the domain controllers for the policy to be applied. If you initiate a password change for a domain password from anywhere in the domain, the change actually occurs on a domain controller.
http://support.microsoft.com/kb/269236

With windows 2003 and above this behaviour is changed
The policy settings under Account Policies are implemented at the domain level. A Windows Server 2003 domain must have a single password policy, account lockout policy, and Kerberos version 5 authentication protocol policy for the domain. Configuring these policy settings at any other level in Active Directory will only affect local accounts on member servers. If there are groups that require separate password policies, they should be segmented into another domain or forest, based on any additional requirements.

For domain accounts, there can be only one account policy per domain. The account policy must be defined in the Default Domain Policy or in a new policy that is linked to the root of the domain and given precedence over the Default Domain Policy, which is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from a Group Policy object (GPO)linked to the domain, which by default is the Default Domain Policy GPO. This behavior occurs even if there is a different account policy applied to the organizational unit (OU) that contains the domain controller.

http://technet.microsoft.com/en-us/library/cc757692(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc875814.aspx

Mahesh
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39951397
You are right, Mahesh, I remembered incorrectly. Sorry for creating confusion!
What might have been the source for my fault is that there is also the local policy at the DC (the one configurable via secpol.msc) which is in effect if you decide not to configure anything at the domain level in order not to influence local accounts at the clients, but only domain accounts.
0

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses
Course of the Month10 days, 23 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question