Solved

Windows 2008 R2 Password policy question

Posted on 2014-07-25
Last Modified: 2014-10-07
Here's my question, what happens in the following?

1.) Default domain password policy is undefined

2.) Create a new password policy at a computer OU. The password policy is defined with a required length of 8 chars.

3.) Move 6 workstations into this OU.

When the password refreshes what happens? Will people creating passwords in 6 machines in the OU be required to use 8 character passwords?

Will the domain password policy override the OU password policy?

From what I understand of precedence, the OU policy should be processed last and therefore override the settings at the domain level.
Question by:iamuser
13 Comments
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 167 total points
ID: 40220476
The password policy attached to the OU would have no effect. While precedence would normally play a part, password policies are unique in this regard. The only way to have a password policy other than the default domain policy is to attach it to a user object directly, and even that is only supported on newer domains. Check out "fine grained password policies" on TechNet for more details.
0
 

Author Comment

by:iamuser
ID: 40220492
I am currently using a fine-grained password policy, but then I was reading about precedence and didn't remember if the OU policy would take effect or not.
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 166 total points
ID: 40220530
The only password policy that has any effect is the default domain policy. All others (except FGPP) have no effect.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40221436
What will happen is that this policy becomes effective on those computers in the OU. Consequence: all local accounts on those computers will have to follow these restrictions. On domain accounts changed from these computers this has of course no effect. The domain accounts are at the DC that is not affected by this policy, that's why.

It would be interesting to know what you are trying to do.
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 40225706
On a side note, I believe when you apply a password policy to an OU it affects the workstation's local password criteria.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40225722
Nope.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40225723
Oh yes it does.
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40225748
Workstation passwords are already highly complex and are changed relatively often. Linking a policy to an OU doesn't change how AD handles workstation passwords.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40225762
This is not what I meant (and compdigit repeated). The local password policy doesn't influence the workstation pw, how could it, the workstation is a domain member. We are talking about local accounts.
0
 

Author Comment

by:iamuser
ID: 40231652
My issue is this:

Default domain password policy - undefined

OU password policy - is defined

Local password policy - default

Now what happens to the servers and workstations in the domain when GPO is processed? What is the password policy of the servers & workstations?
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40231697
Once more :)
What will happen is that this policy becomes effective on those computers in the OU. Consequence: all local accounts on those computers will have to follow these restrictions. On domain accounts changed from these computers this has of course no effect. The domain accounts are at the DC that is not affected by this policy, that's why.

It would be interesting to know what you are trying to do.
0
 

Author Comment

by:iamuser
ID: 40231743
I already have the Fine Grain Password Policy in place because I wanted to have 2 different password policies. I was wondering if there was an option to do this using regular group policy.

Since 'undefined' meant nothing was changed (neither disabled nor enabled), then perhaps the OU password policy would be allowed to take effect. But I guess what you're saying is that Windows will only apply one password policy, and by default it will always be the password policy in the default GPO.
0
 
LVL 55

Accepted Solution

by:McKnife
McKnife earned 167 total points
ID: 40232532
Using regular group policy this is not possible for domain accounts, only for local accounts (you could have as many local password policies as you have PCs).
For domain accounts, only the DDP counts, together with eventually applied PSOs.
0
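
To check which policy actually governs a domain account versus a local account, as the answers above describe, the following added example (not part of the original thread) queries the domain-wide policy, any resultant PSO, and the local account policy. It assumes the ActiveDirectory PowerShell module is available; `Get-EffectiveDomainPasswordPolicy` is a hypothetical helper name and `jdoe` is a placeholder account.

```powershell
# Added example, not from the thread. Written to work on PowerShell 2.0 (Server 2008 R2).
Import-Module ActiveDirectory

# Hypothetical helper: report which policy a DOMAIN account is subject to.
function Get-EffectiveDomainPasswordPolicy {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # Domain-wide password policy (what the thread calls the DDP).
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy

    # Resultant PSO (fine-grained password policy); $null when no PSO applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName

    if ($pso) {
        $source = "PSO: $($pso.Name)"
        $policy = $pso
    } else {
        $source = 'Default domain policy'
        $policy = $domainPolicy
    }

    New-Object PSObject -Property @{
        Account           = $SamAccountName
        PolicySource      = $source
        MinPasswordLength = $policy.MinPasswordLength
        ComplexityEnabled = $policy.ComplexityEnabled
        MaxPasswordAge    = $policy.MaxPasswordAge
        LockoutThreshold  = $policy.LockoutThreshold
    } | Select-Object Account, PolicySource, MinPasswordLength,
                      ComplexityEnabled, MaxPasswordAge, LockoutThreshold
}

# 'jdoe' is a placeholder; an OU-linked GPO never appears as the source here.
Get-EffectiveDomainPasswordPolicy -SamAccountName 'jdoe'

# List every PSO with its targets; a lower Precedence value ranks higher.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo

# Run on a workstation inside the OU: shows the policy for that machine's
# LOCAL accounts, which is where the OU-linked GPO settings take effect.
net accounts
```

Comparing the `MinPasswordLength` from the first call with the "Minimum password length" line of `net accounts` on a machine in the OU shows the two scopes side by side.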
