?
Solved

windwos 2008 R2 Password policy question

Posted on 2014-07-25
13
Medium Priority
?
205 Views
Last Modified: 2014-10-07
Here's my question, what happens in the following?

1.) Default domain password policy is undefined

2.) create a new password policy at a computer OU. And password policy is defined with length of 8 chars required

3.) move 6 workstations into this OU.

When the password refreshes what happens? Will people creating passwords in 6 machines in the OU be required to use 8 character passwords?

WIll the domain password policy override the OU password policy?

From what I understand of precedence, the OU policy should be processed last and therefore override the settings at the domain level.
0
Comment
Question by:iamuser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 3
  • +2
13 Comments
 
LVL 59

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 668 total points
ID: 40220476
The password policy attached to the OU would have no effect. While precedence would normally play a part, password policies are unique in this regard. The only way to have a password policy other than the default domain policy is to attach it to a user object directly, and even that is only supported on newer domains. Check out "fine grained password policies" on TechNet for more details.
0
 

Author Comment

by:iamuser
ID: 40220492
I am currently using fine grain password policy but then reading about precedence and I didn't remember if the OU policy would take effect or not
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 664 total points
ID: 40220530
The only password policy that has any effect is the default domain policy. All others (except FGPP) have no effect.
0
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

 
LVL 56

Expert Comment

by:McKnife
ID: 40221436
What will happen is that this policy becomes effective on those computers in the OU. Consequence: all local accounts on those computers will have to follow these restrictions. On domain accounts changed from these computers this has of course no effect. The domain accounts are at the DC that is not affected by this policy, that's why.

It would be interesting to know what you are trying to do.
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 40225706
on a side note, I believe when you apply a password policy to an ou if affects the workstations local password criteria.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40225722
Nope.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40225723
Oh yes it does.
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40225748
Workstation passwords are already highly complex and are changed relatively often. Linking a policy to an OU doesn't change how AD handles workstation passwords.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40225762
This is not what I meant (and compdigit repeated). The local password policy doesn't influence the workstation pw, how could it, the workstation is a domain member. We are talking about local accounts.
0
 

Author Comment

by:iamuser
ID: 40231652
my issue is this,

Default domain password policy - undefined

OU password policy - is defined

Local password policy - default

Now what happens to the servers and workstations in the domain when GPO is processed? What is the password policy of the servers & workstations?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40231697
Once more :)
What will happen is that this policy becomes effective on those computers in the OU. Consequence: all local accounts on those computers will have to follow these restrictions. On domain accounts changed from these computers this has of course no effect. The domain accounts are at the DC that is not affected by this policy, that's why.

It would be interesting to know what you are trying to do.
0
 

Author Comment

by:iamuser
ID: 40231743
I already have the Fine Grain Password Policy in place because i wanted to have 2 different password policy. I was wondering if there was an option to do this using regular group policy.

Since 'undefined' meant nothing was changed (neither disable or enable) then perhaps the OU password policy would be allowed to take effect. But I guess what you're saying is that Windows will only apply one password policy and by default it will always be the password policy in the default GPO
0
 
LVL 56

Accepted Solution

by:
McKnife earned 668 total points
ID: 40232532
Using regular group policy this is not possible for domain accounts, only for local accounts (you could have as many local password policies as you have PCs).
For domain accounts, only the DDP counts, together with eventually applied PSOs.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses
Course of the Month10 days, 12 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question