Windows 2008 R2 Password policy question

Here's my question, what happens in the following?

1.) Default domain password policy is undefined

2.) create a new password policy at a computer OU. And password policy is defined with length of 8 chars required

3.) move 6 workstations into this OU.

When the password refreshes what happens? Will people creating passwords in 6 machines in the OU be required to use 8 character passwords?

Will the domain password policy override the OU password policy?

From what I understand of precedence, the OU policy should be processed last and therefore override the settings at the domain level.
iamuser Asked:

Cliff Galiher Commented:
The password policy attached to the OU would have no effect. While precedence would normally play a part, password policies are unique in this regard. The only way to have a password policy other than the default domain policy is to attach it to a user object directly, and even that is only supported on newer domains. Check out "fine grained password policies" on TechNet for more details.
0
iamuser (Author) Commented:
I am currently using fine-grained password policy, but then I was reading about precedence and I didn't remember if the OU policy would take effect or not.
0
Brian Pierce (Photographer) Commented:
The only password policy that has any effect is the default domain policy. All others (except FGPP) have no effect.
0

McKnife Commented:
What will happen is that this policy becomes effective on those computers in the OU. Consequence: all local accounts on those computers will have to follow these restrictions. On domain accounts changed from these computers this has of course no effect. The domain accounts are at the DC that is not affected by this policy, that's why.

It would be interesting to know what you are trying to do.
0
compdigit44 Commented:
On a side note, I believe when you apply a password policy to an OU it affects the workstation's local password criteria.
0
Cliff Galiher Commented:
Nope.
0
McKnife Commented:
Oh yes it does.
0
Cliff Galiher Commented:
Workstation passwords are already highly complex and are changed relatively often. Linking a policy to an OU doesn't change how AD handles workstation passwords.
0
McKnife Commented:
This is not what I meant (and compdigit repeated). The local password policy doesn't influence the workstation pw, how could it, the workstation is a domain member. We are talking about local accounts.
0
iamuser (Author) Commented:
My issue is this:

Default domain password policy - undefined

OU password policy - is defined

Local password policy - default

Now what happens to the servers and workstations in the domain when GPO is processed? What is the password policy of the servers & workstations?
0
McKnife Commented:
Once more :)
What will happen is that this policy becomes effective on those computers in the OU. Consequence: all local accounts on those computers will have to follow these restrictions. On domain accounts changed from these computers this has of course no effect. The domain accounts are at the DC that is not affected by this policy, that's why.

It would be interesting to know what you are trying to do.
0
iamuser (Author) Commented:
I already have the Fine-Grained Password Policy in place because I wanted to have 2 different password policies. I was wondering if there was an option to do this using regular group policy.

Since 'undefined' meant nothing was changed (neither disabled nor enabled), then perhaps the OU password policy would be allowed to take effect. But I guess what you're saying is that Windows will only apply one password policy and by default it will always be the password policy in the default GPO.
0
McKnife Commented:
Using regular group policy this is not possible for domain accounts, only for local accounts (you could have as many local password policies as you have PCs).
For domain accounts, only the DDP counts, together with eventually applied PSOs.
0
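
A way to check the behaviour discussed in this thread, added here as an example and not posted by any participant: the first function reports which policy governs a domain account (a PSO if one applies, otherwise the domain policy), and the second reads the local account policy on a member computer, which is what a GPO linked to a computer OU changes. It assumes the ActiveDirectory module (RSAT) is available and English `net accounts` output; `jdoe` and the function names are placeholders.

```powershell
# Added example. Requires the ActiveDirectory module; written to run on PowerShell 2.0.
Import-Module ActiveDirectory

function Get-EffectiveDomainPasswordPolicy {
    param([Parameter(Mandatory = $true)][string]$Identity)

    # A PSO (fine-grained password policy) that applies to the user, directly
    # or through group membership, takes priority. $null means none applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($pso) {
        $source = "PSO: $($pso.Name)"
        $policy = $pso
    } else {
        # No PSO: the domain-wide password policy is the only one that counts.
        # A GPO linked to an OU is never consulted for domain accounts.
        $source = 'Domain password policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    New-Object PSObject -Property @{
        User               = $Identity
        Source             = $source
        MinPasswordLength  = $policy.MinPasswordLength
        ComplexityEnabled  = $policy.ComplexityEnabled
        PasswordHistory    = $policy.PasswordHistoryCount
        MaxPasswordAge     = $policy.MaxPasswordAge
        LockoutThreshold   = $policy.LockoutThreshold
    }
}

function Get-LocalMinPasswordLength {
    # On a member workstation or server, 'net accounts' reports the policy of
    # the local SAM, i.e. the one applied to local accounts by computer GPOs.
    # (On a domain controller it reports the domain policy instead.)
    $line = net accounts | Select-String -Pattern 'Minimum password length'
    if ($line) { ($line.Line -split ':')[1].Trim() }
}

# Domain account: shows PSO or domain policy, regardless of the computer's OU.
Get-EffectiveDomainPasswordPolicy -Identity 'jdoe' | Format-List

# Run on one of the workstations in the OU after 'gpupdate /force':
"Local minimum password length: $(Get-LocalMinPasswordLength)"
```

Comparing the two outputs on a workstation inside the OU shows the local value following the OU-linked GPO while the domain account's values stay unchanged.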


Question has a verified solution.
