Solved

windwos 2008 R2 Password policy question

Posted on 2014-07-25
13
187 Views
Last Modified: 2014-10-07
Here's my question, what happens in the following?

1.) Default domain password policy is undefined

2.) create a new password policy at a computer OU. And password policy is defined with length of 8 chars required

3.) move 6 workstations into this OU.

When the password refreshes what happens? Will people creating passwords in 6 machines in the OU be required to use 8 character passwords?

WIll the domain password policy override the OU password policy?

From what I understand of precedence, the OU policy should be processed last and therefore override the settings at the domain level.
0
Comment
Question by:iamuser
  • 5
  • 3
  • 3
  • +2
13 Comments
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 167 total points
ID: 40220476
The password policy attached to the OU would have no effect. While precedence would normally play a part, password policies are unique in this regard. The only way to have a password policy other than the default domain policy is to attach it to a user object directly, and even that is only supported on newer domains. Check out "fine grained password policies" on TechNet for more details.
0
 

Author Comment

by:iamuser
ID: 40220492
I am currently using fine grain password policy but then reading about precedence and I didn't remember if the OU policy would take effect or not
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 166 total points
ID: 40220530
The only password policy that has any effect is the default domain policy. All others (except FGPP) have no effect.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 54

Expert Comment

by:McKnife
ID: 40221436
What will happen is that this policy becomes effective on those computers in the OU. Consequence: all local accounts on those computers will have to follow these restrictions. On domain accounts changed from these computers this has of course no effect. The domain accounts are at the DC that is not affected by this policy, that's why.

It would be interesting to know what you are trying to do.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 40225706
on a side note, I believe when you apply a password policy to an ou if affects the workstations local password criteria.
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40225722
Nope.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40225723
Oh yes it does.
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40225748
Workstation passwords are already highly complex and are changed relatively often. Linking a policy to an OU doesn't change how AD handles workstation passwords.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40225762
This is not what I meant (and compdigit repeated). The local password policy doesn't influence the workstation pw, how could it, the workstation is a domain member. We are talking about local accounts.
0
 

Author Comment

by:iamuser
ID: 40231652
my issue is this,

Default domain password policy - undefined

OU password policy - is defined

Local password policy - default

Now what happens to the servers and workstations in the domain when GPO is processed? What is the password policy of the servers & workstations?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40231697
Once more :)
What will happen is that this policy becomes effective on those computers in the OU. Consequence: all local accounts on those computers will have to follow these restrictions. On domain accounts changed from these computers this has of course no effect. The domain accounts are at the DC that is not affected by this policy, that's why.

It would be interesting to know what you are trying to do.
0
 

Author Comment

by:iamuser
ID: 40231743
I already have the Fine Grain Password Policy in place because i wanted to have 2 different password policy. I was wondering if there was an option to do this using regular group policy.

Since 'undefined' meant nothing was changed (neither disable or enable) then perhaps the OU password policy would be allowed to take effect. But I guess what you're saying is that Windows will only apply one password policy and by default it will always be the password policy in the default GPO
0
 
LVL 54

Accepted Solution

by:
McKnife earned 167 total points
ID: 40232532
Using regular group policy this is not possible for domain accounts, only for local accounts (you could have as many local password policies as you have PCs).
For domain accounts, only the DDP counts, together with eventually applied PSOs.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question