
Windows 2008 R2 password policy question

Posted on 2014-07-25
Last Modified: 2014-10-07
Here's my question, what happens in the following?

1.) Default domain password policy is undefined

2.) Create a new password policy at a computer OU. And password policy is defined with length of 8 chars required

3.) Move 6 workstations into this OU.

When the password refreshes what happens? Will people creating passwords in 6 machines in the OU be required to use 8 character passwords?

Will the domain password policy override the OU password policy?

From what I understand of precedence, the OU policy should be processed last and therefore override the settings at the domain level.
Question by:iamuser
13 Comments
 
LVL 60

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 668 total points
ID: 40220476
The password policy attached to the OU would have no effect. While precedence would normally play a part, password policies are unique in this regard. The only way to have a password policy other than the default domain policy is to attach it to a user object directly, and even that is only supported on newer domains. Check out "fine grained password policies" on TechNet for more details.
0
 

Author Comment

by:iamuser
ID: 40220492
I am currently using a fine-grained password policy, but then I was reading about precedence and I didn't remember if the OU policy would take effect or not.
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 664 total points
ID: 40220530
The only password policy that has any effect is the default domain policy. All others (except FGPP) have no effect.
0

 
LVL 58

Expert Comment

by:McKnife
ID: 40221436
What will happen is that this policy becomes effective on those computers in the OU. Consequence: all local accounts on those computers will have to follow these restrictions. On domain accounts changed from these computers this has of course no effect. The domain accounts are at the DC that is not affected by this policy, that's why.

It would be interesting to know what you are trying to do.
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 40225706
On a side note, I believe when you apply a password policy to an OU it affects the workstation's local password criteria.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40225722
Nope.
0
 
LVL 58

Expert Comment

by:McKnife
ID: 40225723
Oh yes it does.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 40225748
Workstation passwords are already highly complex and are changed relatively often. Linking a policy to an OU doesn't change how AD handles workstation passwords.
0
 
LVL 58

Expert Comment

by:McKnife
ID: 40225762
This is not what I meant (and compdigit repeated). The local password policy doesn't influence the workstation pw, how could it, the workstation is a domain member. We are talking about local accounts.
0
 

Author Comment

by:iamuser
ID: 40231652
My issue is this:

Default domain password policy - undefined

OU password policy - is defined

Local password policy - default

Now what happens to the servers and workstations in the domain when GPO is processed? What is the password policy of the servers & workstations?
0
 
LVL 58

Expert Comment

by:McKnife
ID: 40231697
Once more :)
What will happen is that this policy becomes effective on those computers in the OU. Consequence: all local accounts on those computers will have to follow these restrictions. On domain accounts changed from these computers this has of course no effect. The domain accounts are at the DC that is not affected by this policy, that's why.

It would be interesting to know what you are trying to do.
0
 

Author Comment

by:iamuser
ID: 40231743
I already have the Fine Grained Password Policy in place because I wanted to have 2 different password policies. I was wondering if there was an option to do this using regular group policy.

Since 'undefined' meant nothing was changed (neither disabled nor enabled), then perhaps the OU password policy would be allowed to take effect. But I guess what you're saying is that Windows will only apply one password policy, and by default it will always be the password policy in the default GPO.
0
 
LVL 58

Accepted Solution

by:McKnife
McKnife earned 668 total points
ID: 40232532
Using regular group policy this is not possible for domain accounts, only for local accounts (you could have as many local password policies as you have PCs).
For domain accounts, only the DDP counts, together with eventually applied PSOs.
0
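
To check which policy actually governs a given account, following the distinction drawn in the accepted answer (an added example, not part of the original thread; `jdoe` is a placeholder account name, the RSAT ActiveDirectory and GroupPolicy modules are assumed to be installed, and the `MinimumPasswordLength` string match relies on the setting name as it appears in the GPO XML report):

```powershell
# Added example: resolve the password policy that really applies.
# 'jdoe' is a placeholder sAMAccountName; pass a real one with -User.
param([string]$User = 'jdoe')

Import-Module ActiveDirectory, GroupPolicy

function Get-EffectiveDomainPasswordPolicy {
    param([Parameter(Mandatory)][string]$Identity)

    # A PSO (fine-grained password policy) applied to the user or to one of
    # its global security groups wins. The DC resolves precedence itself;
    # $null here means no PSO applies and the domain-level policy is used.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($pso) {
        $source = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
        $policy = $pso
    } else {
        $source = 'Domain-level policy (stored on the domain root)'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }
    [pscustomobject]@{
        Account              = $Identity
        Source               = $source
        MinPasswordLength    = $policy.MinPasswordLength
        ComplexityEnabled    = $policy.ComplexityEnabled
        MaxPasswordAge       = $policy.MaxPasswordAge
        PasswordHistoryCount = $policy.PasswordHistoryCount
    }
}

function Get-GpoWithPasswordSettings {
    # List every GPO that defines a minimum password length and where it is
    # linked. A link on an OU only changes the local SAM policy of the
    # computers in that OU; it never changes domain account rules.
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        if ($report.OuterXml -match 'MinimumPasswordLength') {
            [pscustomobject]@{
                Gpo      = $gpo.DisplayName
                LinkedTo = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '
            }
        }
    }
}

Get-EffectiveDomainPasswordPolicy -Identity $User | Format-List
Get-GpoWithPasswordSettings | Format-Table -AutoSize

# Policy for LOCAL accounts on the machine this runs on (what an OU-linked GPO sets).
net accounts
```

Comparing the `net accounts` output on a workstation in the OU with the first result shows the split directly: the OU-linked length applies to local accounts, while the domain account still reports the PSO or domain-level values.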
