Confused about password policies - why are they computer configuration?

I have become terribly confused over password policies.
Why are they configured under Computer Configuration (Windows\security\account\password)?
I need to apply password policies to my domain users (all contained in a user OU).
My two concerns here are -
1. I run an AD report on passwords due to expire in 30 days - if this policy only applies to Computers, how will it affect my user accounts?
2. It is imperative only the Users OU is affected, thus I applied the policy top this but it appears my machine (as a test) is picking it up from the Default Domain Policy which of course is covering my machine and the OU my machine is in.

Any transparency on this issue would be greatly appreciated.
LVL 4
fuzzyfreakAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
Users have to login to devices in order to get access to resources on the network, this is the main reason why password policies are applied in the Computer Configuration Section of Group Policy. This needs to be at the Domain Level and is required to be set on the Default Domain Policy (as you know).  This is how is works.

If you want to assign passwords to individual users or groups you would then need to assign FGPP (Fine Grain Password Policies) to specific users or groups you desire. This feature is only available when you have a minimum of a 2008 Active Directory Forest Functional Level and Domain Functional Level. Anything below this you will not be able to achieve.

Fine Grain Password Policies Explained
https://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx

Will.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
fuzzyfreakAuthor Commented:
Thanks very much for this advice. I have now applied the password policy to the default domain policy and much to my horror, everybody's passwords expired immediately, so it has been a busy day.
For all my service accounts, I have set "Password Never Expires" can you assure me that this setting will always override the domain policy?

Thanks
0
McKnifeCommented:
Sure, this overrides it.

Back to the question "why a computer policy" - the reason is: these are settings that apply to a password database. The password db is not per-user but per system. It treats all users the same.
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Will SzymkowskiSenior Solution ArchitectCommented:
default domain policy and much to my horror, everybody's passwords expired immediately
Not sure why that happen. When you change the password policy this does not Force users passwords to expire. If a user just changed there password and you apply a password policy they can use there current password until it expires or they try to change it themselves.

I have set "Password Never Expires" can you assure me that this setting will always override the domain policy?

That is correct. Setting "Password Never Expires" ignores the password change policy from the default domain policy.

Will.
0
fuzzyfreakAuthor Commented:
Thanks guys.
0
fuzzyfreakAuthor Commented:
Very comprehensive and helpful solution.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.