Link to home
Create AccountLog in
Avatar of fuzzyfreak
fuzzyfreak

asked on

Confused about password policies - why are they computer configuration?

I have become terribly confused over password policies.
Why are they configured under Computer Configuration (Windows\security\account\password)?
I need to apply password policies to my domain users (all contained in a user OU).
My two concerns here are -
1. I run an AD report on passwords due to expire in 30 days - if this policy only applies to Computers, how will it affect my user accounts?
2. It is imperative only the Users OU is affected, thus I applied the policy top this but it appears my machine (as a test) is picking it up from the Default Domain Policy which of course is covering my machine and the OU my machine is in.

Any transparency on this issue would be greatly appreciated.
ASKER CERTIFIED SOLUTION
Avatar of Will Szymkowski
Will Szymkowski
Flag of Canada image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of fuzzyfreak
fuzzyfreak

ASKER

Thanks very much for this advice. I have now applied the password policy to the default domain policy and much to my horror, everybody's passwords expired immediately, so it has been a busy day.
For all my service accounts, I have set "Password Never Expires" can you assure me that this setting will always override the domain policy?

Thanks
Sure, this overrides it.

Back to the question "why a computer policy" - the reason is: these are settings that apply to a password database. The password db is not per-user but per system. It treats all users the same.
default domain policy and much to my horror, everybody's passwords expired immediately
Not sure why that happen. When you change the password policy this does not Force users passwords to expire. If a user just changed there password and you apply a password policy they can use there current password until it expires or they try to change it themselves.

I have set "Password Never Expires" can you assure me that this setting will always override the domain policy?

That is correct. Setting "Password Never Expires" ignores the password change policy from the default domain policy.

Will.
Thanks guys.
Very comprehensive and helpful solution.