• Status: Solved

Confused about password policies - why are they computer configuration?

I have become terribly confused over password policies.
Why are they configured under Computer Configuration (Windows\security\account\password)?
I need to apply password policies to my domain users (all contained in a user OU).
My two concerns here are -
1. I run an AD report on passwords due to expire in 30 days - if this policy only applies to Computers, how will it affect my user accounts?
2. It is imperative only the Users OU is affected, thus I applied the policy to this, but it appears my machine (as a test) is picking it up from the Default Domain Policy, which of course is covering my machine and the OU my machine is in.

Any transparency on this issue would be greatly appreciated.
Asked by: fuzzyfreak
1 Solution
 
Will Szymkowski, Senior Solution Architect, Commented:
Users have to log in to devices in order to get access to resources on the network; this is the main reason why password policies are applied in the Computer Configuration section of Group Policy. This needs to be at the Domain Level and is required to be set on the Default Domain Policy (as you know). This is how it works.

If you want to assign passwords to individual users or groups you would then need to assign FGPP (Fine-Grained Password Policies) to the specific users or groups you desire. This feature is only available when you have a minimum of a 2008 Active Directory Forest Functional Level and Domain Functional Level. Anything below this you will not be able to achieve.

Fine-Grained Password Policies Explained
https://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx

Will.
 
fuzzyfreak (Author) Commented:
Thanks very much for this advice. I have now applied the password policy to the default domain policy and much to my horror, everybody's passwords expired immediately, so it has been a busy day.
For all my service accounts, I have set "Password Never Expires". Can you assure me that this setting will always override the domain policy?

Thanks
 
McKnife Commented:
Sure, this overrides it.

Back to the question "why a computer policy" - the reason is: these are settings that apply to a password database. The password db is not per-user but per system. It treats all users the same.
 
Will Szymkowski, Senior Solution Architect, Commented:
> default domain policy and much to my horror, everybody's passwords expired immediately

Not sure why that happened. When you change the password policy this does not force users' passwords to expire. If a user just changed their password and you apply a password policy they can use their current password until it expires or they try to change it themselves.

> I have set "Password Never Expires" can you assure me that this setting will always override the domain policy?

That is correct. Setting "Password Never Expires" ignores the password change policy from the default domain policy.

Will.
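
A pre-change check for the situation discussed in this thread, added here as an example and not written by any of the posters: password expiry is computed from each account's pwdLastSet plus the maximum password age in effect, so this previews which accounts would already be past a proposed maximum age and which are exempt through "Password Never Expires". The account records are constructed sample data and Get-PasswordExpiryPreview is a hypothetical helper name.

```powershell
# Added example. The account records below are constructed sample data.
# In a domain, the same two attributes can be read with:
#   Get-ADUser -Filter * -Properties pwdLastSet,userAccountControl
$DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl bit behind "Password Never Expires"

function Get-PasswordExpiryPreview {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Account,
        [Parameter(Mandatory)] [int] $MaxPasswordAgeDays,   # proposed setting; 0 = passwords never expire
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($a in $Account) {
        $expires = $null
        if ($a.userAccountControl -band $DONT_EXPIRE_PASSWORD) {
            $state = 'Exempt (Password Never Expires)'
        } elseif ($MaxPasswordAgeDays -eq 0) {
            $state = 'No expiry (maximum age is 0)'
        } elseif ($a.pwdLastSet -eq 0) {
            $state = 'Must change at next logon'
        } else {
            # pwdLastSet is a FILETIME value; expiry = last set + maximum age
            $expires = [datetime]::FromFileTimeUtc($a.pwdLastSet).AddDays($MaxPasswordAgeDays)
            if ($expires -le $Now) {
                $state = 'Expired as soon as the policy applies'
            } elseif ($expires -le $Now.AddDays($WarnDays)) {
                $state = "Expires within $WarnDays days"
            } else {
                $state = 'OK'
            }
        }
        [pscustomobject]@{ Name = $a.Name; State = $state; ExpiresUtc = $expires }
    }
}

# Constructed sample accounts (0x200 = normal account, 0x10200 = normal + never expires)
$now = (Get-Date).ToUniversalTime()
$sample = @(
    [pscustomobject]@{ Name = 'alice';       userAccountControl = 0x200;   pwdLastSet = $now.AddDays(-400).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'bob';         userAccountControl = 0x200;   pwdLastSet = $now.AddDays(-70).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'carol';       userAccountControl = 0x200;   pwdLastSet = $now.AddDays(-5).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'svc-backup';  userAccountControl = 0x10200; pwdLastSet = $now.AddDays(-900).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'new-starter'; userAccountControl = 0x200;   pwdLastSet = 0 }
)
Get-PasswordExpiryPreview -Account $sample -MaxPasswordAgeDays 90 -Now $now | Format-Table -AutoSize
```

Accounts covered by a fine-grained password policy take their maximum age from that policy instead of the domain setting; the constructed attribute msDS-UserPasswordExpiryTimeComputed reports the expiry Active Directory itself calculates for a user.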
 
fuzzyfreak (Author) Commented:
Thanks guys.
 
fuzzyfreak (Author) Commented:
Very comprehensive and helpful solution.
Question has a verified solution.
