Solved

default domain policy in AD exemptions

Posted on 2016-09-01
3
89 Views
Last Modified: 2016-10-03
1, Is it at all possible in an AD domain to exempt users from the default domain policy, which contains the password policy for all users. I am trying to prove for a compliance audit that all accounts in the domain are subject to this policy.

2, Also via the powershell AD cmdlets, is it possible to export the default domain policy settings?
0
Comment
Question by:pma111
3 Comments
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 250 total points
ID: 41779680
1. Is it at all possible?  
If a user account has "Password not Required" or "Password not Expire" then those user accounts will effectively be 'exempted' from the domain policy in those regards.

Second possibility to use different password policies would be via Fine Grain Password policies...

2. I assume you mean in a human readable format?  Does Get-GPOReport export the GPO in a format you want?  (There's a more generic Get-GPO, which you could then spindle, fold, and mutilate and write in a specific format you wanted... )
0
 
LVL 21

Assisted Solution

by:RK
RK earned 125 total points
ID: 41779682
Hi,

Yes, it is possible. What you have to do is, go to gpmc.msc>>Select the Default domain Policy>Select 'Delegation' from right hand side>Click Add to add the appropriate users>Once added, Select the user>click Advanced>select the newly added user>In the 'Apply group policy' make it 'Deny'. So, when the user login next time, the default domain policy won't apply to this user.

In the same page, if you click Settings, you will get all the configured policies in this. Right click and save report as XML format.
0
 
LVL 16

Assisted Solution

by:Carol Chisholm
Carol Chisholm earned 125 total points
ID: 41779688
You can filter group policy by scope (users, groups) or WMI filters (more powerful, more complicated)
gpo filters
Best to export from the GPO menu
GPO-report.jpg
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question