Solved

Multiple password policies in a single Windows 2012 R2 AD domain

Posted on 2016-11-21
3
15 Views
Last Modified: 2016-11-21
Hi guys

I have a Windows Server 2012 R2 Domain and Forest functional level done by another team.
I can see that this domain has a default domain policy that sets a defined password policy.
Then I see in a nested OU (\administration\servers\) that another Policy contains another GPO that sets different password policies.

I thought that only one password policy could be set per domain.
Actually as I type this I see that there's a new setting called "Fine-Grained Password Policies".
OK so I open ADAC and browse to domain\system\Password Settings Container but I see no alternate password settings defined.

So how come when I do an RSOP for a computer I get some password settings coming from the default domain policy and when I do an RSOP of another server in the OU where the other GPO setting different password policy actually report those (different) password policies ?

How does this work ?

Thanks for your help!
0
Comment
Question by:ferrarista
  • 2
3 Comments
 
LVL 82

Expert Comment

by:oBdA
Comment Utility
* Any password policies applied to computer objects other than DCs will only influence local accounts on the machines in question.
* Any password policies applied to user objects will have absolutely no effect at all.
* Any password policies applied to DCs, but not linked to the domain root will have absolutely no effect at all.
* Fine-grained password policies aside, there can only be one password policy per domain, it has to apply to the DCs, and it has to be linked to the domain root.
0
 

Author Comment

by:ferrarista
Comment Utility
Thanks. But is it normal that when I run RSOP I see different password settings ? I'm a bit confused here....

RSOP DC1 --> Password policy with some settings...
RSOP Member Server somewhere in another OU --> Password policy with some other settings...

Thanks.
0
 
LVL 82

Accepted Solution

by:
oBdA earned 500 total points
Comment Utility
It's perfectly normal when somebody created a GPO with password complexity settings and linked it to any computer OU.
There's nothing that keeps you from doing so, and in some cases, it might be required if you're using local accounts (for example for services) which require a different password policy than the domain password policy.
But again: these settings will have no influence at all on any domain account.
Domain passwords are set on the Domain Controllers, and the Domain Controllers decide (based on their password policy!) whether the password meets the complexity requirements or not. The client (where the user changing his password is logged on to) has no say in that matter at all.
1

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

My GPO's made for 2008 R2 servers were not allowing me to RDP into a new 2012 server by default.  That’s why I tried to allow RDP via Powershell, because I could log into a remote shell without further configuration. Below I will describe how I wen…
The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now