Solved

Multiple password policies in a single Windows 2012 R2 AD domain

Posted on 2016-11-21
3
369 Views
Last Modified: 2016-11-21
Hi guys

I have a Windows Server 2012 R2 Domain and Forest functional level done by another team.
I can see that this domain has a default domain policy that sets a defined password policy.
Then I see in a nested OU (\administration\servers\) that another Policy contains another GPO that sets different password policies.

I thought that only one password policy could be set per domain.
Actually as I type this I see that there's a new setting called "Fine-Grained Password Policies".
OK so I open ADAC and browse to domain\system\Password Settings Container but I see no alternate password settings defined.

So how come when I do an RSOP for a computer I get some password settings coming from the default domain policy, and when I do an RSOP of another server in the OU where the other GPO sets a different password policy, it actually reports those (different) password policies?

How does this work?

Thanks for your help!
0
Question by: ferrarista
3 Comments
 
LVL 85

Expert Comment

by:oBdA
ID: 41895907
* Any password policies applied to computer objects other than DCs will only influence local accounts on the machines in question.
* Any password policies applied to user objects will have absolutely no effect at all.
* Any password policies applied to DCs, but not linked to the domain root will have absolutely no effect at all.
* Fine-grained password policies aside, there can only be one password policy per domain, it has to apply to the DCs, and it has to be linked to the domain root.
0
 

Author Comment

by:ferrarista
ID: 41895914
Thanks. But is it normal that when I run RSOP I see different password settings? I'm a bit confused here...

RSOP DC1 --> Password policy with some settings...
RSOP Member Server somewhere in another OU --> Password policy with some other settings...

Thanks.
0
 
LVL 85

Accepted Solution

by: oBdA (earned 500 total points)
ID: 41895927
It's perfectly normal when somebody created a GPO with password complexity settings and linked it to any computer OU.
There's nothing that keeps you from doing so, and in some cases, it might be required if you're using local accounts (for example for services) which require a different password policy than the domain password policy.
But again: these settings will have no influence at all on any domain account.
Domain passwords are set on the Domain Controllers, and the Domain Controllers decide (based on their password policy!) whether the password meets the complexity requirements or not. The client (where the user changing his password is logged on to) has no say in that matter at all.
1
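The two answers above boil down to a check any admin can script: read the policy the DCs actually enforce, list any fine-grained policies, resolve the resultant policy for a user, and then find every GPO that carries password settings and see whether it is linked at the domain root (domain accounts) or only at a computer OU (local accounts on those machines). The script below is an added example written for this thread, not code from the thread or from Microsoft; it assumes the ActiveDirectory and GroupPolicy RSAT modules on a domain-joined admin workstation, and `jdoe` is a placeholder account name.

```powershell
# Added example: audit where the effective password policy for domain accounts comes from,
# and flag GPOs whose password settings only reach local accounts on member computers.
# Assumes the ActiveDirectory and GroupPolicy RSAT modules are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# 1. What the DCs enforce for domain accounts. This is read from the domain naming context
#    (minPwdLength, pwdHistoryLength, ...), i.e. what the root-linked GPO wrote on the DCs.
Write-Host "== Effective domain password policy (enforced by DCs for domain accounts) =="
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
                  MaxPasswordAge, MinPasswordAge, LockoutThreshold | Format-List

# 2. Fine-grained password policies (PSOs) under CN=Password Settings Container.
#    No output here matches the "nothing in ADAC" observation from the question.
Write-Host "== Fine-grained password policies (PSOs) =="
$psos = Get-ADFineGrainedPasswordPolicy -Filter *
if (-not $psos) {
    Write-Host "(none defined)"
} else {
    $psos | Format-Table Name, Precedence, MinPasswordLength, AppliesTo -AutoSize
}

# 3. Resultant policy for one user: a PSO if one applies, otherwise the domain default.
#    'jdoe' is a placeholder; substitute a real sAMAccountName.
$user = 'jdoe'
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if ($null -eq $resultant) {
    Write-Host "$user is governed by the domain default policy (no PSO applies)"
} else {
    Write-Host "$user is governed by PSO '$($resultant.Name)'"
}

# 4. Every GPO that carries Account Policies / Password Policy settings, and where it is linked.
#    Root-linked (and therefore reaching the DCs) is the one that matters for domain accounts;
#    a GPO linked only to a computer OU shapes the local SAM accounts on those computers and
#    nothing else. Blocked inheritance and link order are not evaluated here; check those in GPMC.
Write-Host "== GPOs containing password policy settings =="
foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    # Security Settings extension: <Account><Name>MinimumPasswordLength</Name>...<Type>Password</Type>
    $pwdSettings = $report.GPO.Computer.ExtensionData.Extension.Account |
        Where-Object { $_.Type -eq 'Password' }
    if (-not $pwdSettings) { continue }

    # SOMPath is the DNS name for a root link (e.g. corp.example) and "corp.example/OU/Sub" for an OU link.
    $links  = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object { $_.SOMPath })
    $atRoot = $links -contains $domain.DNSRoot
    [pscustomobject]@{
        GPO          = $gpo.DisplayName
        LinkedTo     = if ($links) { $links -join '; ' } else { '(not linked)' }
        AtDomainRoot = $atRoot
        Affects      = if ($atRoot) { 'Domain accounts (via the DCs)' }
                       else         { 'Local accounts on the linked computers only' }
    }
}
```

In the situation from the question, step 4 should list two GPOs: the Default Domain Policy linked at the root, and the one linked under Administration\Servers reported as affecting local accounts only. Step 1 is the authoritative answer for domain accounts regardless of what RSOP on a member server shows, because RSOP on that server only tells you what that server's local SAM enforces.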
