Solved

Multiple password policies in a single Windows 2012 R2 AD domain

Posted on 2016-11-21
3
207 Views
Last Modified: 2016-11-21
Hi guys

I have a Windows Server 2012 R2 Domain and Forest functional level done by another team.
I can see that this domain has a default domain policy that sets a defined password policy.
Then I see in a nested OU (\administration\servers\) that another Policy contains another GPO that sets different password policies.

I thought that only one password policy could be set per domain.
Actually as I type this I see that there's a new setting called "Fine-Grained Password Policies".
OK so I open ADAC and browse to domain\system\Password Settings Container but I see no alternate password settings defined.

So how come when I do an RSOP for a computer I get some password settings coming from the default domain policy and when I do an RSOP of another server in the OU where the other GPO setting different password policy actually report those (different) password policies ?

How does this work ?

Thanks for your help!
0
Comment
Question by:ferrarista
  • 2
3 Comments
 
LVL 84

Expert Comment

by:oBdA
ID: 41895907
* Any password policies applied to computer objects other than DCs will only influence local accounts on the machines in question.
* Any password policies applied to user objects will have absolutely no effect at all.
* Any password policies applied to DCs, but not linked to the domain root will have absolutely no effect at all.
* Fine-grained password policies aside, there can only be one password policy per domain, it has to apply to the DCs, and it has to be linked to the domain root.
0
 

Author Comment

by:ferrarista
ID: 41895914
Thanks. But is it normal that when I run RSOP I see different password settings ? I'm a bit confused here....

RSOP DC1 --> Password policy with some settings...
RSOP Member Server somewhere in another OU --> Password policy with some other settings...

Thanks.
0
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 41895927
It's perfectly normal when somebody created a GPO with password complexity settings and linked it to any computer OU.
There's nothing that keeps you from doing so, and in some cases, it might be required if you're using local accounts (for example for services) which require a different password policy than the domain password policy.
But again: these settings will have no influence at all on any domain account.
Domain passwords are set on the Domain Controllers, and the Domain Controllers decide (based on their password policy!) whether the password meets the complexity requirements or not. The client (where the user changing his password is logged on to) has no say in that matter at all.
1

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question