Solved

Multiple password policies in a single Windows 2012 R2 AD domain

Posted on 2016-11-21
3
97 Views
Last Modified: 2016-11-21
Hi guys

I have a Windows Server 2012 R2 Domain and Forest functional level done by another team.
I can see that this domain has a default domain policy that sets a defined password policy.
Then I see in a nested OU (\administration\servers\) that another Policy contains another GPO that sets different password policies.

I thought that only one password policy could be set per domain.
Actually as I type this I see that there's a new setting called "Fine-Grained Password Policies".
OK so I open ADAC and browse to domain\system\Password Settings Container but I see no alternate password settings defined.

So how come, when I do an RSOP for a computer, I get some password settings coming from the default domain policy, and when I do an RSOP of another server in the OU where the other GPO sets a different password policy, it actually reports those (different) password policies?

How does this work?

Thanks for your help!
0
Question by:ferrarista
3 Comments
 
LVL 83

Expert Comment

by:oBdA
ID: 41895907
* Any password policies applied to computer objects other than DCs will only influence local accounts on the machines in question.
* Any password policies applied to user objects will have absolutely no effect at all.
* Any password policies applied to DCs, but not linked to the domain root will have absolutely no effect at all.
* Fine-grained password policies aside, there can only be one password policy per domain, it has to apply to the DCs, and it has to be linked to the domain root.
0
 

Author Comment

by:ferrarista
ID: 41895914
Thanks. But is it normal that when I run RSOP I see different password settings? I'm a bit confused here...

RSOP DC1 --> Password policy with some settings...
RSOP Member Server somewhere in another OU --> Password policy with some other settings...

Thanks.
0
 
LVL 83

Accepted Solution

by: oBdA (earned 500 total points)
ID: 41895927
It's perfectly normal when somebody created a GPO with password complexity settings and linked it to any computer OU.
There's nothing that keeps you from doing so, and in some cases, it might be required if you're using local accounts (for example for services) which require a different password policy than the domain password policy.
But again: these settings will have no influence at all on any domain account.
Domain passwords are set on the Domain Controllers, and the Domain Controllers decide (based on their password policy!) whether the password meets the complexity requirements or not. The client (where the user changing his password is logged on to) has no say in that matter at all.
1
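The two replies above describe where a password policy actually takes effect: domain accounts follow only the policy the DCs enforce (a GPO linked at the domain root, or a fine-grained policy from the Password Settings Container), while a GPO with password settings linked to a member-server OU only changes the local SAM policy on those servers. The PowerShell script below is an added example, not code from the thread or from oBdA, that makes this visible in a domain: it reads the policy the DCs enforce, lists any fine-grained policies, checks which policy a sample user resolves to, and flags every GPO whose Computer Configuration carries password settings together with where it is linked. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain-joined administrative session, and a placeholder account name `jdoe`; the regular expression over the GPO XML report assumes the report uses the secedit setting names (MinimumPasswordLength, PasswordComplexity, and so on).

```powershell
# Added example: inventory of where password settings really come from.
# Assumes RSAT ActiveDirectory + GroupPolicy modules and a domain-joined admin
# session. $SampleUser is a hypothetical placeholder account.
param(
    [string]$SampleUser = 'jdoe'
)
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$rootDn = $domain.DistinguishedName

# 1. The policy domain accounts are checked against (absent an FGPP): the one
#    the domain controllers enforce, read from the domain root.
'== Effective domain password policy (what the DCs enforce) =='
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, MinPasswordAge, LockoutThreshold

# 2. Fine-grained password policies live in CN=Password Settings Container,
#    not in any GPO. No output here means none are defined.
'== Fine-grained password policies (PSOs) =='
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo

'== Resultant PSO for {0} (no output = default domain policy applies) ==' -f $SampleUser
Get-ADUserResultantPasswordPolicy -Identity $SampleUser

# 3. Every GPO whose Computer Configuration carries password settings, and
#    where it is linked. Only a link at the domain root reaches domain accounts;
#    a link to a member-server OU only changes those servers' local SAM policy.
#    Assumption: the XML report uses the secedit names for these settings.
$pwdSettingNames = 'MinimumPasswordLength|PasswordComplexity|PasswordHistorySize|MaximumPasswordAge|MinimumPasswordAge'

# Map GPO display name -> link targets, by walking the root and every OU.
$links   = @{}
$targets = @($rootDn) + (Get-ADOrganizationalUnit -Filter * |
                         Select-Object -ExpandProperty DistinguishedName)
foreach ($t in $targets) {
    foreach ($l in (Get-GPInheritance -Target $t).GpoLinks) {
        if (-not $links.ContainsKey($l.DisplayName)) { $links[$l.DisplayName] = @() }
        $links[$l.DisplayName] += [pscustomobject]@{
            Target = $t; Enabled = $l.Enabled; Enforced = $l.Enforced
        }
    }
}

'== GPOs that set password settings, and what they really affect =='
foreach ($gpo in Get-GPO -All) {
    $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if ($report -notmatch $pwdSettingNames) { continue }   # no password settings here
    $gpoLinks = @($links[$gpo.DisplayName] | Where-Object { $_ })
    if ($gpoLinks.Count -eq 0) {
        [pscustomobject]@{ GPO = $gpo.DisplayName; LinkedTo = '(not linked)'; Enabled = $false
                           Effect = 'none' }
        continue
    }
    foreach ($link in $gpoLinks) {
        $effect = if ($link.Target -eq $rootDn) {
            'domain root -> governs domain accounts (enforced by the DCs)'
        } else {
            'OU -> local accounts on the linked computers only'
        }
        [pscustomobject]@{
            GPO      = $gpo.DisplayName
            LinkedTo = $link.Target
            Enabled  = $link.Enabled
            Effect   = $effect
        }
    }
}
```

On a member server in the OU from the question, `net accounts` shows the local SAM policy (the values the OU-linked GPO wrote), while `net accounts /domain` shows what the domain controllers enforce; that difference is exactly what the two RSOP results in the question reflect, and only the second one matters for a domain account's password change.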
