Solved

Multiple password policies in a single Windows 2012 R2 AD domain

Posted on 2016-11-21
Last Modified: 2016-11-21
Hi guys

I have a Windows Server 2012 R2 Domain and Forest functional level done by another team.
I can see that this domain has a default domain policy that sets a defined password policy.
Then I see in a nested OU (\administration\servers\) that another Policy contains another GPO that sets different password policies.

I thought that only one password policy could be set per domain.
Actually as I type this I see that there's a new setting called "Fine-Grained Password Policies".
OK, so I open ADAC and browse to domain\system\Password Settings Container, but I see no alternate password settings defined.

So how come, when I do an RSOP for a computer, I get some password settings coming from the default domain policy, and when I do an RSOP of another server in the OU where the other GPO sets a different password policy, it actually reports those (different) password policies?

How does this work?

Thanks for your help!
Question by:ferrarista
 
Expert Comment

by:oBdA
ID: 41895907
* Any password policies applied to computer objects other than DCs will only influence local accounts on the machines in question.
* Any password policies applied to user objects will have absolutely no effect at all.
* Any password policies applied to DCs, but not linked to the domain root will have absolutely no effect at all.
* Fine-grained password policies aside, there can only be one password policy per domain, it has to apply to the DCs, and it has to be linked to the domain root.

Author Comment

by:ferrarista
ID: 41895914
Thanks. But is it normal that when I run RSOP I see different password settings? I'm a bit confused here...

RSOP DC1 --> Password policy with some settings...
RSOP Member Server somewhere in another OU --> Password policy with some other settings...

Thanks.
Accepted Solution

by: oBdA (earned 500 total points)
ID: 41895927
It's perfectly normal when somebody created a GPO with password complexity settings and linked it to any computer OU.
There's nothing that keeps you from doing so, and in some cases, it might be required if you're using local accounts (for example for services) which require a different password policy than the domain password policy.
But again: these settings will have no influence at all on any domain account.
Domain passwords are set on the Domain Controllers, and the Domain Controllers decide (based on their password policy!) whether the password meets the complexity requirements or not. The client (where the user changing his password is logged on to) has no say in that matter at all.
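A way to verify the accepted answer from the admin side, as an added PowerShell example (not code from the thread): it lists the policy the DCs actually enforce, any FGPPs, and which GPOs with Account Policy settings are linked at the domain root versus only on an OU. It assumes the RSAT ActiveDirectory and GroupPolicy modules and uses 'jdoe' as a placeholder user.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory and
# GroupPolicy modules in a domain-joined session with read rights on GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$root = (Get-ADDomain).DistinguishedName

# 1. The domain-wide policy the DCs enforce for every domain account.
Write-Host "Domain password policy (enforced by the DCs):"
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                PasswordHistoryCount, LockoutThreshold

# 2. Fine-Grained Password Policies (Password Settings Container).
$fgpp = Get-ADFineGrainedPasswordPolicy -Filter *
if ($fgpp) {
    $fgpp | Format-Table Name, Precedence, MinPasswordLength, AppliesTo
} else {
    Write-Host "No Fine-Grained Password Policies defined."
}

# 3. GPOs that carry Account Policy settings, and where they are linked.
#    Only an enabled link at the domain root governs domain accounts;
#    a link on a computer OU only shapes the local SAM of those machines.
$accountSettings = 'MinimumPasswordLength|PasswordComplexity|' +
                   'MaximumPasswordAge|MinimumPasswordAge|PasswordHistorySize'
$rootLinks = (Get-GPInheritance -Target $root).GpoLinks |
    Where-Object { $_.Enabled } |
    Select-Object -ExpandProperty DisplayName

Write-Host "`nGPOs containing password settings:"
foreach ($gpo in Get-GPO -All) {
    # The XML report is returned as a string; match on setting names.
    $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    if ($report -match $accountSettings) {
        $scope = if ($rootLinks -contains $gpo.DisplayName) {
            'linked at domain root -> governs DOMAIN accounts'
        } else {
            'linked below root only -> LOCAL accounts on those computers'
        }
        '{0,-40} {1}' -f $gpo.DisplayName, $scope
    }
}

# 4. Resultant policy for one user: an FGPP if one applies, otherwise
#    nothing is returned and the default domain policy from step 1 applies.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'   # placeholder
if ($resultant) { $resultant } else { Write-Host "jdoe: default domain policy applies." }
```

The RSOP differences in the question are expected: the OU-linked GPO shows up on the member server but falls in the "LOCAL accounts" bucket above, while only the root-linked policy changes what the DCs accept.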
