fcummins

asked on

Omit certain users from password policy using Group Policy.

I am planning on using Group Policy in domain to implement a better password policy.  However, there are several accounts - namely family members of the company owner - that we want to leave out of this policy.  These accounts will have NO access to any network resources - they will only have email access.

I plan on creating a specific security group in my local AD that these users will be part of and block that group from any network resources on our local LAN.  Is there a way to NOT include this group in the Group Policy for our password policy?
Andrew Porter

Based on your question, I don't see any correlation to a password policy in Group Policy. Password policies in GP have to be a computer policy (not a user policy) that only applies to domain controllers.

What you're looking to do is set explicit deny permissions on certain resources/objects. Depending on scope, a group policy might not even be necessary.

If you're trying to bypass the password requirements for these users as well, you'll need to do that directly on the domain controller as an admin. In other words, set their weaker passwords, which never expire, directly on the DC using Active Directory Users & Computers.

From a cybersecurity standpoint, this is not a great idea.

You can use "granular" policy for passwords (Create Fine Grained Password Policies (Step-by-Step-Guide), activedirectorypro.com), with different password policies more or less restrictive than the default.
These policies can be assigned to AD groups.

Now, to access Mailboxes, these specific accounts should have access to some resources.
Where are these mailboxes?
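As an added example that is not part of this thread, this is the fine-grained password policy approach above in PowerShell: a relaxed Password Settings Object applied to a global security group holding the mail-only accounts, while the stricter Default Domain Policy keeps applying to everyone else. The group name, user names and PSO name are assumptions; it requires the RSAT ActiveDirectory module and a domain functional level of 2008 or higher.

```powershell
# Added example, not from the thread. Names below are placeholders.
Import-Module ActiveDirectory

$ExceptionGroup = 'PSO-Exempt-MailOnly'   # assumed group name
$ExemptUsers    = @('user1', 'user2')     # assumed sAMAccountNames of the two mail-only accounts

# PSO subjects must be users or global security groups; create the group if missing.
if (-not (Get-ADGroup -Filter "Name -eq '$ExceptionGroup'")) {
    New-ADGroup -Name $ExceptionGroup -GroupScope Global -GroupCategory Security `
        -Description 'Mail-only accounts exempt from the standard password expiry'
}
Add-ADGroupMember -Identity $ExceptionGroup -Members $ExemptUsers

# Relaxed PSO: no expiry, but keep length, complexity and lockout so the exemption
# stays as narrow as possible. Lower Precedence wins if several PSOs cover a user.
# MaxPasswordAge 0 is meant to yield "(never)"; confirm in ADAC after creation.
New-ADFineGrainedPasswordPolicy -Name 'PSO-MailOnly-NoExpiry' -Precedence 10 `
    -MaxPasswordAge 0 -MinPasswordAge 0 `
    -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 5 `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-MailOnly-NoExpiry' -Subjects $ExceptionGroup

# Verify which policy each exempt account actually resolves to.
# A null result means the Default Domain Policy (the GPO one) applies.
foreach ($u in $ExemptUsers) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    '{0}: {1}' -f $u, $(if ($pso) { $pso.Name } else { 'Default Domain Policy' })
}
```

Because the accounts are synced to Microsoft 365 with AD Connect, check the resultant policy on the DC rather than assuming the GPO setting is what the cloud sees.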

fcummins

ASKER

Andrew, I failed to mention a significant point - not sure if it affects your answer ... these user accounts are not used on computers that are attached to the domain.  The accounts are only used to access email - either via mobile device (cell phone, tablet, etc.) or via Microsoft 365 Outlook.  Realistically I can probably narrow it down to only two users that I don't want the password policy to apply to, as trying to get them to figure out how to change their passwords (much less remember the new ones) will be near impossible (both well into their 80s).

I had forgotten about the "password doesn't expire" option on the DC or, rather, I assumed that the GP would override that.

NVIT, I'll check that out.
@fcummins. My bad. The computer config password policy gpo doesn't have ILT so I removed my post.
Thanks for the heads up, NVIT.

Deman, the mailboxes are in Microsoft 365 which we use AD Connect to sync the AD with.

So, you could create these accounts directly on Office 365 to avoid a specific policy for them in Active Directory.

If these specific users are created in AD, then synchronized (with authentication based on PHS/PTA/ADFS), they will need a specific password policy if the standard policy is not adequate for them.

Deman, the accounts already exist in AD - the issue is that I'm told the password policy we want to implement can't apply to those specific accounts.  Is it ideal/best practice?  Of course not - but I'm working within a specific set of parameters that are outside my control.
you could just mark those 2 accounts as password never expires
Just set the accounts to have their password never expire. Easy.
ASKER CERTIFIED SOLUTION
fcummins
