Password policy in domain 2003

  • Thread starter לי×ור.פ
  • Start date
×

לי×ור.פ

Hi

As far as I know there can be only one password policy.
I configured the main GPO in the root for specific password policy, I have
an OU with blocked inheritance is checked, and I created a new gpo and linked
it to this OU, this gpo have a diffrent set of password policy, I run the
RSOP on the server under that OU, and I got the new set of password policy
that is linked to this OU.
So, Can I use a diffrent password policy in diffrent OU's ?
or, I missing somthing?

thanks

Lior
 
D

Dobromir Todorov

You can - but for accounts that reside in the local SAM databases of
computers in that OU. You will certainly notice that it only applies to
computers, and not to users. For domain accounts, the domain level password
policy still applies.

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

"?????.?" <@discussions.microsoft.com> wrote in message
news:120460DB-2E9D-41B4-BD51-21A8FEDCFAED@microsoft.com...
> Hi
>
> As far as I know there can be only one password policy.
> I configured the main GPO in the root for specific password policy, I have
> an OU with blocked inheritance is checked, and I created a new gpo and
> linked
> it to this OU, this gpo have a diffrent set of password policy, I run the
> RSOP on the server under that OU, and I got the new set of password policy
> that is linked to this OU.
> So, Can I use a diffrent password policy in diffrent OU's ?
> or, I missing somthing?
>
> thanks
>
> Lior
>
 
×

לי×ור.פ

Hi
I didn't anderstand your answer, can U pleas explain broadly, the password
policy
is on the computer section, when u wrote " For domain accounts, the domain
level password policy still applies", the computer object account are domain
accounts, so what did u mean?

Lior

"Dobromir Todorov" wrote:

> You can - but for accounts that reside in the local SAM databases of
> computers in that OU. You will certainly notice that it only applies to
> computers, and not to users. For domain accounts, the domain level password
> policy still applies.
>
> --
> ---
> HTH,
> Dobromir
>
> Learn more about Security and Identity Management:
> Visit http://www.iamechanics.com
>
> "?????.?" <@discussions.microsoft.com> wrote in message
> news:120460DB-2E9D-41B4-BD51-21A8FEDCFAED@microsoft.com...
> > Hi
> >
> > As far as I know there can be only one password policy.
> > I configured the main GPO in the root for specific password policy, I have
> > an OU with blocked inheritance is checked, and I created a new gpo and
> > linked
> > it to this OU, this gpo have a diffrent set of password policy, I run the
> > RSOP on the server under that OU, and I got the new set of password policy
> > that is linked to this OU.
> > So, Can I use a diffrent password policy in diffrent OU's ?
> > or, I missing somthing?
> >
> > thanks
> >
> > Lior
> >
>
>
>
 
R

Roger Abell [MVP]

Dobromir stated correctly that prior to Windows 2008 domains
there is only one account and password policy for domain accounts.
If one sets these at a different level (not at domain level) such as
your case on an OU, then the account and password policies will
have impact on machine local accounts defined on the computers
in that OU, which is why you were seeing what you report in the
GP results for machines in that OU.

Roger

"?????.?" <@discussions.microsoft.com> wrote in message
news:450C94D5-9E3F-4637-AA0F-815985FF4022@microsoft.com...
> Hi
> I didn't anderstand your answer, can U pleas explain broadly, the password
> policy
> is on the computer section, when u wrote " For domain accounts, the domain
> level password policy still applies", the computer object account are
> domain
> accounts, so what did u mean?
>
> Lior
>
> "Dobromir Todorov" wrote:
>
>> You can - but for accounts that reside in the local SAM databases of
>> computers in that OU. You will certainly notice that it only applies to
>> computers, and not to users. For domain accounts, the domain level
>> password
>> policy still applies.
>>
>> --
>> ---
>> HTH,
>> Dobromir
>>
>> Learn more about Security and Identity Management:
>> Visit http://www.iamechanics.com
>>
>> "?????.?" <@discussions.microsoft.com> wrote in message
>> news:120460DB-2E9D-41B4-BD51-21A8FEDCFAED@microsoft.com...
>> > Hi
>> >
>> > As far as I know there can be only one password policy.
>> > I configured the main GPO in the root for specific password policy, I
>> > have
>> > an OU with blocked inheritance is checked, and I created a new gpo and
>> > linked
>> > it to this OU, this gpo have a diffrent set of password policy, I run
>> > the
>> > RSOP on the server under that OU, and I got the new set of password
>> > policy
>> > that is linked to this OU.
>> > So, Can I use a diffrent password policy in diffrent OU's ?
>> > or, I missing somthing?
>> >
>> > thanks
>> >
>> > Lior
>> >
>>
>>
>>
 
You must log in or register to reply here.

Similar threads

J
Group Policy Object Question
Replies
0
Views
41
Jason-999
J
A
You have chosen to force a Group Policy update on all computers within TEST and all sub containers. No computer object can be found in this OU or sub
Replies
0
Views
21
Anjali89
A
P
Printer deployed through Group Policy > Computer Configuration
Replies
0
Views
57
Prabin Bhusal
P
M
Active directory - Fine Grained Password policy does not work for AD users
Replies
0
Views
63
Matias Ignacio Catril Opazo
M
G
Unable to extend minimum password length to 15 characters in Group policy for 2016 and 2019 server.
Replies
0
Views
37
GOVINDU SREEHARSHA1
G
Back
Top Bottom