RE: Group Policy: multiple password policies in the same domain?
From: Laura A. Robinson (laurarobinson_at_earthlink.net)
Date: 08/31/05
- Previous message: Laura A. Robinson: "RE: Group Policy: multiple password policies in the same domain?"
- Maybe in reply to: Laura A. Robinson: "RE: Group Policy: multiple password policies in the same domain?"
- Next in thread: Derick Anderson: "RE: Group Policy: multiple password policies in the same domain?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Beauford, Jason'" <jbeauford@EightInOnePet.com>, "'Derick Anderson'" <danderson@vikus.com>, <focus-ms@securityfocus.com>
Date: Wed, 31 Aug 2005 15:23:47 -0400
Inline...
> -----Original Message-----
> From: Beauford, Jason [mailto:jbeauford@EightInOnePet.com]
>
> Domain Wide Password policies cannot be blocked by OU
> Policies.
It's not a matter of blocking. It's a matter of where the accounts are
actually stored. AD accounts are stored in the *domain*, so that is the only
place where a password policy affects *domain* accounts. OUs are irrelevant
in that scenario.
> With that in mind you should look at creating an
> OU and setting up a GPO with Password Policies there rather
> than on the top level domain. Drop your service accounts
> into the OU and they will take on the applied GPO.
No, they won't. Moving the service account from one OU to another has no
effect. The account is still stored in AD and is still subject to the
*domain* password policy. Creating *local* accounts on the computer(s) in
question, then setting password policies on the OUs where the *computers*
reside, would work. However, it wouldn't meet the requirements of the
original poster.
>
> Because you have no other password policy set on the top
> level domain name, your "other" users will be unaffected.
That is not the case. See above.
>
> I believe that should do it. But then again, I haven't
> tested it or ever implemented it to confirm. Check it out.
I have tested and implemented this stuff eight ways to Sunday, but I
encourage anybody who doesn't want to take my word for it to test for
himself/herself. :-)
Laura
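
The behaviour described in this reply, sketched as an added example that is not part of the original message and is not Windows' own logic: a simplified model of which GPO-delivered password settings reach a domain account versus a local account. The domain name, OU names, account names and setting keys are constructed; sites, link enforcement and block inheritance are left out.

```python
from dataclasses import dataclass

DOMAIN_ROOT = "DC=example,DC=test"  # constructed domain, assumption for the example


@dataclass(frozen=True)
class Account:
    name: str
    kind: str       # "domain": stored in AD; "local": stored on a member computer
    container: str  # DN of the OU holding the user (domain) or the host computer (local)


def gpo_scope_chain(container):
    """Containers whose GPO links reach an object: domain root first, nearest OU last.
    Naive comma split; fine for the constructed DNs used here."""
    parts = container.split(",")
    root_len = len(DOMAIN_ROOT.split(","))
    return [",".join(parts[i:]) for i in range(len(parts) - root_len, -1, -1)]


def effective_password_policy(account, gpo_links):
    """gpo_links maps a container DN to the password settings of the GPO linked there."""
    if account.kind == "domain":
        # Domain accounts live in the domain, so only the policy linked at the
        # domain root counts. The OU the user object sits in is never consulted.
        return dict(gpo_links.get(DOMAIN_ROOT, {}))
    # Local accounts follow the GPOs applied to their computer; the nearest OU wins.
    policy = {}
    for scope in gpo_scope_chain(account.container):
        policy.update(gpo_links.get(scope, {}))
    return policy


# Constructed scenario: a stricter GPO linked to two OUs, as proposed in the thread.
GPO_LINKS = {
    DOMAIN_ROOT: {"min_length": 8, "max_age_days": 42},
    "OU=Service Accounts,DC=example,DC=test": {"min_length": 15, "max_age_days": 0},
    "OU=App Servers,DC=example,DC=test": {"min_length": 15, "max_age_days": 0},
}
SVC_DOMAIN = Account("svc_sql", "domain", "OU=Service Accounts,DC=example,DC=test")
STAFF_DOMAIN = Account("jdoe", "domain", "OU=Staff,DC=example,DC=test")
SVC_LOCAL = Account("svc_sql", "local", "OU=App Servers,DC=example,DC=test")

if __name__ == "__main__":
    for acct in (SVC_DOMAIN, STAFF_DOMAIN, SVC_LOCAL):
        print(acct.kind, acct.name, effective_password_policy(acct, GPO_LINKS))
```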