Setting password policy in OU

Question
Hi,
I'm a newbie in AD DS and I'm trying to lower the password complexity requirements for users in a specific OU in the domain, but it's not working. I've created a GPO for that OU "MyOU" and linked it. Here is the configuration:
Local Policy: "Minimum password length" is grayed out and set to 7.
Default Domain Controller Policy (Enforced=False): "Minimum password length" = Not Defined
Default Domain Policy (Enforced=False): "Minimum password length" = 7
MyOU: "Minimum password length" = 5 and "Security Filtering": Authenticated Users
But when setting a password for a user in the OU, the "Minimum password length = 7" policy is enforced. Users of the OU are members of the "Domain Users" group.
I know that child GPO objects take precedence (so the OU should take precedence over the Default Domain Policy), but that does not seem to be the case here. I've tried "gpupdate /force", but it is still not working. What am I doing wrong?
Many thanks!
Saturday, April 6, 2013 8:07 PM

Answers
You can only have one password policy per domain unless you have fine-grained password policies implemented.
http://technet.microsoft.com/en-us/magazine/2007.12.securitywatch.aspx
Hope This Helps!
Marked as answer by Cicely Feng, Tuesday, April 16, 2013 1:52 AM
Saturday, April 6, 2013 8:10 PM
You can have ONLY ONE password and account lockout policy in ANY 2003 AD domain! Windows Server 2008 introduces multiple password and account lockout policies through PSOs when the DFL is at least Windows Server 2008.
In Windows Server 2003 Active Directory domains, you could apply only one password policy, which is specified in the domain's Default Domain Policy, to all users in the domain.
Windows Server 2008 has Fine-Grained Password Policies, which provide organizations with a way to define different password policies for different sets of users in a domain. Here is a Step-by-Step Guide: http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx
http://social.technet.microsoft.com/wiki/contents/articles/4627.ad-ds-fine-grained-password-policies.aspx
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Marked as answer by Cicely Feng, Tuesday, April 16, 2013 1:52 AM
Sunday, April 7, 2013 10:35 AM
Hello,
this will not work. Password policies MUST be set at domain level; on an OU they have no effect for domain logged-on users.
Therefore you can use FGPP; required is Windows Server 2008 or higher.
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Marked as answer by Cicely Feng, Tuesday, April 16, 2013 1:52 AM
Sunday, April 7, 2013 3:12 PM
It is normal that this does not work.
To apply multiple password policies, you will need to use AD DS Fine-Grained Password Policies: http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
Please note that PSO objects (for the Fine-Grained Password Policies) can be applied to user or group objects (not at OU level).
So, if you would like to have a password policy applied to user accounts based on OU membership, you can proceed as follows:
- Create a group under each OU
- Create a PowerShell script that will add all user accounts under an OU as members of the OU group
- Apply your PSO objects to the OU groups
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Marked as answer by Cicely Feng, Tuesday, April 16, 2013 1:52 AM
Sunday, April 7, 2013 6:53 PM
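The three steps above, worked through end to end, as an added example that is not part of the original thread or of any Microsoft documentation. It assumes the RSAT ActiveDirectory module, a domain functional level of at least Windows Server 2008 (the prerequisite the other answers point out), and an account allowed to create PSOs (Domain Admins by default). The OU name "MyOU" comes from the question; the group name, PSO name, precedence and the policy values other than the minimum length of 5 are made up for the example.

```powershell
# Added example, not code from the thread. Builds one global security group per OU,
# keeps its membership in sync with the users under that OU, attaches a PSO to the
# group, and then shows the resultant policy per user. Names below are hypothetical.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# FGPP needs DFL >= Windows Server 2008; fail early instead of creating orphan objects.
$minMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $minMode) {
    throw "Domain functional level is $($domain.DomainMode); fine-grained password policies need Windows2008Domain or higher."
}

$ouDn      = "OU=MyOU,$($domain.DistinguishedName)"   # OU from the question
$groupName = 'PSO-MyOU-Users'                         # hypothetical group name
$psoName   = 'PSO-MyOU-MinLength5'                    # hypothetical PSO name

# Step 1: one GLOBAL SECURITY group per OU (PSO subjects must be users or global
# security groups). Create it inside the OU so it is easy to find later.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                         -Path $ouDn -PassThru
}

# Step 2: membership = exactly the enabled users under the OU (subtree). Users moved
# out of the OU are removed, so re-run this on a schedule, not just once.
$ouUsers  = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ouDn -SearchScope Subtree
$members  = Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'user'
$toAdd    = $ouUsers | Where-Object { $_.DistinguishedName -notin $members.DistinguishedName }
$toRemove = $members | Where-Object { $_.DistinguishedName -notin $ouUsers.DistinguishedName }
if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

# Step 3: the PSO. Precedence: when several PSOs cover a user through groups, the one
# with the LOWEST number wins; a PSO linked directly to the user beats any group PSO.
# Values other than MinPasswordLength are illustrative; they are NOT defaults.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'" -ErrorAction SilentlyContinue
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 100 `
        -MinPasswordLength 5 -ComplexityEnabled $false -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false -PassThru
}
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $pso
if ($subjects.DistinguishedName -notcontains $group.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
}

# Step 4: verify. The resultant policy is computed per USER by the DC (direct PSO,
# else lowest-precedence group PSO, else the Default Domain Policy); no gpupdate
# or logoff is involved, which is why the OU-linked GPO never mattered.
$default = Get-ADDefaultDomainPasswordPolicy
foreach ($u in $ouUsers) {
    $rsop   = Get-ADUserResultantPasswordPolicy -Identity $u
    $source = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }
    $len    = if ($rsop) { $rsop.MinPasswordLength } else { $default.MinPasswordLength }
    '{0,-24} {1,-26} MinPasswordLength={2}' -f $u.SamAccountName, $source, $len
}
```

Two things to keep in mind when using this. The OU-to-group sync is the weak link: a user moved into the OU gets the PSO only after the script runs again, and a user moved out keeps it until then, so schedule it and log the adds and removes. And a PSO with a lower minimum length and complexity disabled is a deliberate weakening of the domain baseline for those accounts; the same mechanism is more often used the other way round, with a low-precedence PSO that applies a stricter policy to a group of administrative accounts.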
All replies
I really have to clarify this because it is a common source of confusion. You can set password policies at the OU level. They are ignored when logging on to a domain, as the Default Domain Policy wins. However, the OU policy is applied and enforced only when users log on to the local computer. (see https://technet.microsoft.com/en-us/library/hh125920(v=ws.10).aspx)
Mike Liben
Wednesday, November 8, 2017 4:31 AM
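A quick way to see the split the reply above describes, as an added check that is not part of the thread: on a domain-joined member computer that sits in the OU carrying the GPO, the OU-linked password settings land in the machine's local SAM, while domain accounts are still governed by the domain-wide policy. It assumes the RSAT ActiveDirectory module for the last line; the first two only need a domain-joined Windows host.

```powershell
# Added example, not from the thread. Run on a member computer inside the OU.
# "net accounts" reports the LOCAL SAM policy (where an OU-linked GPO ends up);
# "net accounts /domain" asks the domain for the policy applied to domain accounts.
$local  = (net accounts)         -match '^Minimum password length'
$domain = (net accounts /domain) -match '^Minimum password length'
"Local SAM (OU-linked GPO applies here) : $local"
"Domain accounts (Default Domain Policy): $domain"
# The same domain value read from AD, to confirm the two sources agree:
"AD default domain policy               : MinPasswordLength=$((Get-ADDefaultDomainPasswordPolicy).MinPasswordLength)"
```

In the scenario from the question the first line would show 5 and the other two 7: the OU GPO did apply, just not to the accounts the poster was testing with.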
That's a very good tip Michael, thanks! BR, Ruslan
Edited by Ruslan Nalivaika, Friday, December 20, 2019 8:10 AM
Friday, December 20, 2019 8:09 AM