How to apply fine grained password policy to an OU

Question
I have an OU called TestOU-1. Now I want to apply fine-grained password policies to all the users in TestOU-1. I know fine-grained policies can be applied to global security groups and users only. But I heard of shadow groups through which fine-grained policies can be applied to an OU.
How do I create a shadow group for TestOU-1? I know how to create a fine-grained policy. After creating it, what should be the value of msDS_PasswordAppliesto? Is it the DN of TestOU-1 or of the shadow group that I created? Also, do I have to create a global security group before creating a shadow group for the OU?
Thanks and Regards, Radhakrishnan
Monday, June 18, 2012 10:42 AM
All replies
Hello,
FGPPs are NOT applied to OUs, only to users or security groups. In your case, create a security group that contains all accounts that should get the policy and use that security group for the policy. That's it.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Proposed as answer by Grégory LUCAND, Monday, June 18, 2012 10:48 AM
Monday, June 18, 2012 10:47 AM
You can create an OU or use an existing OU, create a global group, add the required users to this group, and link the Password Settings Object (PSO) to the global group.
http://windowsarchitecture.wordpress.com/2010/11/22/windows-2008-fine-grained-password-policies/
For more on FGPP, refer to the link below:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/4ba40c5c-6eb8-4f3f-af22-7a28e9f9280c
Hope this helps.
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Monday, June 18, 2012 10:59 AM
Shadow groups are not OUs but a way to automate the group membership for the FGPP to be applied. Using a shadow group requires scripting or a scheduled task to be configured to update the group members.
http://policelli.com/blog/archive/2008/01/15/manage-shadow-groups-in-windows-server-2008/
http://awinish.wordpress.com/2010/11/09/ad-implementing-fine-grained-policy-in-w2k8/
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
Monday, June 18, 2012 11:18 AM
Additionally, refer to the links below to understand what shadow groups are.
http://www.windowsitpro.com/article/security/password-policy-active-directory-142692
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
Regards,
_Prashant_
MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
Edited by Prashant Girennavar, Monday, June 18, 2012 11:24 AM
Monday, June 18, 2012 11:23 AM
What is the difference between creating a global security group, adding all the users of an OU to that group and applying the FGPP to the group, and creating a shadow group and applying the FGPP to the shadow group?
I don't understand why we need shadow groups at all.
Thanks and Regards, Radhakrishnan
Monday, June 18, 2012 11:38 AM
In a global security group we can have members from any OU who need to be covered under the FGPP, whereas a shadow group is a group used to hold all the users from a particular department, like finance or sales, in one group, and its membership is added or deleted automatically using scripts (PowerShell or VBScript) or a scheduled task.
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
Marked as answer by radhakrishnan88, Monday, June 18, 2012 12:07 PM
Monday, June 18, 2012 11:42 AM
Hello,
A shadow group is NOT an existing group in AD UC; it is a name for a security group used for the FGPP. So do not care about the "shadow"; there must be some name to reflect the security group "shadowing" the accounts in the OU it should work for.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Monday, June 18, 2012 11:43 AM
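
The shadow-group approach discussed in this thread, as an added example that is not from any of the posters: a script, meant to run as a scheduled task, that keeps a global security group in step with the users under TestOU-1 and links an existing PSO to that group, whose DN is what ends up in the PSO's msDS-PSOAppliesTo attribute. The domain DC=example,DC=com, the group name TestOU-1-Shadow and the PSO name TestOU1-PSO are assumptions, and the ActiveDirectory PowerShell module is assumed to be available.

```powershell
# Added example: sync a "shadow group" with an OU, then apply a PSO to the group.
# Assumed names (not from the thread): domain DC=example,DC=com, group
# 'TestOU-1-Shadow', PSO 'TestOU1-PSO' (created beforehand).
Import-Module ActiveDirectory

$OuDn      = 'OU=TestOU-1,DC=example,DC=com'   # OU from the question; domain part assumed
$GroupName = 'TestOU-1-Shadow'                 # hypothetical shadow group name
$PsoName   = 'TestOU1-PSO'                     # hypothetical existing PSO

# Create the global security group once if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $OuDn -PassThru
}

# Desired state: every user object under the OU, child OUs included.
$wanted  = @(Get-ADUser -Filter * -SearchBase $OuDn -SearchScope Subtree |
             Select-Object -ExpandProperty DistinguishedName)
# Current state: direct user members of the shadow group.
$current = @(Get-ADGroupMember -Identity $group |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty DistinguishedName)

# Users moved out of the OU must be removed, or they keep the policy.
$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

# Link the PSO to the group; this writes the group's DN into msDS-PSOAppliesTo.
$linked = Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName |
          Where-Object { $_.DistinguishedName -eq $group.DistinguishedName }
if (-not $linked) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $group
}

# Check: report OU users whose effective policy is not this PSO
# (for example because another PSO with better precedence applies).
foreach ($dn in $wanted) {
    $rp = Get-ADUserResultantPasswordPolicy -Identity $dn
    if (-not $rp -or $rp.Name -ne $PsoName) { Write-Warning "PSO not effective for $dn" }
}
```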