Re: OU vs. Domain GPO's

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 03/29/04


Date: Sun, 28 Mar 2004 22:44:01 -0500

John,

No, password policy is set at the domain level. And there can be only one.
If you set a password policy at the OU level it will not affect the users,
it will affect whatever computer account objects ( local account
passwords ) might be contained in that particular OU.

The only way that I could think that this *might* work would be to undo the
password complexity setting and create the user account with the
userAccountControl attribute set to '66048' ( the 'Password never expires'
checkbox checked - maybe use ldifde to create the user account? ) and then
later reset the password complexity. Not really sure that you want to start
messing with this, though. I am not sure that I understand why you would
want to have this nice password policy / complexity for the entire domain
and then have one account that would be vulnerable. What are you trying to
do with this one account?

BTW - you are correct in that *typically* the pecking order for GPOs is
Local, Site, Domain and OU. However, as this is a password policy it is
specifically set at the domain level ( either via the Default Domain Policy
or the Domain Security Policy - either one works ).

HTH,

Cary

"John J. Rambone" <lgm_rambone@remove.hotmail.com> wrote in message
news:drM9c.16096$Q45.8663@fed1read02...
> I have created an OU for 1 user. I have locked down the OU so the only
> thing that appears is a start menu and IE and IE is locked down to only go
> to 1 address inside the company. I want the 1 user to have a blank
> password, but I have complex password defined for my Domain. I thought the
> OU took precedence over the domain gpo. Is there a work around for this?
>
> John J.
>
>
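
Added example, not part of the original thread: a small audit that reads an ldifde-style LDIF export and reports accounts whose userAccountControl value carries a password-policy exception, such as the 66048 value mentioned in the reply. The sample records, account names and example.com domain are constructed; the PASSWD_NOTREQD bit is not mentioned in the thread and is included as the other documented flag an auditor would check.

```python
UAC_FLAGS = {  # documented userAccountControl bits
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
RISKY = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD"}

# Constructed sample records, shaped like an LDIF export of user objects.
SAMPLE_LDIF = """\
dn: CN=Kiosk User,OU=Kiosk,DC=example,DC=com
sAMAccountName: kiosk1
userAccountControl: 66048

dn: CN=Jane Admin,OU=Staff,DC=example,DC=com
sAMAccountName: jadmin
userAccountControl: 512

dn: CN=Old Service Account With A Long Name,OU=Service
 Accounts,DC=example,DC=com
sAMAccountName: svc_old
userAccountControl: 546
"""

def parse_ldif(text):
    """Yield one dict per record; joins folded lines and skips comments."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            rec[key.strip().lower()] = value.strip()
        if "dn" in rec:
            yield rec

def audit(text):
    """Return (account, risky flag names, enabled) for each policy exception."""
    findings = []
    for rec in parse_ldif(text):
        uac = int(rec.get("useraccountcontrol", "0"))
        risky = sorted(n for bit, n in UAC_FLAGS.items() if uac & bit and n in RISKY)
        if risky:
            enabled = not uac & 0x0002
            findings.append((rec.get("samaccountname", rec["dn"]), risky, enabled))
    return findings

if __name__ == "__main__":
    for name, risky, enabled in audit(SAMPLE_LDIF):
        print(name, ",".join(risky), "enabled" if enabled else "disabled")
```

Enabled accounts in the output are the ones to review first, since a disabled account cannot log on until someone re-enables it.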


