Re: Using GPO to implement Password Policy

I am thinking about creating a child domain (that would work, right?) but I
will need need another server to use as a domain controller in order to
create the child domain via dcpromo. Have a separate domain for these other
accounts would be very useful actually for what we do.

I am interested in the 3rd party software as well. We'll see...thanks for
your advice!

"Herb Martin" wrote:

"Saral6978" <Saral6978@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D26491D9-C017-4482-A790-8E92BD44B8D2@xxxxxxxxxxxxxxxx
Oh, wow...really? That is not going to work for us then, because there
are
some users in some OUs that we don't want this policy to be implemented
for.
I was really hoping that it could be done using OUs...shoot. Okay, thanks
so
much for the information. I'll have to come up with something else.

Sometimes having different password policies is a REASON
to require multiple domains do to this, and two other areas.

In additional to password, the other items in Security->Account
Policies are only settable (for the domain) when linked at the
domain level:

Password, Kerberos, and Lockout policy.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


Sara

"Paul Jensen" wrote:

Password policies are a little different than any other that you might
create. They can only be applied to the domain. NOT to an OU.

If you link it to an OU, it will actually affect the those local machines
when you use them to log on locally, but not the domain.

To use password policies you must use them at the domain level. If you
have
a requirement for different password policies for different people, you
must
put them in a spearate domain and apply a different policy to that
domain.

Hope that helps.






"Saral6978" <Saral6978@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1D85F154-7AC7-4557-8FE0-6C361649CEA5@xxxxxxxxxxxxxxxx
I'm using Group Policy Managment to create and manage my domain's group
policies. We have decided to implement a password policy so I created
a
new
Group Policy Object, Company Password Policy, configured the settings I
wanted as far as maximum password age, complexity, etc and enabled the
GPO.
I then attempted to then link this GPO to a test OU, called "GPO Test
Computers". I ran gpupdate /force and logged into the test computer
located
under this GPO. I also ran gpupdate /force on this PC and also
rebooted
it
for good measure, but it is not making the user change the password (it
is
a
test account, located in the OU "GPO Test Users". Password policies
are
applied to computers, not users, correct?

I will also note that I am trying to do this on a Windows 2003 member
server
(test server), in which I gave the gpotest user access to log on
locally,
but
not have admin rights, so I'm not sure if it is because it is running
server
and not XP or sometihng. I should also note that the user account
settings
itself are set to "Password never expires" and "User Cannot Change
Passoword". I was thinking that the GPO would automatically change
this
setting when implemented. All of my domain accounts are set with these
settings for their passwords, and we have about 100 users, and I'm
hoping
I
don't have to go into each account and uncheck these boxes.

Does anyone have any ideas? I did try linking the newly created GPO to
the
"GPO Test Users" OU as well, but that did not seem to do it either.

Which OU should this policy be linked to?

Thanks,
Sara






.

Relevant Pages

  • Re: SCW question.
    ... Created a new Server and installed IIS. ... and saw that the default rights for IUSR and IWAM users are there. ... Server to the domain without and GPO's applied...Local Security policy ... rights (which coincides with my Member server GPO settings). ...
    (microsoft.public.windows.server.security)
  • Re: Group Policy is now inhibiting the Administrator account
    ... under Group Policy Objects - those are the individual GPOs. ... You can apply any given GPO to one or more OUs, ... I use all of the default security in SBS, ... log on to the server with your own account. ...
    (microsoft.public.windows.server.sbs)
  • Re: User Profiles
    ... You can use Folder redirection for the Start Menu, ... Exactly what icons are you getting from the Default Domain Policy, ... and in which GPO setting are they defined? ... MCSE, CCEA, Microsoft MVP - Terminal Server ...
    (microsoft.public.windows.terminal_services)
  • Re: GPO - Access denied after changing a GP setting
    ... You are about to restore Default Domain policy and Default domain Controller po ... This may render some server applications to fail. ... Unable to open the GPO due to access denied. ... You are about to restore Default Domain controller policy for the following domain ...
    (microsoft.public.windows.server.security)
  • Re: GPO - Access denied after changing a GP setting
    ... This may render some server applications to fail. ... y Unable to open the GPO due to access denied. ... This tool was unable to re-create the EFS Certificates in the Default D omain Policy GPO Access is denied. ... You are about to restore Default Domain controller policy for the following domain Do you want to continue: ...
    (microsoft.public.windows.server.security)
Loading