Guest לי×Âור.פ Posted April 28, 2008 Posted April 28, 2008 Hi As far as I know there can be only one password policy. I configured the main GPO in the root for specific password policy, I have an OU with blocked inheritance is checked, and I created a new gpo and linked it to this OU, this gpo have a diffrent set of password policy, I run the RSOP on the server under that OU, and I got the new set of password policy that is linked to this OU. So, Can I use a diffrent password policy in diffrent OU's ? or, I missing somthing? thanks Lior Quote
Guest Dobromir Todorov Posted April 28, 2008 Posted April 28, 2008 You can - but for accounts that reside in the local SAM databases of computers in that OU. You will certainly notice that it only applies to computers, and not to users. For domain accounts, the domain level password policy still applies. -- --- HTH, Dobromir Learn more about Security and Identity Management: Visit http://www.iamechanics.com "?????.?" <@discussions.microsoft.com> wrote in message news:120460DB-2E9D-41B4-BD51-21A8FEDCFAED@microsoft.com...<span style="color:blue"> > Hi > > As far as I know there can be only one password policy. > I configured the main GPO in the root for specific password policy, I have > an OU with blocked inheritance is checked, and I created a new gpo and > linked > it to this OU, this gpo have a diffrent set of password policy, I run the > RSOP on the server under that OU, and I got the new set of password policy > that is linked to this OU. > So, Can I use a diffrent password policy in diffrent OU's ? > or, I missing somthing? > > thanks > > Lior > </span> Quote
Guest לי×Âור.פ Posted April 28, 2008 Posted April 28, 2008 Hi I didn't anderstand your answer, can U pleas explain broadly, the password policy is on the computer section, when u wrote " For domain accounts, the domain level password policy still applies", the computer object account are domain accounts, so what did u mean? Lior "Dobromir Todorov" wrote: <span style="color:blue"> > You can - but for accounts that reside in the local SAM databases of > computers in that OU. You will certainly notice that it only applies to > computers, and not to users. For domain accounts, the domain level password > policy still applies. > > -- > --- > HTH, > Dobromir > > Learn more about Security and Identity Management: > Visit http://www.iamechanics.com > > "?????.?" <@discussions.microsoft.com> wrote in message > news:120460DB-2E9D-41B4-BD51-21A8FEDCFAED@microsoft.com...<span style="color:green"> > > Hi > > > > As far as I know there can be only one password policy. > > I configured the main GPO in the root for specific password policy, I have > > an OU with blocked inheritance is checked, and I created a new gpo and > > linked > > it to this OU, this gpo have a diffrent set of password policy, I run the > > RSOP on the server under that OU, and I got the new set of password policy > > that is linked to this OU. > > So, Can I use a diffrent password policy in diffrent OU's ? > > or, I missing somthing? > > > > thanks > > > > Lior > > </span> > > > </span> Quote
Guest Roger Abell [MVP] Posted April 28, 2008 Posted April 28, 2008 Dobromir stated correctly that prior to Windows 2008 domains there is only one account and password policy for domain accounts. If one sets these at a different level (not at domain level) such as your case on an OU, then the account and password policies will have impact on machine local accounts defined on the computers in that OU, which is why you were seeing what you report in the GP results for machines in that OU. Roger "?????.?" <@discussions.microsoft.com> wrote in message news:450C94D5-9E3F-4637-AA0F-815985FF4022@microsoft.com...<span style="color:blue"> > Hi > I didn't anderstand your answer, can U pleas explain broadly, the password > policy > is on the computer section, when u wrote " For domain accounts, the domain > level password policy still applies", the computer object account are > domain > accounts, so what did u mean? > > Lior > > "Dobromir Todorov" wrote: ><span style="color:green"> >> You can - but for accounts that reside in the local SAM databases of >> computers in that OU. You will certainly notice that it only applies to >> computers, and not to users. For domain accounts, the domain level >> password >> policy still applies. >> >> -- >> --- >> HTH, >> Dobromir >> >> Learn more about Security and Identity Management: >> Visit http://www.iamechanics.com >> >> "?????.?" <@discussions.microsoft.com> wrote in message >> news:120460DB-2E9D-41B4-BD51-21A8FEDCFAED@microsoft.com...<span style="color:darkred"> >> > Hi >> > >> > As far as I know there can be only one password policy. >> > I configured the main GPO in the root for specific password policy, I >> > have >> > an OU with blocked inheritance is checked, and I created a new gpo and >> > linked >> > it to this OU, this gpo have a diffrent set of password policy, I run >> > the >> > RSOP on the server under that OU, and I got the new set of password >> > policy >> > that is linked to this OU. >> > So, Can I use a diffrent password policy in diffrent OU's ? >> > or, I missing somthing? >> > >> > thanks >> > >> > Lior >> ></span> >> >> >> </span></span> Quote
Guest joachim@liikamaa.se Posted April 30, 2008 Posted April 30, 2008 Have a look at http://www.specopssoft.com/products/specopspasswordpolicy at the Specops Password Policy product. It will cover your needs. Regards Joachim Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.