Thursday, December 01, 2011 4:36 PM
Is it possible to apply a complex password policy to an OU instead of entire domain (Windows 2008 R2). I'm under the impression it can only be applied to either a security group or an individual user.
Thursday, December 01, 2011 8:44 PMHowdie!Am 01.12.2011 17:36, schrieb greatbear302:> Is it possible to apply a complex password policy to an OU instead of> entire domain (Windows 2008 R2). I'm under the impression it can only be> applied to either a security group or an individual user.Yes, you are correct. Users and Groups it is for Fine-grained PasswordPolicies.Florian
The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer. If anyone should be allowed to mark a response as an "answer", it should be the thread creator. No one else.
Thursday, December 01, 2011 10:41 PMModeratorI beleive you are referering to PSC and PSO.The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container.PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups.Groups offer better flexibility for managing various sets of users than OUs.For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008.Fine-grained password policies apply only to user objects and global security groups. They cannot be applied to Computer objects.For more info, please see below articleAD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
- Edited by Santosh BhandarkarMicrosoft Community Contributor, Moderator Thursday, December 01, 2011 10:43 PM
- Marked As Answer by Lawrence LvMicrosoft Contingent Staff, Moderator Monday, December 05, 2011 1:46 AM
Friday, December 02, 2011 1:36 AM
Here is a link to how you setup find grain password policy... However you can only apply it to a Security Group. http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/
Alan Burchill (MVP)
Friday, December 02, 2011 7:08 AM
For fine grated password policy ; you need DLF 2008 and you can apply that policy on a single user and only global security group.
Find the step by step info.
Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
- Marked As Answer by Lawrence LvMicrosoft Contingent Staff, Moderator Monday, December 05, 2011 1:47 AM