none
Complex Password Policy on an OU

    问题

  • Is it possible to apply a complex password policy to an OU instead of entire domain (Windows 2008 R2). I'm under the impression it can only be applied to either a security group or an individual user.

    2011年12月1日 16:36

答案

全部回复

  • Howdie!
     
    Am 01.12.2011 17:36, schrieb greatbear302:
    > Is it possible to apply a complex password policy to an OU instead of
    > entire domain (Windows 2008 R2). I'm under the impression it can only be
    > applied to either a security group or an individual user.
     
    Yes, you are correct. Users and Groups it is for Fine-grained Password
    Policies.
     
    Florian
     

    The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer. If anyone should be allowed to mark a response as an "answer", it should be the thread creator. No one else.
    2011年12月1日 20:44
  • I beleive you are referering to PSC and PSO. 
    The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container.
    PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups.
    Groups offer better flexibility for managing various sets of users than OUs.
    For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008.
    Fine-grained password policies apply only to user objects and global security groups. They cannot be applied to Computer objects.
    For more info, please see  below article
    AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

    ~Santosh View Santosh  Bhandarkar's profile on LinkedIn
    2011年12月1日 22:41
    版主
  • Here is a link to how you setup find grain password policy... However you can only apply it to a Security Group. http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/

     


    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill
    2011年12月2日 1:36
  • In addition,

    For fine grated password policy ; you need DLF 2008 and you can apply that policy on a single user and only global security group.

    Find the step by step info.

    http://social.technet.microsoft.com/wiki/contents/articles/4627.aspx


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    2011年12月2日 7:08