Different password policies for different departments

    Question

  • I want to create a new password policy in the domain, but I don't want to apply it to the whole domain at one time, i.e. I want to apply it to different OUs (today on the IT OU, the next day Finance, etc.)

    My questions are:

    1) As the password policies are in Computer Configuration, should I move the computer accounts of the targeted users from the Computers container to their OU to apply the policy, or will it be enough to move the users only?

    2) Should I create a linked policy for each OU, or what?

    Thanks

    Sunday, September 13, 2015 11:21 AM

Answers

  • Hello,

    Normally only the DCs are affected when raising the functional levels. If you have some concerns, build a lab with your major applications and server roles and make a test BEFORE.


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Monday, September 14, 2015 6:57 PM
  • Your best bet would be to do the following...

    - Take system state backups of all of your DCs

    - Make sure that replication and DC health is good BEFORE and AFTER raising the functional level (use the below commands)

    repadmin /replsum
    repadmin /showrepl
    repadmin /bridgeheads
    dcdiag /v

    Once you have verified this, then you can raise the functional level.

    Just another tid-bit of info. In order to use the FGPP you just need to upgrade the domain functional level to 2008. Make sure that if you do, do the DOMAIN first, test, then do the FOREST second. If you raise the Forest first, it will automatically raise all domains within the forest.

    Also, if you plan on going straight to 2008 R2 functional level, you can roll back to 2008 if you have not enabled the "recycle bin" feature in 2008 R2.

    Will.


    Tuesday, September 15, 2015 4:06 PM
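The pre-flight checks and the domain-level raise from the answer above, as an added PowerShell example (not code from any poster; it uses the ActiveDirectory module, and the backup target drive is an assumption):

```powershell
# Added example: verify DC health, then raise ONLY the domain functional level
# to Windows Server 2008, the minimum for Fine-Grained Password Policies.
# The backup target (E:) is an assumption; adjust to your environment.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain mode: $($domain.DomainMode)   Forest mode: $($forest.ForestMode)"

# 1. Every DC must run an OS at or above the target level; list them.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, IsGlobalCatalog |
    Format-Table -AutoSize

# 2. System state backup on this DC (needs the Windows Server Backup feature).
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 3. Replication and DC health. Review the output; do not continue on errors.
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
dcdiag /v

# 4. Raise the DOMAIN level only. The forest level is a separate, later step;
#    raising the forest first raises every domain in it. -Confirm prompts first.
Set-ADDomainMode -Identity $domain.DNSRoot -DomainMode Windows2008Domain -Confirm:$true

# 5. Relevant only if you go on to 2008 R2: rollback to 2008 is possible only
#    while the Recycle Bin optional feature has never been enabled. Check it.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if ($rb -and $rb.EnabledScopes.Count -gt 0) {
    "Recycle Bin is enabled: a later rollback from 2008 R2 is NOT possible."
} else {
    "Recycle Bin not enabled: rollback from 2008 R2 to 2008 remains possible."
}

# 6. Re-run the health checks AFTER the change, as the answer recommends.
repadmin /replsum
(Get-ADDomain).DomainMode
```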

All replies

  • Hi

    You could configure Fine-Grained Password Policies to define different password and account lockout policies for different sets of users in a domain.

    Check these articles about Fine-Grained Password Policies:

    https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

    http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Sunday, September 13, 2015 12:30 PM
  • Hello,

    1. This will not work for the domain. Password policy and account lockout policy MUST be set on domain level. You can use the already mentioned FGPP for user accounts and security groups, NOT OUs!!!, to have a different set of settings.

    2. As stated above, security groups or user accounts must be used. In your case create a so-called shadow group, a security group containing all user accounts where you need a different set of settings for. With this one configure the FGPP.


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Sunday, September 13, 2015 1:28 PM
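The shadow-group approach described in the reply above, as an added PowerShell example (not code from any poster; the OU path, group name, PSO name and password settings are assumptions, and it requires the ActiveDirectory module and a 2008 or higher domain functional level):

```powershell
# Added example: one FGPP per department via a shadow group.
# OU path, group name, PSO name and the policy values are assumptions.
Import-Module ActiveDirectory

$ouPath    = "OU=IT,DC=corp,DC=example"   # assumed department OU
$groupName = "PSO-IT-Users"                # assumed shadow group
$psoName   = "PSO-IT"                      # assumed PSO name

# 1. Shadow group: a GLOBAL security group, because a PSO applies only to
#    user accounts and global security groups, never to an OU.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $ouPath -Description "Shadow group for $ouPath (FGPP subject)"
}

# 2. Sync group membership with the OU. OU membership is not dynamic, so this
#    step must be re-run (e.g. scheduled) whenever users move in or out.
$inOu    = Get-ADUser -Filter * -SearchBase $ouPath -SearchScope Subtree
$members = Get-ADGroupMember -Identity $groupName | Where-Object objectClass -eq 'user'
$toAdd    = $inOu    | Where-Object { $_.DistinguishedName -notin $members.DistinguishedName }
$toRemove = $members | Where-Object { $_.DistinguishedName -notin $inOu.DistinguishedName }
if ($toAdd)    { Add-ADGroupMember    -Identity $groupName -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false }

# 3. The PSO. When a user is subject to several PSOs, the lowest Precedence wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge "1.00:00:00" -MaxPasswordAge "90.00:00:00" `
        -LockoutThreshold 5 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00" `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# 4. Verify per user which PSO is actually in effect. A user outside every PSO
#    gets $null here, meaning the Default Domain Policy still applies.
foreach ($u in $inOu) {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $u
    "{0,-20} {1}" -f $u.SamAccountName, $(if ($rsop) { $rsop.Name } else { "Default Domain Policy" })
}
```

Computer accounts play no part here: a PSO is resolved against the user object, so the original question about moving computers is moot once FGPP is used.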
  • The problem with the FGPP is that our domain functional level is 2003, which doesn't support FGPP.
    Is there any other way to do this?
    Sunday, September 13, 2015 2:55 PM
  • On 13.09.2015 Ibra86 wrote:
    Hi,

    The problem with the FGPP is that our domain functional level is 2003, which doesn't support FGPP.
    Is there any other way to do this?

    Then you should upgrade to a higher level if possible. Otherwise you can buy products like:
    http://www.nfrontsecurity.com/
    or
    http://www.specopssoft.com/product/specops-password-policy/

    HTH
    Norbert


    Dilbert's words of wisdom #18:
    Never argue with an idiot. They drag you down to their level then beat you with experience.
    nntp-bridge access to the MS forums possible again: https://communitybridge.codeplex.com/

    Sunday, September 13, 2015 5:43 PM
  • "The problem with the FGPP is that our domain functional level is 2003, which doesn't support FGPP.
    Is there any other way to do this?"

    As you have stated, you are on 2003 functional level, so this will not work. Natively, the only other way you can have different password policies for different accounts in a 2003 domain is by creating a new child domain, where you can then set another password policy for users in the child domain which differs from the parent domain.

    Personally, it is much easier and "supported" to upgrade to 2008, which will then give you the feature of FGPP after you raise the domain functional level to 2008 or higher.

    Will.

    Sunday, September 13, 2015 7:35 PM
  • "The problem with the FGPP is that our domain functional level is 2003, which doesn't support FGPP.
    Is there any other way to do this?"

    Hello,

    No, not with a built-in option. There may exist some 3rd party tools that bring the functions.

    But as Windows Server 2003 is out of support now, go on with the new OS version and all its advantages.


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    Sunday, September 13, 2015 8:29 PM
  • All my domain controllers are Windows Server 2008 R2. So I think it will be simpler to raise the functional level.

    Are there any concerns when raising the functional level other than the DCs?

    Monday, September 14, 2015 6:45 PM