Remove From My Forums

How to implement the different password policy on a particular OU

Question

0

Sign in to vote

Hi Team,

Can I implement the different password policy on a different OU in win 2008 R2

I have Created a policy through GPMC and apply this on

Computer Configuration -> Windows Setting -> Security Setting -> Account Policy -> Password Policy

But it is not working.

Any fix for this.

Subs

Friday, July 29, 2011 12:49 PM

Reply

|

Quote

Answers

0

Sign in to vote
No, you can't. In windows 2008 you can create different password policy using groups not OU.

You can use fine-grained password policy in windows 2008, but you can't use it as OU level segregation.

http://awinish.wordpress.com/2010/11/09/ad-implementing-fine-grained-policy-in-w2k8/

Regards

Awinish Vishwakarma

MVP-Directory Services

MY BLOG: awinish.wordpress.com

This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Marked as answer by VLCC Monday, August 01, 2011 4:37 AM
Friday, July 29, 2011 1:06 PM

Reply

|

Quote

Moderator

0

Sign in to vote
In Windows 2008 or R2, you can use Fine-grained password policy. But It cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.

Here are some reference materials:

http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx

Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

Blogs - http://blogs.sivarajan.com/
Articles - http://www.sivarajan.com/publications.html
Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
This posting is provided AS IS with no warranties,and confers no rights.
- Marked as answer by VLCC Monday, August 01, 2011 4:37 AM
Friday, July 29, 2011 2:07 PM

Reply

|

Quote

Moderator

0

Sign in to vote
Here some additional links you can reference for Password Policy settings and troubleshooting...

How to Implement an Active Directory Password Policy
http://www.anitkb.com/2010/03/how-to-implement-active-directory.html

How Troubleshoot Active Directory Password Policy Settings
http://www.anitkb.com/2010/08/how-to-troubleshoot-active-directory.html

Visit anITKB.com, an IT Knowledge Base.
Follow me on Facebook.
- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, August 01, 2011 6:45 AM
Friday, July 29, 2011 2:28 PM

Reply

|

Quote

0

Sign in to vote
Hello,

Can I implement the different password policy on a different OU in win 2008 R2

On OUs no.

You can proceed like that:

Add users of each OU in a separate group
Use AD DS Fine-grained password policies to apply a password policy on each group

More here: http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx

Here, you should have 2008 or hiher as DFL.

This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, August 01, 2011 6:45 AM
Saturday, July 30, 2011 3:58 PM

Reply

|

Quote

0

Sign in to vote
Hello,

you can achieve this with fine grained password policy but NOT with OUs, except with users or security groups.

Your described way belong to local user accounts on the machines and NOT to domain users.

http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, August 01, 2011 6:45 AM
Saturday, July 30, 2011 6:06 PM

Reply

|

Quote

All replies

0

Sign in to vote
No, you can't. In windows 2008 you can create different password policy using groups not OU.

You can use fine-grained password policy in windows 2008, but you can't use it as OU level segregation.

http://awinish.wordpress.com/2010/11/09/ad-implementing-fine-grained-policy-in-w2k8/

Regards

Awinish Vishwakarma

MVP-Directory Services

MY BLOG: awinish.wordpress.com

This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Marked as answer by VLCC Monday, August 01, 2011 4:37 AM
Friday, July 29, 2011 1:06 PM

Reply

|

Quote

Moderator

0

Sign in to vote
In Windows 2008 or R2, you can use Fine-grained password policy. But It cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.

Here are some reference materials:

http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx

Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

Blogs - http://blogs.sivarajan.com/
Articles - http://www.sivarajan.com/publications.html
Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
This posting is provided AS IS with no warranties,and confers no rights.
- Marked as answer by VLCC Monday, August 01, 2011 4:37 AM
Friday, July 29, 2011 2:07 PM

Reply

|

Quote

Moderator

0

Sign in to vote
Here some additional links you can reference for Password Policy settings and troubleshooting...

How to Implement an Active Directory Password Policy
http://www.anitkb.com/2010/03/how-to-implement-active-directory.html

How Troubleshoot Active Directory Password Policy Settings
http://www.anitkb.com/2010/08/how-to-troubleshoot-active-directory.html

Visit anITKB.com, an IT Knowledge Base.
Follow me on Facebook.
- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, August 01, 2011 6:45 AM
Friday, July 29, 2011 2:28 PM

Reply

|

Quote

0

Sign in to vote

See this forum post regarding Shadow Groups:

http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/thread/6622aad7-ddcd-4000-8ed5-13465299bd6b/

Andreas Hultgren
MCTS, MCITP
http://ahultgren.blogspot.com/

Friday, July 29, 2011 4:26 PM

Reply

|

Quote

0

Sign in to vote
Hello,

Can I implement the different password policy on a different OU in win 2008 R2

On OUs no.

You can proceed like that:

Add users of each OU in a separate group
Use AD DS Fine-grained password policies to apply a password policy on each group

More here: http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx

Here, you should have 2008 or hiher as DFL.

This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, August 01, 2011 6:45 AM
Saturday, July 30, 2011 3:58 PM

Reply

|

Quote

0

Sign in to vote
Hello,

you can achieve this with fine grained password policy but NOT with OUs, except with users or security groups.

Your described way belong to local user accounts on the machines and NOT to domain users.

http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, August 01, 2011 6:45 AM
Saturday, July 30, 2011 6:06 PM

Reply

|

Quote

0

Sign in to vote

thanks !!!
Subs

Monday, August 01, 2011 4:42 AM

Reply

|

Quote

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

How to implement the different password policy on a particular OU

Question

Answers

All replies