Answered by:
How to implement the different password policy on a particular OU
-
Hi Team,
Can I implement the different password policy on a different OU in win 2008 R2
I have Created a policy through GPMC and apply this on
Computer Configuration -> Windows Setting -> Security Setting -> Account Policy -> Password Policy
But it is not working.
Any fix for this.
Subs
Question
Answers
-
No, you can't. In windows 2008 you can create different password policy using groups not OU.
You can use fine-grained password policy in windows 2008, but you can't use it as OU level segregation.
http://awinish.wordpress.com/2010/11/09/ad-implementing-fine-grained-policy-in-w2k8/
Regards
Awinish Vishwakarma
MY BLOG: awinish.wordpress.com
This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Marked as answer by VLCC Monday, August 01, 2011 4:37 AM
-
In Windows 2008 or R2, you can use Fine-grained password policy. But It cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.
Here are some reference materials:
http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
Blogs - http://blogs.sivarajan.com/
Articles - http://www.sivarajan.com/publications.html
Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
This posting is provided AS IS with no warranties,and confers no rights.- Marked as answer by VLCC Monday, August 01, 2011 4:37 AM
-
Here some additional links you can reference for Password Policy settings and troubleshooting...
How to Implement an Active Directory Password Policy
http://www.anitkb.com/2010/03/how-to-implement-active-directory.htmlHow Troubleshoot Active Directory Password Policy Settings
http://www.anitkb.com/2010/08/how-to-troubleshoot-active-directory.htmlVisit anITKB.com, an IT Knowledge Base.
Follow me on Facebook.- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, August 01, 2011 6:45 AM
-
Hello,
Can I implement the different password policy on a different OU in win 2008 R2
On OUs no.
You can proceed like that:
- Add users of each OU in a separate group
- Use AD DS Fine-grained password policies to apply a password policy on each group
More here: http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Here, you should have 2008 or hiher as DFL.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, August 01, 2011 6:45 AM
-
Hello,
you can achieve this with fine grained password policy but NOT with OUs, except with users or security groups.
Your described way belong to local user accounts on the machines and NOT to domain users.
http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, August 01, 2011 6:45 AM
All replies
-
No, you can't. In windows 2008 you can create different password policy using groups not OU.
You can use fine-grained password policy in windows 2008, but you can't use it as OU level segregation.
http://awinish.wordpress.com/2010/11/09/ad-implementing-fine-grained-policy-in-w2k8/
Regards
Awinish Vishwakarma
MY BLOG: awinish.wordpress.com
This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Marked as answer by VLCC Monday, August 01, 2011 4:37 AM
-
In Windows 2008 or R2, you can use Fine-grained password policy. But It cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.
Here are some reference materials:
http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
Blogs - http://blogs.sivarajan.com/
Articles - http://www.sivarajan.com/publications.html
Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
This posting is provided AS IS with no warranties,and confers no rights.- Marked as answer by VLCC Monday, August 01, 2011 4:37 AM
-
Here some additional links you can reference for Password Policy settings and troubleshooting...
How to Implement an Active Directory Password Policy
http://www.anitkb.com/2010/03/how-to-implement-active-directory.htmlHow Troubleshoot Active Directory Password Policy Settings
http://www.anitkb.com/2010/08/how-to-troubleshoot-active-directory.htmlVisit anITKB.com, an IT Knowledge Base.
Follow me on Facebook.- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, August 01, 2011 6:45 AM
-
See this forum post regarding Shadow Groups:
Andreas Hultgren
MCTS, MCITP
http://ahultgren.blogspot.com/ -
Hello,
Can I implement the different password policy on a different OU in win 2008 R2
On OUs no.
You can proceed like that:
- Add users of each OU in a separate group
- Use AD DS Fine-grained password policies to apply a password policy on each group
More here: http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Here, you should have 2008 or hiher as DFL.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, August 01, 2011 6:45 AM
-
Hello,
you can achieve this with fine grained password policy but NOT with OUs, except with users or security groups.
Your described way belong to local user accounts on the machines and NOT to domain users.
http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.- Marked as answer by Arthur_LiMicrosoft contingent staff, Moderator Monday, August 01, 2011 6:45 AM
-