How to apply fine grained password policy to an OU

Question
I have an OU called TestOU-1. Now I want to apply fine-grained password policies to all the users in TestOU-1. I know fine grained policies can be applied to global security groups and users only. But I heard of shadow groups through which fine-grained policies can be applied to an OU.
How do I create a shadow group for TestOU-1? I know how to create a fine-grained policy. After creating it, what should the value of msDS_PasswordAppliesto be? Is it the DN of TestOU-1 or of the shadow group that I created? Also, do I have to create a global security group before creating a shadow group for the OU?
Thanks and Regards, Radhakrishnan
Monday, June 18, 2012 10:42 AM
Answers
In a global security group we can have members from any OU who need to be covered under the FGPP, whereas a shadow group is a group used to have all the users from a particular department, like the finance or sales people, in one group, and it is automated to add or delete the group membership automatically using scripts (PowerShell or VBScript) or a scheduled task.
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Marked as answer by radhakrishnan88 Monday, June 18, 2012 12:07 PM
Monday, June 18, 2012 11:42 AM
All replies
Hello,
FGPPs are NOT applied to OUs, only to users or security groups. In your case, create a security group that contains all accounts that should get the policy and use that security group for the policy. That's it.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
- Proposed as answer by Grégory LUCAND Monday, June 18, 2012 10:48 AM
Monday, June 18, 2012 10:47 AM
But what about shadow groups? I heard that by creating a shadow group for the OU using the `dsquery user "DN of the OU" | dsmod group "DN of the global group" -chmbr` command, the FGPP can be applied to an OU.
Thanks and Regards, Radhakrishnan
Monday, June 18, 2012 10:51 AM
You can create an OU or use an existing OU, create a global group, add the required users to this group, and link a Password Settings Object (PSO) to the global group.
http://windowsarchitecture.wordpress.com/2010/11/22/windows-2008-fine-grained-password-policies/
For more on FGPP, refer to the link below:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/4ba40c5c-6eb8-4f3f-af22-7a28e9f9280c
Hope this helps.
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Monday, June 18, 2012 10:59 AM
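As an added example (my own code, not part of Sandesh's reply or any other post in this thread), the following PowerShell carries out the steps that reply describes end to end: create a global security group, populate it from the OU, create a PSO and link it to the group, then verify the link and the policy each user actually ends up with. The domain DN, OU name, group name, PSO name and the policy values are constructed for the example. One fact worth stating plainly, since the question asks about it: the PSO attribute that holds the targets is msDS-PSOAppliesTo (exposed by the cmdlets as AppliesTo), and it receives the DN of the group or user, never the DN of the OU.

```powershell
# Added example: global security group + PSO linked to it (not code from the thread).
# Assumed names (constructed for this example): domain DC=contoso,DC=com,
# OU TestOU-1, group FGPP-TestOU-1, PSO PSO-TestOU-1.
# Requires the RSAT ActiveDirectory module and a domain functional level of
# Windows Server 2008 or higher (FGPP does not exist below that level).
Import-Module ActiveDirectory

$ouDn      = 'OU=TestOU-1,DC=contoso,DC=com'   # assumed OU DN
$groupName = 'FGPP-TestOU-1'                    # assumed group name
$psoName   = 'PSO-TestOU-1'                     # assumed PSO name

# 1. A GLOBAL SECURITY group: the only group type a PSO can be applied to.
#    It "shadows" the OU, because a PSO cannot be applied to the OU itself.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $ouDn -Description "Shadow group for $ouDn (FGPP target)"
}
$group = Get-ADGroup -Identity $groupName

# 2. Initial population: users directly in the OU (OneLevel excludes child OUs).
$ouUsers = @(Get-ADUser -Filter * -SearchBase $ouDn -SearchScope OneLevel)
if ($ouUsers.Count -gt 0) {
    Add-ADGroupMember -Identity $group -Members $ouUsers
}

# 3. The PSO. Precedence matters when a user receives several PSOs: the lowest
#    number wins, and a PSO linked directly to the user beats any linked via a group.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
}

# 4. Link the PSO to the GROUP. This writes the group's DN into the PSO's
#    msDS-PSOAppliesTo attribute (AppliesTo in the cmdlet output); an OU DN is
#    not a valid value there. The check keeps the script safe to re-run.
$pso = Get-ADFineGrainedPasswordPolicy -Identity $psoName
if ($pso.AppliesTo -notcontains $group.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# 5. Verify the link and the resultant policy per user. A resultant policy of
#    $null means no PSO applies and the Default Domain Policy is in effect.
$pso = Get-ADFineGrainedPasswordPolicy -Identity $psoName
"Applies to: $($pso.AppliesTo -join '; ')"
foreach ($u in $ouUsers) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $u
    $name = if ($effective) { $effective.Name } else { 'Default Domain Policy (no PSO)' }
    '{0,-20} -> {1}' -f $u.SamAccountName, $name
}
```

Run it from a machine with the RSAT ActiveDirectory module as an account allowed to create objects under CN=Password Settings Container,CN=System (Domain Admins by default). Step 5 is the check worth keeping around: a user who reports a different policy than expected is either in a second group with a lower-precedence PSO or has a PSO linked directly, and Get-ADUserResultantPasswordPolicy shows which one wins.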
Shadow groups are not OUs, but a way to automate the group membership for the FGPP to be applied. Using a shadow group requires scripting or a scheduled task to be configured to update the group members.
http://policelli.com/blog/archive/2008/01/15/manage-shadow-groups-in-windows-server-2008/
http://awinish.wordpress.com/2010/11/09/ad-implementing-fine-grained-policy-in-w2k8/
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
Monday, June 18, 2012 11:18 AM
Additionally, refer to the links below to understand what shadow groups are.
http://www.windowsitpro.com/article/security/password-policy-active-directory-142692
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
Regards,
_Prashant_
MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Edited by Prashant Girennavar Monday, June 18, 2012 11:24 AM
Monday, June 18, 2012 11:23 AM
What is the difference between creating a global security group, adding all the users of an OU to that group and applying the FGPP to the group, and creating a shadow group and applying the FGPP to the shadow group?
I don't understand why we need shadow groups at all.
Thanks and Regards, Radhakrishnan
Monday, June 18, 2012 11:38 AM
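Awinish's two replies (the marked answer and the one before Prashant's) both say that what makes a group a "shadow group" is the automation that keeps its membership equal to the OU's users, via a script and a scheduled task, but neither shows one. The following is an added example (my own code, not from the thread or from any of the linked blogs): an idempotent sync that adds users who moved into the OU and removes users who left it, followed by the scheduled task that runs it unattended. The OU DN, group name, script path and the gMSA name are assumptions constructed for the example.

```powershell
# Added example: keep a shadow group's membership equal to an OU's users, then run it
# on a schedule. Not code from the thread. Assumed names (constructed):
# OU=TestOU-1,DC=contoso,DC=com, group FGPP-TestOU-1, script C:\Scripts\Sync-ShadowGroup.ps1,
# group managed service account CONTOSO\gmsa-shadowsync$ with write-member rights on the group.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)] [string] $OuDn,
        [Parameter(Mandatory)] [string] $GroupName,
        [switch] $Recurse      # also include users in child OUs
    )
    $scope = if ($Recurse) { 'Subtree' } else { 'OneLevel' }

    # Desired membership: user objects currently located in the OU, keyed by DN.
    $desired = @{}
    Get-ADUser -Filter * -SearchBase $OuDn -SearchScope $scope |
        ForEach-Object { $desired[$_.DistinguishedName] = $_ }

    # Current membership, restricted to user objects so that nested groups or
    # computer objects someone added by hand are left alone rather than removed.
    $current = @{}
    Get-ADGroupMember -Identity $GroupName |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $current[$_.distinguishedName] = $_ }

    $toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

    if ($toAdd.Count -gt 0)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
    if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

    # Return the change set so the caller (or the task's transcript) has an audit record:
    # a removal means that user just fell back to the default domain policy or another PSO.
    [pscustomobject]@{ Added = $toAdd; Removed = $toRemove; Members = $desired.Count }
}

# Interactive run (this line plus the function above is what the scheduled task executes).
Sync-ShadowGroup -OuDn 'OU=TestOU-1,DC=contoso,DC=com' -GroupName 'FGPP-TestOU-1'

# Scheduled task: hourly, running as a gMSA so no password is stored with the task.
# Assumes the script above is saved as C:\Scripts\Sync-ShadowGroup.ps1.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Sync-ShadowGroup.ps1'
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Hours 1) -RepetitionDuration (New-TimeSpan -Days 3650)
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\gmsa-shadowsync$' `
    -LogonType Password -RunLevel Highest
Register-ScheduledTask -TaskName 'Sync-ShadowGroup-TestOU-1' `
    -Action $action -Trigger $trigger -Principal $principal
```

Two operational caveats: a user moved out of the OU keeps the PSO until the next sync runs, so the interval is the window during which the old policy still applies; and Get-ADGroupMember refuses groups above the server-side result limit (5000 members by default), so for very large OUs read the group's `member` attribute with Get-ADGroup -Properties member instead. Logging the returned Added and Removed lists from each run gives a simple record of who gained or lost the policy and when.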
Hello,
A shadow group is NOT an existing group type in AD UC; it is a name for having a security group used for the FGPP. So do not care about the "shadow"; there must be some name to reflect that the security group "shadows" the accounts in the OU where it should work.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Monday, June 18, 2012 11:43 AM
Here's an example of an OU shadow script:
http://www.open-a-socket.com/index.php/2013/09/03/ou-shadow-script/
Tony www.open-a-socket.com
Thursday, October 4, 2018 9:21 PM
You can achieve this with ActivePasswords by WizardSoft. Very affordable, and it gives you ultimate control over password settings for different groups and OUs.
Friday, August 7, 2020 10:07 AM