Active Directory Password Policy

    Question

  • I have multiple domains (4) in my environment. I have 1 email domain of something@xyz.com. We have users that log into xyz.com as their home domain, and then we have users that log into the 3 other domains as their home domain. Everyone's email resides on domain xyz.com. We have an Exchange Server 2013 and are migrating to 2016 within 2 weeks. We want to apply a password policy to all logon domains but not to email accounts that log on to a domain other than xyz.com. Example: user A logs on to domain abc.com and their email resides on domain xyz.com. I want the password policy of abc.com to apply to that user but do not want the password policy of xyz.com to apply to that user, because they never log in to the xyz.com domain. They only use xyz.com for their email. Is this possible, and if so, how?

    Thanks,

    Kevin

    Tuesday, December 20, 2016 9:04 PM

All replies

  • Hi Kevin,

    Welcome to our forum.

    As far as I am concerned, when the user is in abc.com, it uses the abc.com domain's authentication to connect to xyz.com; if that is the case, we could use the password policy to achieve it. If we type authentication when it connects to xyz.com, it could use the password policy for the other 3 domains, but it could be applied to the domain which the user is in, xyz.com.

    If there are any questions or issues, please be free to let me know.

    Best Regards,
    Jim Xu
    TechNet Community Support


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Wednesday, December 21, 2016 9:28 AM
    Moderator
  • Hi Kevin

    Is it a single Active Directory and you are using a domain UPN suffix for users to log in as abc.com or xyz.com? Or is it a multi-tenancy (hosted) Exchange environment?

    In either case, the password policy has nothing to do with the Exchange server. You have to do it at the Active Directory and Group Policy level.


    Wednesday, December 21, 2016 10:05 AM
  • Thank you Jim for the reply. User (A) logs into the abc.com domain to authenticate; their email and Exchange server are on the xyz.com domain. Therefore I do not want the password policy of xyz.com to apply to user (A) when they authenticate to abc.com. Basically I do not want their email to be prompting them for a password change because their email is on the xyz.com domain. Hope that makes sense.

    Thanks,

    Kevin


    Wednesday, December 21, 2016 1:05 PM
  • Thank you for the reply,

    So you are saying that the password policy for the domain xyz.com wouldn't apply to any email accounts, just to users when they authenticate to xyz.com through a Windows login? Correct? If that is the case then I'm good with that.

    Thanks,

    Kevin

    Wednesday, December 21, 2016 1:07 PM
  • Hi

    Test with a single user first and you will get to know, before you apply password policy for all.

    Wednesday, December 21, 2016 2:41 PM
  • Thanks, I will try the single user test. Just wish Microsoft would be clear on whether this method would work.

    Thank you,

    Kevin

    Friday, December 23, 2016 7:09 PM
  • Hi Kevin,

    When the user is in abc.com and launches Outlook, if they didn't type authentication for xyz.com, we could not use the password policy for abc.com, because Windows and Outlook use the same authentication. Instead, when the user is in abc.com and launches Outlook, if they need to type authentication for xyz.com, then we could use the password policy for abc.com, because Windows and Outlook use separate authentication.

    If there are any questions or issues, please be free to let me know.


    Best Regards,
    Jim Xu
    TechNet Community Support


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 26, 2016 2:23 AM
    Moderator
  • Hello

    You can use fine-grained password policies to specify multiple password policies in a single domain
    and apply different restrictions for password and account lockout policies to different sets of users in
    a domain.

    For example, you can apply stricter settings to privileged accounts and less strict settings to the
    accounts of other users. In other cases, you might want to apply a special password policy for
    accounts whose passwords are synchronized with other data sources.

    Fine-grained password policies apply only to global security groups and user objects (inetOrgPerson
    objects if they are used instead of user objects). Fine-grained password policy cannot be applied to
    an organizational unit (OU) directly.

    As per your question, you can create different security groups of different domain users and apply this policy on those groups.

    https://gallery.technet.microsoft.com/How-to-Create-Gine-Grained-6b0b1aa1

    Kindly click "Mark as Answer" on the post that helps you, this can be beneficial to other community members reading this thread.

    Regards.

    H.shakir



    • Edited by H Shakir Monday, December 26, 2016 5:34 AM
    • Proposed as answer by jim-xu (Moderator) Friday, December 30, 2016 9:53 AM
    Monday, December 26, 2016 5:31 AM
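An added example (not from this thread or from H.shakir) of what that looks like in PowerShell against a xyz.com domain controller: a global security group for the users who actually log on to xyz.com, a fine-grained password policy (PSO) bound only to that group, and a check of which policy a given account resolves to. The server name, group, OU, policy name and the two sample account names are assumed placeholders.

```powershell
# Added example: scope a stricter xyz.com password policy to a global group
# rather than the whole domain, then verify per user what actually applies.
Import-Module ActiveDirectory

# Assumed placeholder names/DNs; replace with the ones in your forest.
$Server     = 'dc01.xyz.com'                 # a xyz.com domain controller
$GroupName  = 'XYZ-InteractiveLogon-Users'   # hypothetical global group
$GroupPath  = 'OU=Groups,DC=xyz,DC=com'      # hypothetical OU for the group
$PolicyName = 'PSO-XYZ-Interactive'          # hypothetical PSO name

# 1. PSOs bind to global security groups and user objects, never to OUs.
if (-not (Get-ADGroup -Server $Server -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Server $Server -Name $GroupName -GroupScope Global `
        -GroupCategory Security -Path $GroupPath
}

# 2. Create the PSO. When several PSOs match a user, the lowest Precedence wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Server $Server -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Server $Server -Name $PolicyName `
        -Precedence 10 -ComplexityEnabled $true -MinPasswordLength 14 `
        -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 24 -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# 3. Bind the PSO to the group only; every other xyz.com account keeps the
#    Default Domain Policy settings.
Add-ADFineGrainedPasswordPolicySubject -Server $Server -Identity $PolicyName -Subjects $GroupName

# 4. Verify: Get-ADUserResultantPasswordPolicy returns nothing when no PSO
#    applies, so fall back to the domain default in that case.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$Dc = $Server)
    $pso = Get-ADUserResultantPasswordPolicy -Server $Dc -Identity $SamAccountName
    if ($pso) {
        [pscustomobject]@{ User = $SamAccountName; Source = 'PSO'; Name = $pso.Name
                           MaxPasswordAge = $pso.MaxPasswordAge; MinLength = $pso.MinPasswordLength }
    } else {
        $def = Get-ADDefaultDomainPasswordPolicy -Server $Dc
        [pscustomobject]@{ User = $SamAccountName; Source = 'DomainDefault'; Name = $def.DistinguishedName
                           MaxPasswordAge = $def.MaxPasswordAge; MinLength = $def.MinPasswordLength }
    }
}

# Sample accounts (placeholders): a xyz.com logon user and a mailbox-only account.
'kevin.xyz', 'usera.mailbox' | ForEach-Object { Get-EffectivePasswordPolicy -SamAccountName $_ }
```

Run the verification step against one test account first, as the earlier reply suggests, before adding the wider group membership.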
  • Hi Kevin

    Any update? 

    Monday, December 26, 2016 7:09 AM