Default Domain Policy and Password Changes

[ZipperHeadMan]

Hi all,

What would be the implications of deleting the password/lockout policies from the default domain policy in GPO and implementing "new" policies further down the tree to specific OU's within the domain?

Would this work?

If not....how can I apply password policies to a specific OU and not others and not have it affect the entire domain?

Any insight would be greatly appreciated!
Thanks TREE

 

[porkchopexpress]

You can't the only policy that effects domian user accounts is the default domain policy. Password policy can be set at lower levels but will be unaffective.

 

[ZipperHeadMan]

Well that kinda sucks!

 

[porkchopexpress]

Yep it sucks the big one.

That functionality should be introduced in Longhorn server.

 

[monsterjta]

Many sources state that this cannot happen, however, I disagree. Set the password policies in the Default Domain Policy to undefined. Create your new password policy and apply it to an OU, make sure it's at the top of the list in that container and enforce it. This will take precedence.

Have Fun With It! Nothing like having a test environment to test all your crazy ideas...

 

[porkchopexpress]

I've tried that in the past and it only seems to affect local accounts, domain accounts were still unaffected.

 

[porkchopexpress]

ZipperHeadMan if you get that working post back, alot of people have posted here about that in the past and not found an answer.