
How to override default domain password policy

Status
Not open for further replies.

tuliphead

IS-IT--Management
Aug 27, 2004
143
NO
I am trying to set up a default domain password policy. I have disabled the default domain policy at the domain root, and made a new one which I called Default Domain Password Policy. I then configured it with the options of my choice, chose the "no override" option and then went on to the security tab.

Authenticated Users has the apply group policy right.
Domain Administrators, Enterprise Administrators, administrator@mydomain.com + a couple of service-accounts I want to keep on the outside of the policy have been set with the deny apply group policy right.

I tried to change the domain\administrator password, but got a message that my password did not comply with the complexity rules. I did this on purpose of course, because I wanted to test if the administrator accounts really were kept outside the policy.

Have I done anything wrong? Missed something? I guess so ... but I thought the deny apply group policy right would do the trick for the users/groups that I didn't want to apply this group policy for.

Any tips would be appreciated.
 
Domain-wide password settings are global to the whole domain...
You can't have different setups or exclude some from them.
(AFAIK)

Aftertaf

I just want something I can never have...
 
Why do I have the option to deny the apply group policy right then? If it is not an option in the first place?

Do I really need to run this on OU-level to get the result I want? I thought this was the whole idea with the security tab in the first place?

 
You are totally right on all those aspects....
except the password and security policy applied on a domain level.

If you apply one on a domain level, it will apply to all domain accounts. If you apply one to an OU, it will have no effect (except on PCs in the OU, concerning their local accounts...)

You have found the ONE exception to the rules and procedures you mention and question.

Aftertaf

I just want something I can never have...
 
So if I want to enforce this to all client computers in my domain, then I need to create an OU and place all client computers inside of it and then apply the policy to that OU?

The password complexity rules of a domain-wide password policy aren't that bad to live with. In fact it would be an advantage. But I need to ensure that the few accounts mentioned won't have passwords that have a date-stamp on them ... where they need to be changed after a certain period of time.

If I set the "Password never expires" option on AD-user-level, then the domain administrator password should never need to be changed, right?
 
Yes for the timestamp thing, but no for the client computers OU...

A domain user password policy is applied to the domain in a GPO on a domain level.

If applied to an OU, it will not affect domain user accounts, but only local SAM accounts on the machines affected.

Per domain, you can only have one, domain-wide, password policy.

This is a valid cause of people having separate domains sometimes.....

Maybe you should set up a root domain and use the root admin account to administer the child domain....

Aftertaf

I just want something I can never have...
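
Added example, not part of the thread: a short Python audit showing how the per-account "Password never expires" flag interacts with the single domain-wide maximum password age discussed above. The account names, the 42-day maximum age and the timestamps are constructed sample data standing in for an export of `userAccountControl`, `pwdLastSet` and the domain's `maxPwdAge`.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (documented Active Directory values)
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000   # the "Password never expires" checkbox

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 86400 * 10_000_000          # FILETIME ticks are 100 ns

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def password_expiry(user, max_pwd_age):
    """Return 'never', 'must-change', or the expiry datetime of one account.

    max_pwd_age is the domain object's maxPwdAge: a negative tick count;
    0 or the minimum int64 value means the domain sets no maximum age.
    """
    if user["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        return "never"           # exempt from maximum age only
    if max_pwd_age == 0 or max_pwd_age == -(2 ** 63):
        return "never"
    if user["pwdLastSet"] == 0:
        return "must-change"     # must change password at next logon
    return filetime_to_dt(user["pwdLastSet"] - max_pwd_age)

def audit(users, max_pwd_age):
    """Names of enabled accounts whose passwords never expire, for review."""
    return sorted(
        u["sAMAccountName"] for u in users
        if not u["userAccountControl"] & ACCOUNTDISABLE
        and password_expiry(u, max_pwd_age) == "never"
    )

# Constructed sample data (assumed values, not taken from the thread)
MAX_PWD_AGE = -42 * TICKS_PER_DAY            # one policy for the whole domain
PWD_SET = 127357920000000000                 # 2004-08-01 00:00 UTC
USERS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200, "pwdLastSet": PWD_SET},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200, "pwdLastSet": PWD_SET},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x10202, "pwdLastSet": PWD_SET},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x0200, "pwdLastSet": PWD_SET},
    {"sAMAccountName": "newhire", "userAccountControl": 0x0200, "pwdLastSet": 0},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["sAMAccountName"], password_expiry(u, MAX_PWD_AGE))
    print("review:", audit(USERS, MAX_PWD_AGE))
```

The flagged accounts are still subject to the domain's complexity rules whenever their password is changed; the audit list is the set of long-lived credentials worth reviewing regularly.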
 