
What is the best approach domain group policy


psasu

MIS
Dec 23, 2003
56
US
I need to implement a password policy for the entire domain and also disable the Control Panel using the default domain group policy.
However, some users should not be affected by the Control Panel policy. What is the best approach to achieve this objective? Do I have to create another group policy object for the Control Panel policy in addition to the default domain policy, and deny Apply Group Policy for a group which contains the users who should not be affected by the Control Panel policy?
 
You are on the right track. You should create a separate policy other than the default policy.

You must apply this policy at the domain level, and yes I understand you want a select group(s) that this doesn't apply to but WILL apply to everyone else.

Create a new domain policy that contains your password policy. I recommend 2 months and at least 7 characters. Don't go overboard or your users will be writing down passwords on Post-its because they are too complex or change too often.

Change the view in Active Directory to advanced view so you can view all the objects. Go back to your policy and get its properties. You should now see the Security tab (only visible in advanced view). This Security tab shows the Access Control List (it works much like the ACLs on files/folders). The Everyone group should have Read and Apply Policy. Good. Add the group(s) you wish this policy NOT to apply to onto the list. Highlight those group(s) and set the DENY button for applying this policy.

The deny will override the apply (just like ACLs for files and folders) so this policy will apply to everyone EXCEPT for those group(s) you have denied it to.

That's about it.
 
"The deny will override the apply (just like ACLs for files and folders) so this policy will apply to everyone EXCEPT for those group(s) you have denied it to."

No it won't. You can't selectively apply a password policy. It will apply to all users in the domain. The user accounts are stored on the domain controllers, so denying specific user accounts access to that policy will have no effect on the password policy settings.

Denying users the apply group policy permission will only prevent them from getting any other settings that might be in that policy.
 
Seaspray0
Do I have to delete the default domain group policy and create the 2 different policies?
Another point which confuses me is that the domain group policy can be accessed two ways. Which one is appropriate?
Administrative Tools, Active Directory Users and Computers, right-click the domain, select Properties and then the Policy tab. Or select the domain group policy from the Administrative Tools.
 
You should leave the default domain policy where it is. Create a new GPO that contains your password policy, and link it to the domain. Make sure it is at the top of the list.

Again, I need to repeat that there can only be one password policy in the domain. There isn't a way to apply the password settings to some users and not others in the same domain.
 
mlichstein
I understand the concept of the password policy, which should apply to the entire domain, but what about disabling the Control Panel? Can't I exclude some users from being affected by that policy?
 
Yes, you can do that but it would be better to put that setting in a different policy. It would also be easier to apply it just to a specific OU, rather than apply it to the entire domain and then filter it. But either way will work.
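The layout the thread settles on (one domain-wide password policy, plus a separate GPO for the Control Panel restriction linked to an OU) can be scripted as follows. This is an added example, not part of the original thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules, and the GPO name, OU and domain are hypothetical placeholders.

```powershell
# Added example; every name below is a hypothetical placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'Restrict Control Panel'                  # hypothetical GPO name
$targetOu = 'OU=Restricted Users,DC=example,DC=com'   # hypothetical OU holding the affected users

# 1. Password settings are a single domain-wide policy. Reading them from the
#    domain shows the values every account gets, regardless of GPO filtering.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, ComplexityEnabled

# 2. Keep the Control Panel restriction in its own GPO, separate from the
#    password policy, so that scoping it cannot touch anything else.
New-GPO -Name $gpoName -Comment 'User setting only: prohibit Control Panel' | Out-Null

# Registry-based user policy behind "Prohibit access to Control Panel".
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the OU instead of linking at the domain and filtering.
#    Users outside this OU never process the GPO, so no Deny ACE is needed.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null

# 4. Review the result: who can read/apply the GPO, and what is linked to the OU.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

(Get-GPInheritance -Target $targetOu).GpoLinks |
    Select-Object DisplayName, Enabled, Order
```

Run it from an account that is allowed to create and link GPOs; step 1 only reads the existing password policy and changes nothing.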
 