Options
Applying password policy
dmw
Member Posts: 81 ■■□□□□□□□□
I just want to verify something I read but wasn't positive on. Do password policies apply domain wide? In other words I can specify a password policy in an OU will that always be ignored and the either the Default domain policy used?
Thanks
Thanks
Rebooting computers since 1999
Comments
-
Options
blargoe
Member Posts: 4,174 ■■■■■■■■■□
Password policy are applied at the domain level. Anything you specify at the OU level would be ignored.IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands... -
Optionseurotrash
Member Posts: 817
Password policies must be applied at domain level in order to affect domain accounts.
Password policies applied at OU/site level affect only local accounts.witty comment -
Options
sprkymrk
Member Posts: 4,884 ■■■□□□□□□□
In order to affect ALL domain accounts, that is true._omni_ wrote:Password policies must be applied at domain level in order to affect domain accounts. .
Passwords policies applied at the OU/Site level affect all user accounts that reside in that OU/Site. If that's what you meant by "local" accounts please excuse me. To me, local accounts are specific to a computer and not normally used in a domain environment._omni_ wrote:Password policies applied at OU/site level affect only local accounts.
There are variables. However, remember the order in which Group Policy is applied - Local, Site, Domain, OU. Therefore if you specify different password policies at the OU level they will over ride policies at the Domain level. The variables include things like "deny" permissions on applying group policy, a domain admin checking the "no override" setting on a GPO, and "Block Policy Inheritence".blargoe wrote:Password policy are applied at the domain level. Anything you specify at the OU level would be ignored.All things are possible, only believe. -
Options
royal
Member Posts: 3,352 ■■■■□□□□□□
sprkymrk, you are mistaken. The password policy is the 1 policy that does not inherit these characteristics due to the reason I speak of in the next sentence. There can ONLY be 1 password policy on a domain. This policy MUST be applied in the root container of the domain (same location the Default Domain Policy) is applied.“For success, attitude is equally as important as ability.” - Harry F. Banks -
OptionsDanman32
Member Posts: 1,243
That's a potential test question, where a group of engineers want their own password policy. The answer is to make a child domain for them and apply their alternate password policy to their domain.
Somewhere in one of my study books, they incorrectly diverted to stating password policies could be overridden. I forget the wording and the source. It may have been they were referring to local accounts on individual machines however. -
Optionssprkymrk
Member Posts: 4,884 ■■■□□□□□□□
I stand corrected... That really is news to me!icroyal wrote:sprkymrk, you are mistaken. The password policy is the 1 policy that does not inherit these characteristics due to the reason I speak of in the next sentence. There can ONLY be 1 password policy on a domain. This policy MUST be applied in the root container of the domain (same location the Default Domain Policy) is applied.
Thanks.All things are possible, only believe. -
Optionssprkymrk
Member Posts: 4,884 ■■■□□□□□□□
Good to know, thanks danman.Danman32 wrote:That's a potential test question, where a group of engineers want their own password policy. The answer is to make a child domain for them and apply their alternate password policy to their domain.
All things are possible, only believe. -
Options
SWM
Member Posts: 287
I had a MS question on this in my actual exam. One to look out for!
Isn't Bill such a Great Guy!!!! -
Optionssprkymrk
Member Posts: 4,884 ■■■□□□□□□□
That's why I like this site so much - lot's of smart folks out there. I honestly don't remember ever seeing this information before, so I checked out microsoft.com via google and here is an excerpt from the first hit:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspxStoring Password Policy Information
Before implementing password policies, you need to understand how password policy configuration information is stored. This is because the mechanisms for storing password policy limit the number of different password policies you can implement and affect how you apply your password policy settings.
There can be only a single password policy for each account database. An Active Directory domain is considered a single account database, as is the local account database on stand-alone computers. Computers that are members of a domain also have a local account database, but most organizations that have deployed Active Directory domains require their users to log on to their computers and the network by using domain-based accounts. Consequently, if you specify a minimum password length of 14 characters for a domain, all users in the domain must use passwords of 14 or more characters when they create new passwords. To establish different requirements for a specific set of users, you must create a new domain for their accounts.
Active Directory domains use GPOs to store a wide variety of configuration information, including password policy settings. Although Active Directory is a hierarchical directory service that supports multiple levels of organizational units (OUs) and multiple GPOs, password policy settings for the domain must be defined in the root container for the domain. When the first domain controller is created for a new Active Directory domain, two GPOs are automatically created: the Default Domain Policy GPO and the Default Domain Controller Policy GPO. Default Domain Policy is linked to the root container. It contains a few critical domain-wide settings including the default password policy settings. Default Domain Controller Policy is linked to the Domain Controllers OU and contains initial security settings for domain controllers.
It is a best practice to avoid modifying these built-in GPOs. If you need to apply password policy settings that diverge from the default settings, you should create a new GPO instead and link it to the root container for the domain, or to the Domain Controllers OU and assign it a higher priority than the built-in GPO. If two GPOs that have conflicting settings are linked to the same container, the one with higher priority takes precedence.
Wow! Again, thanks for the correction to my incorrect correction everyone.
Watch it _omni_, one of these days I am going to be right about something, and when that day comes I am going to grab my walking stick, put in my false teeth, turn up my hearing aid and tell our grandkids that I finally got one over on old _omni_!_omni_ wrote:@sprkymrk: What?? Give me proof that password policies apply to domain accounts at OU/site level.
All things are possible, only believe. -
OptionsDanman32
Member Posts: 1,243
Well, both of you are correct for being skeptical. It is OK to be skeptical, that leads to research of the truth. Being cynical however, is being closed minded about searching for the truth and possibly finding out you were wrong.
I commend you both for the challenges, and I especially commend you Sprkymrk for doing your research at the most authorative source.
Give me proof that password policies apply to domain accounts at OU/site level. 