Applying password policy

dmw

I just want to verify something I read but wasn't positive on. Do password policies apply domain wide? In other words I can specify a password policy in an OU will that always be ignored and the either the Default domain policy used?

Thanks

blargoe

Password policy are applied at the domain level. Anything you specify at the OU level would be ignored.

eurotrash

Password policies must be applied at domain level in order to affect domain accounts.
Password policies applied at OU/site level affect only local accounts.

dmw

Thanks

sprkymrk

_omni_ wrote:

Password policies must be applied at domain level in order to affect domain accounts. .

In order to affect ALL domain accounts, that is true.

_omni_ wrote:

Password policies applied at OU/site level affect only local accounts.

Passwords policies applied at the OU/Site level affect all user accounts that reside in that OU/Site. If that's what you meant by "local" accounts please excuse me. To me, local accounts are specific to a computer and not normally used in a domain environment.

blargoe wrote:

Password policy are applied at the domain level. Anything you specify at the OU level would be ignored.

There are variables. However, remember the order in which Group Policy is applied - Local, Site, Domain, OU. Therefore if you specify different password policies at the OU level they will over ride policies at the Domain level. The variables include things like "deny" permissions on applying group policy, a domain admin checking the "no override" setting on a GPO, and "Block Policy Inheritence".

royal

sprkymrk, you are mistaken. The password policy is the 1 policy that does not inherit these characteristics due to the reason I speak of in the next sentence. There can ONLY be 1 password policy on a domain. This policy MUST be applied in the root container of the domain (same location the Default Domain Policy) is applied.

eurotrash

@sprkymrk: What?? Give me proof that password policies apply to domain accounts at OU/site level.

Danman32

That's a potential test question, where a group of engineers want their own password policy. The answer is to make a child domain for them and apply their alternate password policy to their domain.

Somewhere in one of my study books, they incorrectly diverted to stating password policies could be overridden. I forget the wording and the source. It may have been they were referring to local accounts on individual machines however.

sprkymrk

icroyal wrote:

sprkymrk, you are mistaken. The password policy is the 1 policy that does not inherit these characteristics due to the reason I speak of in the next sentence. There can ONLY be 1 password policy on a domain. This policy MUST be applied in the root container of the domain (same location the Default Domain Policy) is applied.

I stand corrected... That really is news to me!
Thanks.

sprkymrk

Danman32 wrote:

That's a potential test question, where a group of engineers want their own password policy. The answer is to make a child domain for them and apply their alternate password policy to their domain.

Good to know, thanks danman.

SWM

I had a MS question on this in my actual exam. One to look out for!

sprkymrk

That's why I like this site so much - lot's of smart folks out there. I honestly don't remember ever seeing this information before, so I checked out microsoft.com via google and here is an excerpt from the first hit:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx

Storing Password Policy Information
Before implementing password policies, you need to understand how password policy configuration information is stored. This is because the mechanisms for storing password policy limit the number of different password policies you can implement and affect how you apply your password policy settings.

There can be only a single password policy for each account database. An Active Directory domain is considered a single account database, as is the local account database on stand-alone computers. Computers that are members of a domain also have a local account database, but most organizations that have deployed Active Directory domains require their users to log on to their computers and the network by using domain-based accounts. Consequently, if you specify a minimum password length of 14 characters for a domain, all users in the domain must use passwords of 14 or more characters when they create new passwords. To establish different requirements for a specific set of users, you must create a new domain for their accounts.

Active Directory domains use GPOs to store a wide variety of configuration information, including password policy settings. Although Active Directory is a hierarchical directory service that supports multiple levels of organizational units (OUs) and multiple GPOs, password policy settings for the domain must be defined in the root container for the domain. When the first domain controller is created for a new Active Directory domain, two GPOs are automatically created: the Default Domain Policy GPO and the Default Domain Controller Policy GPO. Default Domain Policy is linked to the root container. It contains a few critical domain-wide settings including the default password policy settings. Default Domain Controller Policy is linked to the Domain Controllers OU and contains initial security settings for domain controllers.

It is a best practice to avoid modifying these built-in GPOs. If you need to apply password policy settings that diverge from the default settings, you should create a new GPO instead and link it to the root container for the domain, or to the Domain Controllers OU and assign it a higher priority than the built-in GPO. If two GPOs that have conflicting settings are linked to the same container, the one with higher priority takes precedence.

Wow! Again, thanks for the correction to my incorrect correction everyone.

_omni_ wrote:

@sprkymrk: What?? Give me proof that password policies apply to domain accounts at OU/site level.

Watch it _omni_, one of these days I am going to be right about something, and when that day comes I am going to grab my walking stick, put in my false teeth, turn up my hearing aid and tell our grandkids that I finally got one over on old _omni_!

eurotrash

LOL!!

Danman32

Well, both of you are correct for being skeptical. It is OK to be skeptical, that leads to research of the truth. Being cynical however, is being closed minded about searching for the truth and possibly finding out you were wrong.

I commend you both for the challenges, and I especially commend you Sprkymrk for doing your research at the most authorative source.