Applying password policy

dmwdmw Member Posts: 81 ■■□□□□□□□□
I just want to verify something I read but wasn't positive on. Do password policies apply domain wide? In other words I can specify a password policy in an OU will that always be ignored and the either the Default domain policy used?

Thanks
Rebooting computers since 1999

Comments

  • blargoeblargoe Member Posts: 4,174 ■■■■■■■■■□
    Password policy are applied at the domain level. Anything you specify at the OU level would be ignored.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • eurotrasheurotrash Member Posts: 817
    Password policies must be applied at domain level in order to affect domain accounts.
    Password policies applied at OU/site level affect only local accounts.
    witty comment
  • dmwdmw Member Posts: 81 ■■□□□□□□□□
    Thanks
    Rebooting computers since 1999
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    _omni_ wrote:
    Password policies must be applied at domain level in order to affect domain accounts. .
    In order to affect ALL domain accounts, that is true.
    _omni_ wrote:
    Password policies applied at OU/site level affect only local accounts.
    Passwords policies applied at the OU/Site level affect all user accounts that reside in that OU/Site. If that's what you meant by "local" accounts please excuse me. To me, local accounts are specific to a computer and not normally used in a domain environment.
    blargoe wrote:
    Password policy are applied at the domain level. Anything you specify at the OU level would be ignored.
    There are variables. However, remember the order in which Group Policy is applied - Local, Site, Domain, OU. Therefore if you specify different password policies at the OU level they will over ride policies at the Domain level. The variables include things like "deny" permissions on applying group policy, a domain admin checking the "no override" setting on a GPO, and "Block Policy Inheritence".
    All things are possible, only believe.
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    sprkymrk, you are mistaken. The password policy is the 1 policy that does not inherit these characteristics due to the reason I speak of in the next sentence. There can ONLY be 1 password policy on a domain. This policy MUST be applied in the root container of the domain (same location the Default Domain Policy) is applied.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • eurotrasheurotrash Member Posts: 817
    @sprkymrk: What?? icon_eek.gif Give me proof that password policies apply to domain accounts at OU/site level. icon_bounce.gif
    witty comment
  • Danman32Danman32 Member Posts: 1,243
    That's a potential test question, where a group of engineers want their own password policy. The answer is to make a child domain for them and apply their alternate password policy to their domain.

    Somewhere in one of my study books, they incorrectly diverted to stating password policies could be overridden. I forget the wording and the source. It may have been they were referring to local accounts on individual machines however.
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    icroyal wrote:
    sprkymrk, you are mistaken. The password policy is the 1 policy that does not inherit these characteristics due to the reason I speak of in the next sentence. There can ONLY be 1 password policy on a domain. This policy MUST be applied in the root container of the domain (same location the Default Domain Policy) is applied.
    I stand corrected... That really is news to me! icon_idea.gificon_idea.gif
    Thanks.
    All things are possible, only believe.
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Danman32 wrote:
    That's a potential test question, where a group of engineers want their own password policy. The answer is to make a child domain for them and apply their alternate password policy to their domain.
    Good to know, thanks danman. icon_cool.gif
    All things are possible, only believe.
  • SWMSWM Member Posts: 287
    I had a MS question on this in my actual exam. One to look out for! icon_rolleyes.gif
    Isn't Bill such a Great Guy!!!!
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    That's why I like this site so much - lot's of smart folks out there. I honestly don't remember ever seeing this information before, so I checked out microsoft.com via google and here is an excerpt from the first hit:

    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx
    Storing Password Policy Information
    Before implementing password policies, you need to understand how password policy configuration information is stored. This is because the mechanisms for storing password policy limit the number of different password policies you can implement and affect how you apply your password policy settings.

    There can be only a single password policy for each account database. An Active Directory domain is considered a single account database, as is the local account database on stand-alone computers. Computers that are members of a domain also have a local account database, but most organizations that have deployed Active Directory domains require their users to log on to their computers and the network by using domain-based accounts. Consequently, if you specify a minimum password length of 14 characters for a domain, all users in the domain must use passwords of 14 or more characters when they create new passwords. To establish different requirements for a specific set of users, you must create a new domain for their accounts.

    Active Directory domains use GPOs to store a wide variety of configuration information, including password policy settings. Although Active Directory is a hierarchical directory service that supports multiple levels of organizational units (OUs) and multiple GPOs, password policy settings for the domain must be defined in the root container for the domain. When the first domain controller is created for a new Active Directory domain, two GPOs are automatically created: the Default Domain Policy GPO and the Default Domain Controller Policy GPO. Default Domain Policy is linked to the root container. It contains a few critical domain-wide settings including the default password policy settings. Default Domain Controller Policy is linked to the Domain Controllers OU and contains initial security settings for domain controllers.

    It is a best practice to avoid modifying these built-in GPOs. If you need to apply password policy settings that diverge from the default settings, you should create a new GPO instead and link it to the root container for the domain, or to the Domain Controllers OU and assign it a higher priority than the built-in GPO. If two GPOs that have conflicting settings are linked to the same container, the one with higher priority takes precedence.

    Wow! Again, thanks for the correction to my incorrect correction everyone.
    _omni_ wrote:
    @sprkymrk: What?? Give me proof that password policies apply to domain accounts at OU/site level.
    Watch it _omni_, one of these days I am going to be right about something, and when that day comes I am going to grab my walking stick, put in my false teeth, turn up my hearing aid and tell our grandkids that I finally got one over on old _omni_! icon_lol.gif
    All things are possible, only believe.
  • eurotrasheurotrash Member Posts: 817
    LOL!! icon_lol.gificon_lol.gif
    witty comment
  • Danman32Danman32 Member Posts: 1,243
    Well, both of you are correct for being skeptical. It is OK to be skeptical, that leads to research of the truth. Being cynical however, is being closed minded about searching for the truth and possibly finding out you were wrong.

    I commend you both for the challenges, and I especially commend you Sprkymrk for doing your research at the most authorative source.

    icon_cheers.gif
Sign In or Register to comment.