_omni_ wrote: Password policies must be applied at domain level in order to affect domain accounts.
_omni_ wrote: Password policies applied at OU/site level affect only local accounts.
blargoe wrote: Password policies are applied at the domain level. Anything you specify at the OU level would be ignored.
icroyal wrote: sprkymrk, you are mistaken. The password policy is the 1 policy that does not inherit these characteristics, due to the reason I speak of in the next sentence. There can ONLY be 1 password policy on a domain. This policy MUST be applied in the root container of the domain (the same location the Default Domain Policy is applied).
Danman32 wrote: That's a potential test question, where a group of engineers want their own password policy. The answer is to make a child domain for them and apply their alternate password policy to their domain.
Storing Password Policy Information

Before implementing password policies, you need to understand how password policy configuration information is stored. This is because the mechanisms for storing password policy limit the number of different password policies you can implement and affect how you apply your password policy settings.

There can be only a single password policy for each account database. An Active Directory domain is considered a single account database, as is the local account database on stand-alone computers. Computers that are members of a domain also have a local account database, but most organizations that have deployed Active Directory domains require their users to log on to their computers and the network by using domain-based accounts. Consequently, if you specify a minimum password length of 14 characters for a domain, all users in the domain must use passwords of 14 or more characters when they create new passwords. To establish different requirements for a specific set of users, you must create a new domain for their accounts.

Active Directory domains use GPOs to store a wide variety of configuration information, including password policy settings. Although Active Directory is a hierarchical directory service that supports multiple levels of organizational units (OUs) and multiple GPOs, password policy settings for the domain must be defined in the root container for the domain.

When the first domain controller is created for a new Active Directory domain, two GPOs are automatically created: the Default Domain Policy GPO and the Default Domain Controller Policy GPO. Default Domain Policy is linked to the root container. It contains a few critical domain-wide settings, including the default password policy settings. Default Domain Controller Policy is linked to the Domain Controllers OU and contains initial security settings for domain controllers. It is a best practice to avoid modifying these built-in GPOs.
If you need to apply password policy settings that diverge from the default settings, you should create a new GPO instead and link it to the root container for the domain, or to the Domain Controllers OU and assign it a higher priority than the built-in GPO. If two GPOs that have conflicting settings are linked to the same container, the one with higher priority takes precedence.
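The excerpt above says where the domain password policy must live (a GPO linked at the domain root, with the winning link order) and that password settings linked anywhere else do not reach domain accounts. The following audit script, added here as an example and not part of the thread or of Microsoft's documentation, checks both claims in a real domain: it reads the effective policy off the domain head object, lists the root-linked GPOs in precedence order, and flags every GPO that carries password-policy settings but is not linked at the root (those settings only ever reach the local account databases of computers in the link's scope). It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the session runs under a domain account that can read GPOs; every cmdlet used is a standard one from those two modules, and the Security Settings XML namespace is the one Get-GPOReport emits.

```powershell
# Added audit script (example, not from the thread or from Microsoft's docs).
# Assumes: RSAT ActiveDirectory + GroupPolicy modules, domain-joined session.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$rootDn = $domain.DistinguishedName

# 1. The effective domain password policy, stored on the domain head object.
#    This is the single policy every domain account is evaluated against.
"Effective password policy for $($domain.DNSRoot):"
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                  ComplexityEnabled, ReversibleEncryptionEnabled, LockoutThreshold |
    Format-List

# 2. GPOs linked at the domain root. Order 1 has the highest precedence, so when
#    two root-linked GPOs both set a password value, Order 1 wins.
$rootLinks = (Get-GPInheritance -Target $rootDn).GpoLinks
"GPO links at the domain root (lowest Order wins a conflict):"
$rootLinks | Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced, GpoId | Format-Table -AutoSize
$rootGuids = @($rootLinks | ForEach-Object { $_.GpoId.ToString() })

# 3. Every GPO in the domain that carries a password-policy setting, and where it is linked.
#    Password policy lives in the Security Settings extension of the computer half of a GPO;
#    in the XML report each value is an <Account> element in this namespace.
$secNs = 'http://www.microsoft.com/GroupPolicy/Settings/Security'
$passwordSettingNames = 'MinimumPasswordLength', 'PasswordHistorySize', 'MaximumPasswordAge',
                        'MinimumPasswordAge', 'PasswordComplexity', 'ClearTextPassword'

$findings = foreach ($gpo in Get-GPO -All -Domain $domain.DNSRoot) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domain.DNSRoot

    $settings = foreach ($acct in $report.GetElementsByTagName('Account', $secNs)) {
        # Read child elements by LocalName so the q1: prefix the report uses does not matter.
        $name = ($acct.ChildNodes | Where-Object LocalName -eq 'Name').InnerText
        if ($passwordSettingNames -notcontains $name) { continue }
        $value = ($acct.ChildNodes |
            Where-Object { $_.LocalName -in 'SettingNumber', 'SettingBoolean' }).InnerText
        "$name=$value"
    }
    if (-not $settings) { continue }   # GPO has no password settings; nothing to report

    # SOMPath is the domain DNS name for a root link, "domain/OU/..." for an OU link.
    $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })

    [pscustomobject]@{
        GPO              = $gpo.DisplayName
        RootLinked       = $rootGuids -contains $gpo.Id.ToString()
        LinkedTo         = if ($links) { $links -join '; ' } else { '(not linked)' }
        PasswordSettings = $settings -join ', '
    }
}

"GPOs that carry password-policy settings:"
$findings | Format-Table -AutoSize -Wrap

# Anything here is the situation the thread warns about: the settings are real,
# but they only shape local SAM accounts on machines under that OU, never domain accounts.
$ignored = $findings | Where-Object { -not $_.RootLinked }
if ($ignored) {
    Write-Warning ("{0} GPO(s) set password policy without a domain-root link: {1}" -f
        $ignored.Count, (($ignored.GPO) -join ', '))
}

# 4. Fine-grained password policies (Windows Server 2008+ domain functional level) are the
#    supported way to give one group its own policy without a child domain; the 2003-era
#    text above predates them. Listing them shows whether any exist in this domain.
$psos = Get-ADFineGrainedPasswordPolicy -Filter * -ErrorAction SilentlyContinue
if ($psos) { "Fine-grained password policies (PSOs) present:"; $psos | Format-Table Name, Precedence, MinPasswordLength -AutoSize }
else       { "No fine-grained password policies found (or domain functional level below 2008)." }
```

Run it as a user who can read GPOs and the domain object; it changes nothing. A clean result is a single root-linked GPO (normally Default Domain Policy, or a custom GPO at Order 1 above it) in the findings table and no warning. If the warning fires, the listed GPOs are the ones someone linked at an OU expecting them to change domain passwords, which, as the excerpt says, they cannot; either move the link to the root with the intended order, or, on a 2008 or later domain functional level, use a PSO instead of a separate child domain.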
_omni_ wrote: @sprkymrk: What?? Give me proof that password policies apply to domain accounts at OU/site level.