Applying Password Policy to Group

  • Thread starter Thread starter Techhead
  • Start date Start date
T

Techhead

I need to apply a password policy to a group of users instead of the
entire domain. I know you have to apply the policy to the domain and
not to an OU. How would I restrict who gets the password policy at the
domain level instead of every computer getting the policy? Can I deny
apply policy rights to all users and grant apply rights to my group?

I want to test my policy with out having to apply it domain wide.
 
This isn't possible out-of-the-box. Password policy is enforced by
Domain Controllers and unfortunately applies to them ... not to users,
groups or computers. The password policies you define are effective at
and are governed by the DCs receiving the password change requests from
users, they are not specific to the user changing the password.

Password policies can be linked at other levels, such as OUs, but they
then affect only the local password policy of any member computers
within the scope of that linkage ... not the users that happen to share
that OU.
 
Hi
You can only have one password policy for the entire domain. If you need
separate password policies, you will have to create separate domains.
 
Techhead said:
I need to apply a password policy to a group of users instead of the
entire domain. I know you have to apply the policy to the domain and
not to an OU. How would I restrict who gets the password policy at the
domain level instead of every computer getting the policy? Can I deny
apply policy rights to all users and grant apply rights to my group?

I want to test my policy with out having to apply it domain wide.
Click to expand...

As the others have indicated, this is not possible
for DOMAIN accounts. Password, Kerberos,
and Lockout policies for domain accounts ONLY
apply at the domain level.

Your best bet is to do it through EDUCATION (of
those users.)

Make sure they understand the rules and the reasons
why they are essential to organization security.

Occasionally the need to have different Password or
Lockout policies (for domain accounts) is a reason for
creating a SEPARATE domain.
 
Hi,

As previously posted, this will not work for you "out of the box".
DC's look at the default domain policy at the domain level for password
policies throughout your domain.
There are third party tools out there that can allow you multiple
password policies within your domain WITHOUT creating new domains or
reconfiguring your Active Directory structure.
One tool out there is called Specops Password Policy from Special
Operations Software.
With this you can create different individual policies and link them to
a user account, and/or a security group, and/or a specific OU
You can find more information at the following link.
http://www.specopssoft.com/products/specopspasswordpolicy/Default.asp

Harj Singh
"Password Policy Done Right"
www.specopssoft.com
 
Back
Top