GPO - password/account settings at the OU level

  • Thread starter Thread starter Blake
  • Start date Start date
B

Blake

We are trying to set some password/account settings at the OU level
(password complexity, minimum length, lockout, etc.) Some documentation
says this must be set at the domain level and doesn't function anywhere
else. Can anyone verify/dispute this? Can I set a different password
policy for different OUs? If not, why does MS give me the option to do so?

Thanks
Blake
 
For "domain" accounts, password policy can only be set at the domain
level. If you set it at the OU level it will be enforced for local machine
accounts only in that OU. --- Steve MVP
 
Password policy must be set at the domain level. Think
about it - all your domain accounts are stored on the
DC's, which aren't in the OU's that you are specifiying
polciy on (its a machine level policy), so why would they
be effected?

MS gives you this option because the password policy you
set on OU's will effect the local SAM database on the
machines stored within that OU. It will not effect domain
accounts, only local accounts.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Back
Top