Password Policy by OU

[Doug Fox]

Is it possible that we deploy password policy by OU? Let say, the HR users'
passwords are 8 characters in length, They must be changed every 30 days.
The Manufacturing users' passwords are 6 characters in length and must be
changed every 42 days. I then setup 2 OUs. One for HR and one for MFG and
apply a GPO for each OU.

Any comments/suggestions are appreciated.

Thanks,

DF

 

[Danny Sanders]

One password policy per domain.

Password policies set at the OU level will only take affect when logging on
locally.

The thinking is if your domain holds info sensitive enough for "strong"
passwords, setting one set up users to use "weak" password amounts to
Windows allowing you to create a security hole.

hth
DDS W 2k MVP MCSE

 

[Roger Abell [MVP]]

Danny is correct in his comment. Your only alternative, other than
defining more domains, is to use smart cards for some users or to
aquire a password complexity gina from a third-party (or write one).
The last alternative is a time-limited feature as these types of
extensions are only to be supported as is on pre-Vista/pre-Longhorn.

 

[Steven L Umbach]

As Danny and Roger said that is not natively possible. As an admin it is
good practice to sell to the powers that be that strong password policy for
all users is the way to go and to train users to think pass phrase instead
of passwords encouraging users to use spaces in their pass phrase if they
want. While a pass phrase may seem simple to us humans they can be extremely
complex passwords. --- Steve