Password Policy - URGENT

Gil

hi,
I want to change my users' password policy. I want to change, for example, the
minimum password length.
I have 300 users and I do NOT want to change the policy for all the users at
the same time.
But if I will use the domain security policy for this change, it will change
the policy for all the users at the same time.
I saw in the win2000server GPO the option to change the password policy from
the computer configuration of the GPO and NOT from the user configuration of
the GPO.
1. How can I change the password policy from the GPO from the USER
CONFIGURATION and NOT from the COMPUTER CONFIGURATION.

2. I have only win2000server and NONE win2003 server. So I will NOT be able
to apply the GPO option for changing the password policy for PART of the
users in the OU !!! (I have 300 users and I do NOT want to change the policy
for all the users at the same time.)
How can I solve this issue without installing win2003 server or installing
third party tool for this issue ???

thanks a lot.
 
The Password Policy is a domain wide policy, and has to affect all user
accounts within the particular domain. The Password Policy can only be set
at Domain level, and should be set in the Default Domain Policy, or another
Policy with the highest priority.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
Security policies are domain-wide, and minimum password length is one of
them. Even though security policies are visible in all GPOs, at the computer
&/or user configuration branch, the only security policies that will really
be effective (i.e. work at all) are those defined in GPOs set at the domain
level.

During the AD design and planning phase, this should be one of the key
considerations that guide the domain structure of an organization.
 
Desmond,
1. You are saying that to deal with this issue of password policy, I MUST
use the domain security policy ONLY. You are saying NOT to use even GPO on
the whole OU, because it will NEVER work as long as the
domain security policy will have other definitions than the GPO.
2. So always domain security Policy is stronger than GPO?
thanks.
 
1. Yes. Note that you are not prevented from configuring password policies
using GPO linked to OUs within the same AD domain, but only the one defined
at the domain level will be effective. This is something you have already
found out, and the behavior is correct as designed.

2. See #1.

How many AD domains do you have in the same AD forest / tree?

Take for example the following scenario:
my-hq.com
east.my-hq.com
west.my-hq.com

Three different password policies can be set up in the respective AD domains
if the need is there.

Hope this helps!
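
A small model of the rule described in the replies above, added here as an example and not part of the original posts: it reads the `[System Access]` section of several GPO security templates and shows which password settings are effective for domain accounts and which are ignored because the GPO is linked to an OU. The GPO names, link orders and template contents are constructed, and treating a lower link order as higher precedence among domain-linked GPOs is an assumption of this model.

```python
import configparser

# Password-policy setting names as they appear in a GPO security template.
PASSWORD_KEYS = {"MinimumPasswordLength", "MaximumPasswordAge",
                 "MinimumPasswordAge", "PasswordComplexity",
                 "PasswordHistorySize"}

# Constructed sample data: (GPO name, link scope, link order, template text).
SAMPLE_GPOS = [
    ("Default Domain Policy", "domain", 2,
     "[System Access]\nMinimumPasswordLength = 7\nMaximumPasswordAge = 42\n"),
    ("Domain Hardening", "domain", 1,
     "[System Access]\nMinimumPasswordLength = 10\n"),
    ("Sales OU Policy", "ou", 1,
     "[System Access]\nMinimumPasswordLength = 4\n"),
]

def password_settings(inf_text):
    """Return the password settings found in the [System Access] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return {}
    return {k: int(v) for k, v in parser["System Access"].items()
            if k in PASSWORD_KEYS}

def effective_domain_policy(gpos):
    """Return (effective, ignored) for domain accounts.

    effective maps setting -> (value, GPO name); ignored lists
    (GPO name, setting, value) for settings defined in OU-linked GPOs.
    """
    effective, ignored = {}, []
    # Apply domain-linked GPOs from lowest to highest precedence, so the
    # highest-precedence definition of each setting is written last.
    domain = sorted((g for g in gpos if g[1] == "domain"), key=lambda g: -g[2])
    for name, _, _, inf in domain:
        for key, value in password_settings(inf).items():
            effective[key] = (value, name)
    for name, scope, _, inf in gpos:
        if scope != "domain":
            ignored += [(name, k, v) for k, v in password_settings(inf).items()]
    return effective, ignored

if __name__ == "__main__":
    effective, ignored = effective_domain_policy(SAMPLE_GPOS)
    for key, (value, source) in effective.items():
        print(f"{key} = {value}  (from {source})")
    for name, key, value in ignored:
        print(f"ignored for domain accounts: {name}: {key} = {value}")
```
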
 
Thank You Very Much!

Desmond Lee said:
1. Yes. Note that you are not prevented from configuring password policies
using GPO linked to OUs within the same AD domain, but only the one defined
at the domain level will be effective. This is something you have already
found out, and the behavior is correct as designed.

2. See #1.

How many AD domains do you have in the same AD forest / tree?

Take for example the following scenario:
my-hq.com
east.my-hq.com
west.my-hq.com

Three different password policies can be set up in the respective AD domains
if the need is there.

Hope this helps!
 
See my response to the previous post ...

-ds


Chriss3 said:
The Password Policy is a domain wide policy, and has to affect all user
accounts within the particular domain. The Password Policy can only be set
at Domain level, and should be set in the Default Domain Policy, or another
Policy with the highest priority.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 