Password Policy

  • Thread starter Thread starter Dave
  • Start date Start date
D

Dave

I have been trying to set up a password policy with no
success. I set up a new policy under the domain that runs
after the default domain policy. I configured different
items under computer config such as "do not display last
user to logon" and "disable CTRL ALT DEL", along with a
password setting of expire in one day for a test. I
configured under user config "disable command prompt".
The security for this policy is set "Read and Apply" group
policy to a specific user and computer account. I
removed "authenticated users". When I logon to the
specific computer with the specific user all computer and
user config policies work except the password policy.

My goal in the long run is to have different password
policies for different OU's so that all users are not
prompted to change there password all at once but I can't
even get the password policy to work at all. What am I
doing wrong. Any help would be appreciated. Thanks.
 
You cannot have different password policies for different OU's. The GPO that you're setting password policy under must be at the domain level.
 
Robert is correct in that Out-of-the-box you are limited to applying
password policy to the domain level but there are other ways you may be able
to reach your goal here.

For example imagine if you have an OU with technical user with high
privledges on your network and you want them to reset their passwords every
30 days instead of every 90 which you have configured for the entire domain.
This setting will not apply if you configure it on a GPO applied to an OU
per Robert's response. But what you can do here is write a script that will
iterate through all of the objects in the OU and look at the password age
and compare that to 30 days (it is probably in seconds or some other
unwieldy format) and if the password age is 30 days simply flip the flag for
"User must change password at next logon". The simplest example is pretty
complex and not that pretty from a user perspective. If you want to add
complexity you evaluate the password age and if the password is 20 days old
you present the user with a "your password is about to expire in 10 days"
type of message. It is definitely possible but a bit complex.

I am sure you can find a bunch of sample scripts up on the script center to
look at regarding flipping the flag to reset and looking at password age
etc. I haven't looked at this in a while but I remember it being possible.

Kevin Sullivan
 
Back
Top