where to apply?


Me

I know this is a GPO 101 type question but any help would be welcome..

Let's say you have a 2003 domain with a single user OU called
employees. You want to set a password policy so that employees have
complex passwords. Do you link it to the domain or Employees OU and
why?

Sounds like a test question I know but I would set it at the
employees OU because I may want to create another OU later and not
apply the GPO there. Does this make sense or should I just link it to
the domain and deny permissions to it for the new OU I create?

Thanks for any advice.
 

Cary Shultz [A.D. MVP]

Hello Me!

I guess that this would be Mini Me writing to you? But is that possible at
6' / 210 lbs to be called 'Mini-Me'? Probably not!

This is a basic question. But a good one and one that often comes up. So,
if you have it then you know that a ton of others have it as well.

Password Policy is a special animal. There can be only one password policy
per domain and you apply it to the domain level ( through the Domain
Security Policy ). Period!

You can not have a password policy applied to the OU level and have it apply
to any domain user accounts. That policy would, however, apply to any local
user accounts to any computer account objects that might reside in the OU to
which this password policy GPO was linked. What does that mean? Say that
you have an OU in which there are 15 computer account objects: pc01, pc02,
pc03, etc. You apply the password policy GPO to this OU. At the next reboot
of the computers, any user account logging on locally ( to the computer, not to
the domain ) will be affected by this password policy.

Does this make sense?

Mini Me! aka Cary
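The post above describes the trap of linking a password-policy GPO to an OU: it reaches only the local SAM accounts on the computers in that OU, never domain users. The audit below is an added example, not code from the thread or from Microsoft. It walks every container that has a gPLink (the domain head and all OUs), reads each linked GPO's GptTmpl.inf from SYSVOL, and reports any that carry Account Policy settings together with where they are linked, flagging OU links as ineffective for domain accounts. It assumes a domain-joined Windows machine with read access to SYSVOL; the attribute names, the gPLink syntax and the SecEdit path are the standard ones.

```powershell
# Added example, not from the thread: find GPOs that carry Account Policy
# settings and report where they are linked. A password-policy GPO linked
# anywhere but the domain head only reaches local SAM accounts on the
# computers in that OU, so an OU link is flagged. The domain is discovered
# at run time from RootDSE; nothing here is specific to one environment.

function Get-PasswordPolicyGpoLinks {
    param([string]$DomainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext)

    $domainFqdn = (($DomainDn -split ',') | ForEach-Object { $_ -replace '^DC=' }) -join '.'
    $sysvol     = "\\$domainFqdn\SYSVOL\$domainFqdn\Policies"

    # Keys written by Computer Configuration > Windows Settings > Security
    # Settings > Account Policies into the [System Access] section of GptTmpl.inf.
    $policyKeys = 'MinimumPasswordLength','PasswordComplexity','MaximumPasswordAge',
                  'MinimumPasswordAge','PasswordHistorySize','ClearTextPassword',
                  'LockoutBadCount','LockoutDuration','ResetLockoutCount'

    # Every container that has GPOs linked: the domain head plus all OUs.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$DomainDn"
    $searcher.Filter     = '(&(|(objectClass=domainDNS)(objectClass=organizationalUnit))(gPLink=*))'
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName','gPLink'))

    foreach ($r in $searcher.FindAll()) {
        $container    = [string]$r.Properties['distinguishedname'][0]
        $isDomainHead = ($container -eq $DomainDn)
        $gpLink       = [string]$r.Properties['gplink'][0]

        # gPLink looks like [LDAP://cn={GUID},cn=policies,cn=system,DC=...;0][...]
        foreach ($m in [regex]::Matches($gpLink, '\{[0-9A-Fa-f-]{36}\}')) {
            $guid = $m.Value
            $inf  = Join-Path $sysvol "$guid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
            if (-not (Test-Path $inf)) { continue }   # GPO has no security template

            $found = @{}
            $inSystemAccess = $false
            foreach ($line in Get-Content -Path $inf) {
                if ($line -match '^\s*\[(.+)\]\s*$') {
                    $inSystemAccess = ($Matches[1] -eq 'System Access')
                    continue
                }
                if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$' -and
                    $policyKeys -contains $Matches[1]) {
                    $found[$Matches[1]] = $Matches[2]
                }
            }
            if ($found.Count -eq 0) { continue }

            [pscustomobject]@{
                GpoGuid  = $guid
                LinkedTo = $container
                Scope    = if ($isDomainHead) { 'Domain (effective for domain accounts)' }
                           else               { 'OU (local SAM accounts only)' }
                Settings = ($found.GetEnumerator() | Sort-Object Key |
                            ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
            }
        }
    }
}

Get-PasswordPolicyGpoLinks | Sort-Object Scope | Format-Table -AutoSize -Wrap
```

Any row whose Scope reads "OU" is a password policy somebody linked below the domain head; it will change what the local Administrator on those workstations must type, and nothing else. Note that the template shows what was configured, not what won: if several GPOs at the domain head set Account Policies, the usual link order and enforcement rules decide.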
 

Me


Does it make sense ... Let me see ... if for example I was stubborn and
still wanted to apply password policy to an OU I would have to have
all the user and computer accounts in that OU or sub OU... AND ..... (
note the .... is me thinking ) I would have to have all those users
logon locally to their machines!?!

Further, if I wanted to apply password policy to some users only,
(with all users logging in the domain which is of course the best) I
would have to link the gpo to the domain and then deny the users I
didn't want to have it to that gpo yes?


Thanks Mini Me. BTW - I gladly call you Mini Me for helping me out! :)
 

Cary Shultz [A.D. MVP]

Hello Me!

in-line....


Me said:
Does it make sense ... Let me see ... if for example I was stubborn and
still wanted to apply password policy to an OU I would have to have
all the user and computer accounts in that OU or sub OU... AND ..... (
note the .... is me thinking ) I would have to have all those users
logon locally to their machines!?!


I think that the one thing about which you do not want to be stubborn is in
accepting the fact that there can be only one Password Policy per domain.
Period. If you need to have multiple password policies then you need to
have multiple domains!

I probably should not have included the part about the OUs as it tends to
confuse people for whom this topic is not clear. So, forget about that.
Clearly having people log on to their local machines ( and not to the
domain ) is not acceptable.

Further, if I wanted to apply password policy to some users only,
(with all users logging in the domain which is of course the best) I
would have to link the gpo to the domain and then deny the users I
didn't want to have it to that gpo yes?

The Password Policy affects all user account objects. Period. There is no
way to selectively enforce to which user account objects this policy either
applies or does not apply. To simplify why, think of it this way ( I think
that Paul explained it in a similar fashion - co-credit goes to him! ): you
are setting the Password Policy so that the Domain Controller(s) know what
type of password it/they will accept when authenticating. Does this help
you to better understand this? This is why the Password Policy is set at
the Computer Configuration. It is really for the Domain Controllers!

Thanks Mini Me. BTW - I gladly call you Mini Me for helping me out! :)



Thanks, Me!

Mini-Me.
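The reply above makes the key point: the domain password policy is what the domain controllers enforce when they accept or reject a password, and in a Windows 2003 domain there is exactly one such policy, stored on the domain head object. The function below is an added example, not code from the thread. It reads that effective policy straight from the domainDNS object (minPwdLength, pwdHistoryLength, maxPwdAge, minPwdAge, pwdProperties and the lockout attributes) using System.DirectoryServices, so it works against a 2003 domain from any domain-joined machine with no ActiveDirectory module. The attribute names and the pwdProperties bit values are the standard schema ones; the domain is taken from RootDSE.

```powershell
# Added example, not from the thread: read the single domain-wide password
# policy from the domain head object. This is the policy the DCs actually
# enforce, whatever GPOs may be linked lower down. Works against Windows 2003.

function Get-DomainPasswordPolicy {
    param(
        # Distinguished name of the domain; defaults to the current domain.
        [string]$DomainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$DomainDn"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=domainDNS)'
    [void]$searcher.PropertiesToLoad.AddRange(@(
        'minPwdLength','pwdHistoryLength','maxPwdAge','minPwdAge',
        'pwdProperties','lockoutThreshold','lockoutDuration','lockoutObservationWindow'))

    $r = $searcher.FindOne()
    if (-not $r) { throw "Domain head object not found under $DomainDn" }

    # Ages are stored as negative 100-nanosecond intervals (Int64);
    # 0x8000000000000000 (Int64.MinValue) means "never".
    function ToAge([int64]$ticks) {
        if ($ticks -eq [int64]::MinValue) { return 'never' }
        [TimeSpan]::FromTicks(-$ticks)
    }

    $flags = [int]$r.Properties['pwdproperties'][0]
    [pscustomobject]@{
        MinPasswordLength    = $r.Properties['minpwdlength'][0]
        PasswordHistory      = $r.Properties['pwdhistorylength'][0]
        MaxPasswordAge       = ToAge $r.Properties['maxpwdage'][0]
        MinPasswordAge       = ToAge $r.Properties['minpwdage'][0]
        # pwdProperties bits: 0x1 DOMAIN_PASSWORD_COMPLEX,
        #                     0x10 DOMAIN_PASSWORD_STORE_CLEARTEXT (reversible encryption)
        ComplexityRequired   = [bool]($flags -band 0x1)
        ReversibleEncryption = [bool]($flags -band 0x10)
        LockoutThreshold     = $r.Properties['lockoutthreshold'][0]
        LockoutDuration      = ToAge $r.Properties['lockoutduration'][0]
        LockoutWindow        = ToAge $r.Properties['lockoutobservationwindow'][0]
    }
}

Get-DomainPasswordPolicy | Format-List
```

Because this reads the attributes the DCs consult rather than any GPO, it is the right place to confirm that a policy you linked at the domain head has actually taken effect after replication, and to spot a ReversibleEncryption value of True, which means the DCs are keeping passwords in a recoverable form.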
 

Ken B

Just throwing in a nickel here...

If you want some users to have 'easier' passwords, if you didn't set up the
password policy on the domain level yet, you can have them set their
passwords (or you do it for them thru Users & Computers)... check the
"Password never expires" checkbox. THEN apply the password policy, and all
users (when their password expires or is changed) will be forced to comply
with the password policy.

But as Cary said (I think she did, or at least alluded to), why would you
want to defeat the purpose of a security policy and create a "weak link"
with a simple password if the rest of the domain were forced to have a more
complex password?

For instance, at my place, I could guarantee you that if some people were
held to more stringent passwords than others, the "tighter" password users
would be complaining that "so-and-so over there has a password, and it's
only 4 characters long, and they keep re-using it!!" Would be a political
nightmare here.

Good luck!

Ken
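Ken's workaround relies on the "Password never expires" flag: the domain policy is only enforced when a password is changed, so an account whose password never expires keeps whatever it has. Those accounts are exactly the weak links he warns about, and they accumulate over time. The query below is an added example, not code from the thread. It lists enabled domain users with that flag set (userAccountControl bit 0x10000) and how old each password is, using the standard LDAP bitwise-AND matching rule; it also surfaces the related PASSWD_NOTREQD flag (0x20), which lets an account bypass the minimum length entirely. It assumes a domain-joined Windows machine and standard schema attributes; nothing is specific to one environment.

```powershell
# Added example, not from the thread: enumerate enabled accounts whose
# "Password never expires" flag exempts them from the domain's maximum
# password age, with the age of each password. Works against Windows 2003.

function Get-NeverExpiringPasswordAccounts {
    param([string]$DomainDn = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$DomainDn"
    $searcher.PageSize   = 1000
    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests userAccountControl bits:
    # 0x10000 (65536) = DONT_EXPIRE_PASSWORD, 0x2 = ACCOUNTDISABLE (excluded here).
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                       '(userAccountControl:1.2.840.113556.1.4.803:=65536)' +
                       '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName','pwdLastSet','userAccountControl'))

    $nowUtc = (Get-Date).ToUniversalTime()
    foreach ($r in $searcher.FindAll()) {
        $pls        = $r.Properties['pwdlastset']
        $pwdLastSet = if ($pls.Count) { [int64]$pls[0] } else { 0 }
        # pwdLastSet is a FILETIME in UTC; 0 means "must change at next logon".
        $setOn = if ($pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($pwdLastSet) } else { $null }
        $uac   = [int]$r.Properties['useraccountcontrol'][0]

        [pscustomobject]@{
            Account             = [string]$r.Properties['samaccountname'][0]
            PasswordSetUtc      = $setOn
            PasswordAgeDays     = if ($setOn) { [int]($nowUtc - $setOn).TotalDays } else { $null }
            # 0x20 PASSWD_NOTREQD: a blank password is accepted regardless of MinPasswordLength
            PasswordNotRequired = [bool]($uac -band 0x20)
        }
    }
}

Get-NeverExpiringPasswordAccounts | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Clearing the flag does not by itself force compliance; the policy still bites only at the next password change, so pair this list with a forced change (pwdLastSet = 0) for any account whose password predates the policy.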
 

Cary Shultz [A.D. MVP]

Ken,

'She' would be 6'0 and 210 lbs! ;-)

Cary

 