Win2k group policy problem

  • Thread starter Thread starter Tim D
  • Start date Start date
T

Tim D

I want to enable password complexity for xx users in only
one of my OU's. I do have a separate GPO on this OU and
as well as all of my other OU's. I understand password
complexity will only work if it is applied to the default
domain policy GPO. Since I applied it to the default
domain policy GPO, I can't create users with non complex
passwords in my other OU's with seperate GPO's. Also, all
local user accounts for all computers in the domain must
have complex passwords and I do not want that either.
Please help. I am runnning win2k advanced server SP3.
 
Tim and Kevin!

Here is the way that it works.

1. If a domain user logs on, they will have the password requirements set
forth in the domain level policy.
2. If a LOCAL user logs onto a LOCAL machine that is a member of a domain,
they are bound by the resultant set of policys up to the OU they are in.

For example.

single forest, single domain, single site

1 DC, 1 workstation.

Password policy defined at domain level to have a minimum of 5 chars length.
OU created called TESTOU and Workstation moved into this OU.
Password policy defined at the TESTOU level to have a minimum of 7
characters.

Domain user created called DOMAINUSER
Local User created on workstation called LOCALUSER

Logging into the workstation:

Example #1, Log into the DOMAIN on the workstation with DOMAINUSER and try
to change password, message you get is that the password must be 5
characters in length.
Example #2, Log into the LOCAL MACHINE (again workstation) with LOCALUSER
and try to change password, message you get is that the password must be 7
characters in length.

So, in summary, any domain user account that logs on anywhere in the domain
will be bound by the domain level password policy restrictions. and any
local user account that logs onto a local machine will be bound by the
password policies set forth using the L,S,D,OU methodology.

In your scenario, Tim, you would be unable to define different password
policies for domain users, however, you can set a password policy at an OU
level so that LOCAL accounts do not have to use complexity requirements.
This is by design.
--
Gary J. Griffin, MSCE/MCSE
Enterprise Platform Support
Directory Services, Microsoft Corporation
 
Thanks for all of your help. I wasn't sure it could be
done but you guys pointed me in the right direction
 
Back
Top