password complexity

Guest
Archived from groups: microsoft.public.win2000.active_directory

I have enabled password complexity at the domain level which works fine, but
I have downlevel OUs which I DO NOT wish to have this restriction/policy
enforced.

Is this possible?

Thanks

Richard
 
Guest

You have three options to do this kind of thing:

1) You can create a password policy on the deeper OU with the complexity policy explicitly disabled - this will override the GP at
the domain level which is applied before the OU's policies. Policies are applied in order: local, site, domain, OU (outermost to
deepest). Last policy wins. This is probably what you want to do here.

2) You can use DENY access control entries on the top-level GPO's security to avoid applying that policy to particular users or
machines based on identity or security group membership. You might want to do this if the need to avoid applying the password policy
spans across OUs and it is simpler to just group the users together.

3) You can check "block policy inheritance" on the OU to avoid applying any upper-level GPOs (at least ones that aren't marked
no-override). This would be an unusual situation where you simply want a clear policy space at the OU and more or less start over
from there down.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.

"RThibault" <RThibault@discussions.microsoft.com> wrote in message news:9D851EF9-8562-49AD-BBFE-A7790ED3A9EA@microsoft.com...
> I have enabled password complexity at the domain level which works fine, but
> I have downlevel OUs which I DO NOT wish to have this restriction/policy
> enforced.
>
> Is this possible ???
>
> thanks
>
> Richard
 
Guest

If he means that he wants multiple complexity policies for users that reside in
a single domain, that is not possible with any amount of GPO
tweaking/blocking/filtering. It is only possible with custom password filters
that are written to specifically function based on some filtering criteria.
Writing password filters is non-trivial.

The password policy for a domain is maintained in the domain policy; this is
applied to the domain controllers directly. What policies users in OUs have
applied to them has no bearing on the subject.

If you set different complexity settings in a single domain, they will only be
effective for local userids (NOT domain userids) on workstations and member
servers that are covered by those OUs.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Steve Duff [MVP] wrote:
> You have three options to do this kind of thing:
>
> 1) You can create a password policy on the deeper OU with the complexity policy explicitly disabled - this will override the GP at
> the domain level which is applied before the OU's policies. Policies are applied in order: local, site, domain, OU (outermost to
> deepest). Last policy wins. This is probably what you want to do here.
>
> 2) You can use DENY access control entries on the top-level GPO's security to avoid applying that policy to particular users or
> machines based on identity or security group membership. You might want to do this if the need to avoid applying the password policy
> spans across OUs and it is simpler to just group the users together.
>
> 3) You can check "block policy inheritance" on the OU to avoid applying any upper-level GPOs (at least ones that aren't marked
> no-override). This would be an unusual situation where you simply want a clear policy space at the OU and more or less start over
> from there down.
>
> Steve Duff, MCSE, MVP
> Ergodic Systems, Inc.
>
> "RThibault" <RThibault@discussions.microsoft.com> wrote in message news:9D851EF9-8562-49AD-BBFE-A7790ED3A9EA@microsoft.com...
>
>>I have enabled password complexity at the domain level which works fine, but
>>I have downlevel OUs which I DO NOT wish to have this restriction/policy
>>enforced.
>>
>>Is this possible ???
>>
>>thanks
>>
>>Richard
>
>
>
 
Guest

Hi Richard,

Please note that Windows 2000 allows only one domain account policy (including
password policy) per domain. So I think the original question is not
possible. However, you can have an additional policy in your down-level OU in a
way that the GP will affect the local policy of the computers in the OU.
This will affect the local logon.

For more info, take a look at this.

How to configure account policies in Active Directory
http://support.microsoft.com/?id=255550

br,
Denis

"Steve Duff [MVP]" <ergodic@ergodic-systems.com> wrote in message
news:ORV6mgKjFHA.572@TK2MSFTNGP15.phx.gbl...
> You have three options to do this kind of thing:
>
> 1) You can create a password policy on the deeper OU with the complexity policy explicitly disabled - this will override the GP at
> the domain level which is applied before the OU's policies. Policies are applied in order: local, site, domain, OU (outermost to
> deepest). Last policy wins. This is probably what you want to do here.
>
> 2) You can use DENY access control entries on the top-level GPO's security to avoid applying that policy to particular users or
> machines based on identity or security group membership. You might want to do this if the need to avoid applying the password policy
> spans across OUs and it is simpler to just group the users together.
>
> 3) You can check "block policy inheritance" on the OU to avoid applying any upper-level GPOs (at least ones that aren't marked
> no-override). This would be an unusual situation where you simply want a clear policy space at the OU and more or less start over
> from there down.
>
> Steve Duff, MCSE, MVP
> Ergodic Systems, Inc.
>
> "RThibault" <RThibault@discussions.microsoft.com> wrote in message news:9D851EF9-8562-49AD-BBFE-A7790ED3A9EA@microsoft.com...
> > I have enabled password complexity at the domain level which works fine, but
> > I have downlevel OUs which I DO NOT wish to have this restriction/policy
> > enforced.
> >
> > Is this possible?
> >
> > Thanks
> >
> > Richard
>
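
The distinction Joe and Denis draw above, as an added example that is not part of the original thread: a small Python model of how the complexity setting resolves for local accounts on computers in an OU versus domain accounts. The `Gpo` and `Container` classes, the function names, and the sample domain, OU and GPO links are constructed for illustration; the model covers only site, domain and OU links plus the block-inheritance and no-override flags mentioned in the thread.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Gpo:
    name: str
    complexity: Optional[bool] = None  # None means "Not defined" in this GPO
    no_override: bool = False

@dataclass
class Container:
    name: str
    kind: str                          # "site", "domain" or "ou"
    gpos: List[Gpo] = field(default_factory=list)
    block_inheritance: bool = False

def _winner(gpos: List[Gpo]) -> Tuple[Optional[bool], Optional[str]]:
    defined = [g for g in gpos if g.complexity is not None]
    forced = [g for g in defined if g.no_override]
    if forced:                         # highest-level no-override link wins
        return forced[0].complexity, forced[0].name
    if defined:                        # otherwise the last GPO processed wins
        return defined[-1].complexity, defined[-1].name
    return None, None

def local_account_policy(path: List[Container]):
    """Setting written to the local SAM of a computer at the end of `path`
    (ordered site, domain, OU ... deepest OU). Covers local accounts only."""
    start = max((i for i, c in enumerate(path) if c.block_inheritance), default=0)
    applied = [g for i, c in enumerate(path) for g in c.gpos
               if i >= start or g.no_override]
    return _winner(applied)

def domain_account_policy(path: List[Container]):
    """Setting enforced for domain accounts: only GPOs linked to the domain
    itself count, whatever is linked to or blocked at the OUs."""
    return _winner([g for c in path if c.kind == "domain" for g in c.gpos])

# Constructed sample: complexity on at the domain, switched off on one OU.
site = Container("Default-First-Site-Name", "site")
domain = Container("example.test", "domain", [Gpo("Default Domain Policy", True)])
legacy = Container("Legacy", "ou", [Gpo("Legacy No Complexity", False)])
path = [site, domain, legacy]

if __name__ == "__main__":
    print("local accounts on OU computers:", local_account_policy(path))
    print("domain accounts:", domain_account_policy(path))
```

In the sample, the OU-linked GPO changes the result only for local accounts on computers in that OU; the domain accounts still get the domain-level setting.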