Blocking password policy set at Domain level


Guest

I have an Active Directory domain of about 3800 users. I have set a password policy (8 characters, 45 day expiration, and complexity requirements). I need to have a few user accounts exempted, because they are associated with business processes.

1. I have tried creating a sub-OU, moving the users into the OU, and then blocking inheritance.
2. I went to the domain-level password policy and set the Apply Group Policy permission to Deny for those users.
3. I removed the Read rights to the domain policy for those users.
4. I tried to create another password policy on the sub-OU which held those users.

Nothing stopped the password requirements for those users. They still had to change the password.

What am I missing? How do I exempt these user accounts?

Thanks
Larry
 

Rick

If I remember correctly, you have just hit one of the reasons that people
choose to deploy multiple domains. If I am correct, you can only have one
password policy, which applies to the entire domain. I don't recall if you
can use the block policy or not in this case. If you can, you may want to
check if the domain policy has No Override turned on, as this would keep you
from blocking the password policy.



Rick
 

Rick

OK, I opened my MMC for the default domain GP. I am correct that you can only
have one password policy for a domain. Your only choice would be to create
another domain in your forest and move those people into it. Then you have the
pleasure of using global groups with embedded domain local groups to manage
security. I would say that you need to take a careful look at your AD
structure and evaluate organizational requirements which may dictate
changing to multiple domains. From what you have posted, a single forest
still sounds appropriate.
 

Deji Akomolafe

If you need different password policies, you need different domains.
Password policies are domain-wide and cannot be excluded/prevented.

HTH

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
Larry Lopez said:
I have an Active Directory domain of about 3800 users. I have set a
password policy (8 characters, 45 day expiration, and complexity
requirements). I need to have a few user accounts exempted, because they
are associated with business processes.
 

Glen Anderson

As the others have mentioned, password policy is domain-wide
and can't be bypassed. This would sort of defeat the
object. Options are:

Local accounts on servers/workstations (not that nice).
Force the password to be blank.
Unset the policy, set the passwords you need, set them
never to expire and then reset the password policy. This
should also work.

Hope this helps

-----Original Message-----
I have an Active Directory domain of about 3800 users.
I have set a password policy (8 characters, 45 day
expiration, and complexity requirements). I need to have
a few user accounts exempted, because they are associated
with business processes.
1. I have tried creating a sub-OU, moving the users into
the OU, and then blocking inheritance.
2. I went to the domain level password policy and set
the Apply Group Policy to Deny for those users
3. I removed the Read rights to the domain policy for those users.
4. I tried to create another password policy on the sub-OU which held those users.

Nothing stopped the password requirements for those
users. They still had to change the password.
 

Guest

-----Original Message-----
I have an Active Directory domain of about 3800 users. I
have set a password policy (8 characters, 45 day
expiration, and complexity requirements). I need to have
a few user accounts exempted, because they are associated
with business processes.
1. I have tried creating a sub-OU, moving the users into
the OU, and then blocking inheritance.
2. I went to the domain level password policy and set the
Apply Group Policy to Deny for those users
3. I removed the Read rights to the domain policy for those users.
4. I tried to create another password policy on the sub-OU which held those users.

Nothing stopped the password requirements for those
users. They still had to change the password.
What am I missing? How do I exempt these user accounts?

Thanks
Larry

You have done all that I would. One thing to check is
that these settings are being replicated to the
other DCs.
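The checks and the "set them never to expire" option discussed in this thread, written out as an added PowerShell example (not posted by anyone in the thread). It assumes the ActiveDirectory and GroupPolicy RSAT modules and repadmin.exe are available on the machine where it runs, and the account names in $ExemptAccounts are placeholders for the business-process accounts.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and
# GroupPolicy modules (RSAT) and repadmin.exe; account names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ExemptAccounts = @('svc-batch01', 'svc-report02')   # placeholder sAMAccountNames

# 1. Confirm the single, domain-wide policy that every account receives.
#    Block Inheritance and Deny ACEs on a sub-OU do not change this.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, MinPasswordAge

# 2. Show whether the GPO linked at the domain root is Enforced (the
#    "No Override" setting Rick mentions).
$DomainDN = (Get-ADDomain).DistinguishedName
(Get-GPInheritance -Target $DomainDN).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# 3. Glen's third option: flag the business-process accounts so their
#    password never expires. Length and complexity still apply the next
#    time the password is changed; only the expiry is removed.
foreach ($name in $ExemptAccounts) {
    Set-ADUser -Identity $name -PasswordNeverExpires $true
}

# 4. Inventory every account carrying the flag, with the date the password
#    was last set, so the exemption is reviewed rather than forgotten.
Get-ADUser -Filter { PasswordNeverExpires -eq $true } `
    -Properties PasswordNeverExpires, PasswordLastSet, Enabled |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet |
    Sort-Object PasswordLastSet

# 5. The last reply's point: confirm the change has reached every DC before
#    concluding that the exemption "did not work".
repadmin /replsummary
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-ADUser -Identity $ExemptAccounts[0] -Server $dc -Properties PasswordNeverExpires |
        Select-Object @{n = 'DC'; e = { $dc }}, SamAccountName, PasswordNeverExpires
}
```

Step 4 is the part worth keeping around: an account whose password never expires is exactly the kind that is set once and left for years, so listing them with PasswordLastSet gives you a standing review list instead of a one-off fix.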
 
