Applying Password Policy to Group

Techhead

I need to apply a password policy to a group of users instead of the
entire domain. I know you have to apply the policy to the domain and
not to an OU. How would I restrict who gets the password policy at the
domain level instead of every computer getting the policy? Can I deny
apply policy rights to all users and grant apply rights to my group?

I want to test my policy without having to apply it domain wide.
 
Dean Wells [MVP]

This isn't possible out-of-the-box. Password policy is enforced by
Domain Controllers and unfortunately applies to them ... not to users,
groups or computers. The password policies you define are effective at
and are governed by the DCs receiving the password change requests from
users, they are not specific to the user changing the password.

Password policies can be linked at other levels, such as OUs, but they
then affect only the local password policy of any member computers
within the scope of that linkage ... not the users that happen to share
that OU.
 
Jmnts

Hi
You can only have one password policy for the entire domain. If you need
separate password policies, you will have to create separate domains.
 
Herb Martin

Techhead said:
I need to apply a password policy to a group of users instead of the
entire domain. I know you have to apply the policy to the domain and
not to an OU. How would I restrict who gets the password policy at the
domain level instead of every computer getting the policy? Can I deny
apply policy rights to all users and grant apply rights to my group?

I want to test my policy without having to apply it domain wide.

As the others have indicated, this is not possible
for DOMAIN accounts. Password, Kerberos,
and Lockout policies for domain accounts ONLY
apply at the domain level.

Your best bet is to do it through EDUCATION (of
those users.)

Make sure they understand the rules and the reasons
why they are essential to organization security.

Occasionally the need to have different Password or
Lockout policies (for domain accounts) is a reason for
creating a SEPARATE domain.
 
Harj

Hi,

As previously posted, this will not work for you "out of the box".
DCs look at the default domain policy at the domain level for password
policies throughout your domain.
There are third party tools out there that can allow you multiple
password policies within your domain WITHOUT creating new domains or
reconfiguring your Active Directory structure.
One tool out there is called Specops Password Policy from Special
Operations Software.
With this you can create different individual policies and link them to
a user account, and/or a security group, and/or a specific OU.
You can find more information at the following link.
http://www.specopssoft.com/products/specopspasswordpolicy/Default.asp

Harj Singh
"Password Policy Done Right"
www.specopssoft.com
 
