Basic GPO Question

Paul U.

I have what I would call a relatively simple task I want
to accomplish but I can't seem to get it to work for
whatever reason.

We have several geographic regional offices, each with
their own DC. One of our Regional Offices wants to
implement Strong Passwords (aka Password Complexity
Requirements).

I have created a new Policy which enables Password
Complexity requirements, and linked that new Policy to
the OU in AD which contains all of the Users and
Computers (including the Domain Controller computer) for
that Regional Office.

When I open the "Local Security Policy" shortcut from
inside Administrative Tools on the DC of that Regional
Office, it still indicates that the Password Complexity
setting is undefined.

Do I need to modify the Default Domain Policy or Default
Domain Controller Policy to define complex password
requirements or is there another policy I need to create
upstream?

Any help would be much appreciated!

Thanks - Paul U.
 
Danny Sanders

Password policies are one to a domain.
I have created a new Policy which enables Password
Complexity requirements, and linked that new Policy to
the OU in AD which contains all of the Users and
Computers (including the Domain Controller computer) for
that Regional Office.


Password policies applied at the OU level ONLY take effect when logging on
locally to a computer in that OU.

We have several geographic regional offices, each with
their own DC. One of our Regional Offices wants to
implement Strong Passwords (aka Password Complexity
Requirements).


In order to use a different password policy at this site, you need to create
a different domain at this site.


The reasoning behind the password policy is that if you have resources in a
domain that are sensitive enough to require the more complex password
policy, you would want ALL accounts in that domain to be more secure, not
just a few. If you were able to apply the complex password policy to a few
users and not the entire domain a hacker would not have to crack the complex
password. They would crack one of the "simple" passwords.

It's kind of like putting a dead bolt, a key lock, and a chain lock on the
front door and only a key lock on the back door of your house. If there is
something in your house worth securing with 3 different locks, it's worth
securing all the doors equally.

hth
DDS W 2k MVP MCSE
 
Paul U.

Thanks for a quick Response Dan!

I'm pretty new to this Policy "Stuff" so I want to make
sure I understand your response.

Is my understanding correct in that I HAVE to apply my
password policy to the domain instead of the OU (or is
that just a "best practice" suggestion)? I have only
created one password policy, but for the short term I
want to apply it just to one site (Geographic Region).
Eventually I will apply it to the entire domain.

Thanks for your help...
Paul U.
 
Danny Sanders

Is my understanding correct in that I HAVE to apply my
password policy to the domain instead of the OU (or is
that just a "best practice" suggestion)?

If you want the password policy to affect your users when they log onto the
domain, yes.
Password policies applied at the OU level do not apply when a user logs on
to the domain from one of those computers in the OU.

When logging on to a computer a user has a choice of logging on to the
domain or they can use the dropdown box below their username and password to
select their local computer.
Password policies applied at the OU level only apply when a user logging
onto a computer in that OU uses the drop down box to select the local
computer (computername). When they log onto the domain it has no effect.

This is not a "best practice" this is the way account (password) policies
work.


I have only
created one password policy, but for the short term I
want to apply it just to one site (Geographic Region).
Eventually I will apply it to the entire domain.

Applying the password policy to this site will have no effect unless those
users, when logging on, choose the local computer name from the dropdown
box. They will not be logging onto the domain, they will have to have a
local account created on their computer in order for them to log onto the
local computer. They will not be authenticated by the DC they will be
authenticated by the local computer account.


Account policies must be applied to the entire domain. Anything less and you
are essentially creating a security hole.

"Best Practice" or better yet a valid reason for creating a second domain is
so you CAN have different password policies within the same organization.

hth
DDS W 2k MVP MCSE
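The distinction Danny draws in both of his replies above (an OU-linked password policy only changes the local SAM policy of the computers in that OU; domain accounts are governed solely by the policy linked at the domain root) can be checked directly. The script below is an added example, not code from the thread or from either poster. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules are installed on a domain-joined machine, and uses a hypothetical domain name contoso.com and a hypothetical user puser; replace both.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory and GroupPolicy
# modules. 'contoso.com' and 'puser' are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain     = 'contoso.com'   # assumption: your domain's DNS name
$sampleUser = 'puser'         # assumption: any domain user in the regional OU

# 1. Policy that governs DOMAIN accounts. It lives on the domain naming context and
#    is written only by a GPO linked at the domain root (normally Default Domain Policy).
#    A password policy linked to a regional OU never reaches these values.
Write-Host "--- Domain account policy (what domain logons are checked against) ---"
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge,
                  PasswordHistoryCount, LockoutThreshold

# 2. Policy that governs LOCAL SAM accounts on this computer. This is the only thing
#    an OU-linked password policy changes, and it only matters when someone picks
#    the local computer name instead of the domain at logon.
Write-Host "--- Local SAM account policy on this computer ---"
net accounts

# 3. Same command with /domain asks a DC for the domain policy; compare with step 2.
#    If the OU-linked GPO 'worked', you will see it here in step 2 but not in step 3.
Write-Host "--- Domain policy as reported by a DC ---"
net accounts /domain

# 4. Which GPOs are linked at the domain root, in precedence order. Order 1 wins
#    when two linked GPOs both define an account-policy setting.
Write-Host "--- GPOs linked at the domain root ---"
$domainDN = (Get-ADDomain -Identity $domain).DistinguishedName
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# 5. On Windows Server 2008 or later domain functional levels, a fine-grained
#    password policy (PSO) applied to a group can override the domain policy for
#    its members. The cmdlet returns nothing when no PSO applies to the user.
Write-Host "--- Resultant password policy for $sampleUser ---"
$rsop = Get-ADUserResultantPasswordPolicy -Identity $sampleUser
if ($null -eq $rsop) {
    "No PSO applies to $sampleUser; the default domain policy governs."
} else {
    $rsop | Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength
}
```

Run it on a workstation that sits in the regional OU and has received the OU-linked GPO: step 2 will show the complexity and length values from that GPO, while steps 1 and 3 will still show the domain root's values, which is exactly the behaviour described in the replies. Step 5 is a caveat for readers on newer domains: the thread predates fine-grained password policies, which on a Server 2008 or later functional level let one domain carry different password policies for different groups without standing up a second domain; on a Windows 2000/2003 domain it returns nothing and the separate-domain answer stands.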
 
Paul U.

Dan,
I wish that Microsoft could explain Password Policy in
simple terms like that. Your explanation could not have
been better.
Thanks a bunch!!

Paul U.