Can you block default domain policy settings - specifically complex password at OU or user level?

ed

Hi,

Can you block default domain policy settings - specifically complex password
at the OU or user level? I did try blocking inheritance with no luck.



Ed
 
No, account policies can only be defined at the domain level and can't be
overridden.
This is not true for all default domain policies; some can be changed by
OU-level GPOs, but for account settings you are stuck with what is defined at
the domain level. However, if you have control over the domain-level GPO you
could try denying the 'apply group policy' right to whatever users you are
trying to change this for.
 
I think that the Domain Security Account
Settings (password, lockout, Kerberos) actually apply to the computer,
rather than the user.

I believe you will find that for Domain accounts the EFFECT is on the
DCs so there is no opportunity to avoid such policies for "some of the
users".

In fact, this is one of the technical reasons for requiring multiple
domains, even though OUs can handle most jobs that required a domain in NT.

Different security account policies require different domains.
 
Thanks for confirming what I expected, guys.

At least we still have the flexibility within a domain to disable password
expiry, which is a good workaround. Adding an additional domain for this
functionality is obviously not cost-justifiable.

Ed
 
> At least we still have the flexibility within a domain to disable password
> expiry which is a good work around. Adding an additional domain for this
> functionality is not cost justifiable obviously.

Why do you wish to disable the expiration of passwords?

If you really mean to set "never expire" then you CAN do this on each such
account individually. This is separate so that Service accounts can be set
this way.
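Because "never expire" is set per account, as the reply above notes, it is worth auditing which enabled accounts carry it. The following is an added example, not part of the original thread: it decodes the `userAccountControl` and `pwdLastSet` attributes from a directory export and reports enabled never-expire accounts whose password is older than a threshold. The account names, the sample records and the 365-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags (documented Active Directory values)
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    """pwdLastSet is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt):
    """Inverse of the above; used only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def audit_never_expire(records, now, max_age_days=365):
    """Return (name, password_age_days) for enabled never-expire accounts
    whose password is older than max_age_days, oldest first. An age of
    None means pwdLastSet was 0, i.e. no usable timestamp."""
    findings = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if uac & ACCOUNTDISABLE or not uac & DONT_EXPIRE_PASSWORD:
            continue  # disabled, or the domain expiry policy still applies
        last_set = int(rec["pwdLastSet"])
        age = None if last_set == 0 else (now - filetime_to_datetime(last_set)).days
        if age is None or age > max_age_days:
            findings.append((rec["sAMAccountName"], age))
    return sorted(findings, key=lambda f: (f[1] is None, -(f[1] or 0)))

# Constructed sample data: values are strings, as in an LDIF/CSV export.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

def _rec(name, uac, days_ago):
    stamp = 0 if days_ago is None else datetime_to_filetime(NOW - timedelta(days=days_ago))
    return {"sAMAccountName": name, "userAccountControl": str(uac), "pwdLastSet": str(stamp)}

SAMPLE = [
    _rec("svc_backup", 0x10200, 1200),  # normal account, never expires, stale
    _rec("svc_web", 0x10200, 30),       # never expires, recently rotated
    _rec("jsmith", 0x0200, 900),        # ordinary user, policy applies
    _rec("old_svc", 0x10202, 2000),     # never expires but disabled
    _rec("svc_new", 0x10200, None),     # never expires, pwdLastSet = 0
]

if __name__ == "__main__":
    for name, age in audit_never_expire(SAMPLE, NOW):
        print(f"{name}: password age {age} days, DONT_EXPIRE_PASSWORD set")
```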
 