password complexity


Guest

I have enabled password complexity at the domain level, which works fine, but
I have downlevel OUs on which I DO NOT wish to have this restriction/policy
enforced.

Is this possible?

thanks

Richard
 

Steve Duff [MVP]

You have three options to do this kind of thing:

1) You can create a password policy on the deeper OU with the complexity policy explicitly disabled. This will override the GP at the domain level, which is applied before the OU's policies. Policies are applied in order: local, site, domain, OU (outermost to deepest). Last policy wins. This is probably what you want to do here.

2) You can use DENY access control entries on the top-level GPO's security to avoid applying that policy to particular users or machines based on identity or security group membership. You might want to do this if the need to avoid applying the password policy spans across OUs and it is simpler to just group the users together.

3) You can check "block policy inheritance" on the OU to avoid applying any upper-level GPOs (at least ones that aren't marked no-override). This would be an unusual situation where you simply want a clear policy space at the OU and more or less start over from there down.

Steve Duff, MCSE, MVP
Ergodic Systems, Inc.
 

Denis Wong @ Hong Kong

Hi Richard,

Please note that Windows 2000 allows only one domain account policy (including
password policy) per domain, so I think the original question is not
possible. However, you can have an additional policy in your downlevel OU, in
such a way that the GP will affect the local policy of the computers in the OU.
This will affect local logon.

For more info, take a look at this.

How to configure account policies in Active Directory
http://support.microsoft.com/?id=255550

br,
Denis

 

Joe Richards [MVP]

If he means that he wants multiple complexity policies for users that reside in
a single domain, that is not possible with any amount of GPO
tweaking/blocking/filtering. It is only possible with custom password filters
that are written to specifically function based on some filtering criteria.
Writing password filters is non-trivial.

The password policy for a domain is maintained in the domain policy; this is
applied to the domain controllers directly. What policies users in OUs have
applied to them has no bearing on the subject.

If you set different complexity settings in a single domain, they will only be
effective for local userids (NOT domain userids) on workstations and member
servers that are covered by those OUs.

joe
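An added example, not part of the thread and not any poster's own code, that makes Joe's point checkable on a current domain: the policy a domain account is subject to is whatever has been written to the domain head object (minPwdLength, pwdProperties and friends), while an OU-linked password GPO only changes the local security database of the member machines it applies to. The script assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host and an elevated prompt for the secedit export; it uses tools that did not exist on Windows 2000, and the function names are this example's own.

```powershell
# Added example: compare the domain password policy (what domain accounts get)
# with the effective local policy on this member machine (what local SAM
# accounts get). Assumes the ActiveDirectory module and an elevated prompt.
Import-Module ActiveDirectory

# Bit flags carried in the pwdProperties attribute of the domain object.
$PwdPropertyFlags = [ordered]@{
    DOMAIN_PASSWORD_COMPLEX         = 0x01
    DOMAIN_PASSWORD_NO_ANON_CHANGE  = 0x02
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x04
    DOMAIN_LOCKOUT_ADMINS           = 0x08
    DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
    DOMAIN_REFUSE_PASSWORD_CHANGE   = 0x20
}

function ConvertFrom-AdInterval {
    # AD stores password ages as negative counts of 100 ns ticks;
    # Int64.MinValue means "never expires", 0 means "no minimum".
    param([Int64]$Value)
    if ($Value -eq [Int64]::MinValue) { return 'never' }
    if ($Value -eq 0)                 { return 'none' }
    return [TimeSpan]::FromTicks(-$Value).ToString()
}

function Get-DomainPasswordPolicy {
    # Authoritative for every domain account, whatever OU the user object
    # lives in and whatever GPOs are linked to that OU.
    $dn    = (Get-ADDomain).DistinguishedName
    $props = @('minPwdLength', 'minPwdAge', 'maxPwdAge',
               'pwdHistoryLength', 'pwdProperties', 'lockoutThreshold')
    $obj   = Get-ADObject -Identity $dn -Properties $props
    $flags = foreach ($f in $PwdPropertyFlags.GetEnumerator()) {
        if ($obj.pwdProperties -band $f.Value) { $f.Key }
    }
    [pscustomobject]@{
        Scope             = "domain ($dn)"
        MinPasswordLength = $obj.minPwdLength
        PasswordHistory   = $obj.pwdHistoryLength
        MinPasswordAge    = ConvertFrom-AdInterval $obj.minPwdAge
        MaxPasswordAge    = ConvertFrom-AdInterval $obj.maxPwdAge
        LockoutThreshold  = $obj.lockoutThreshold
        ComplexityEnabled = [bool]($obj.pwdProperties -band 0x01)
        PwdPropertyFlags  = ($flags -join ', ')
    }
}

function Get-LocalPasswordPolicy {
    # Effective local (SAM) policy on this member machine: the result of the
    # domain policy plus any OU-level password GPO applied to the computer.
    # secedit exports the local security database, hence the elevated prompt.
    $tmp = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    $settings = @{}
    try {
        & secedit /export /cfg $tmp /areas SECURITYPOLICY /quiet | Out-Null
        foreach ($line in Get-Content -Path $tmp) {
            # [System Access] section lines look like "PasswordComplexity = 1"
            if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
                $settings[$Matches[1]] = $Matches[2]
            }
        }
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Scope             = "local SAM on $env:COMPUTERNAME"
        MinPasswordLength = [int]$settings['MinimumPasswordLength']
        PasswordHistory   = [int]$settings['PasswordHistorySize']
        MinPasswordAge    = '{0} days' -f $settings['MinimumPasswordAge']
        MaxPasswordAge    = '{0} days' -f $settings['MaximumPasswordAge']
        LockoutThreshold  = [int]$settings['LockoutBadCount']
        ComplexityEnabled = ($settings['PasswordComplexity'] -eq '1')
    }
}

# Run on a member machine sitting in the "downlevel" OU from the question.
Get-DomainPasswordPolicy | Format-List
Get-LocalPasswordPolicy  | Format-List
```

If the OU-linked GPO disables complexity, the second object reports ComplexityEnabled as False while the first still reports True: the relaxed setting reached the machine's local accounts, but domain users who log on to that machine are still validated by the DCs against the domain object's policy. Run the same pair on a DC and both objects agree, which is the direct consequence of the domain policy being applied to the domain controllers themselves.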
 
