Group Policy Issues...
Basically I want to set it up so that on my network if a member of staff logs onto a computer they get a password restriction policy and if a student logs onto the same machine - they get a different password policy...
I have a policy called staff and a policy called students at top level in group policy...
Each only applies to staff or the students group in AD... works perfectly for all user configuration parts of the policy... is there a loopback type thing to get it to set Machine Policy due to each user who logs on?
Spent hours on this and there is a rather dented section of wall near my desk...
My guess is all your students will be in one OU, maybe with different OUs inside for each year. The staff will be in a different OU. PCs will be in an OU with a different OU for each room, and servers and domain controllers will have further OUs.
What I would normally do is create another group policy inside the correct OU, i.e. students or staff, and give it an appropriate name. Then set the settings you need. In your case the settings would be for users.
I have had a look and the password policy is in the computer settings under security, so you might not be able to do this as the users are using the same computers.
This must be an issue in other schools? There must be a workaround?
It's OK to have a computer setting policy on a User OU. You should be able to put the policy on the Student OU and a different policy on the Staff OU and it will be fine...
... or have the least restrictive policy at domain level and then the more restrictive policy at user OU level.
Set up a couple of test OUs and a couple of test users and have a play.
2008? There may be others, but go look at this utility.
1) Forget trying to do this with normal GPOs.
2) You can **only** apply this to groups or users.
The way I have it set up so far is basically the computers are all in the respective OU and so are the staff and students - the GPs are set up to cover the whole of the domain. I have the Default, School, Staff and Student GPO at top level with the Student GP scope set only to Students (AD Group) and Staff scope only to Staff (AD Group).
Originally Posted by elsiegee40
Each of the policies works for the User config part of the GP BUT none of the machine settings apply.
This is a question on the 70-640 practice test in the MS Press book which I'm currently studying. According to the study notes, you have to create an attribute for each password policy within AD and apply that attribute to the policy. Don't really know how to achieve this as I have not tried it yet, but searching for adsi edit and password policies might find something on Google.
They seem to only apply to security groups rather than OUs, as mentioned previously.
Sorry, I think I confused you :) The Staff (AD Group) and Student (AD Group) are both Universal Security Groups - they double up as distro groups too.
In 2008R2 you can have a user-based password policy by using adsiedit to create a new msds-passwordsettings [may be worth doing a Google on that] object in the password settings container of the system node. You need to create a new password retention policy in this, some of the settings of which are very verbose, but can later be edited in a more normal view. Once set up, the new policy is applied to individual users or a security group - can't remember if you can apply to an OU from within adsiedit.
It's all much easier than it sounds and I put this off until quite late on in system deployment, but it only took about 20 minutes to achieve and test.
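The per-group password settings objects described in the posts above, created with the ActiveDirectory PowerShell module instead of adsiedit. This is an added example, not part of the original thread: the group names, PSO names, test account and all policy values are assumptions, and it assumes a domain functional level of Windows Server 2008 or higher.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Constructed sample values; substitute the school's own requirements.
# Group names are hypothetical. When a user falls under more than one PSO,
# the one with the LOWEST Precedence value wins.
$policies = @(
    @{ Group = 'FGPP-Staff';    Name = 'PSO-Staff';    Precedence = 10
       MinLength = 12; History = 24; MaxAge = '90.00:00:00';  Lockout = 5 },
    @{ Group = 'FGPP-Students'; Name = 'PSO-Students'; Precedence = 20
       MinLength = 8;  History = 5;  MaxAge = '180.00:00:00'; Lockout = 10 }
)

foreach ($p in $policies) {
    # A PSO only takes effect on user objects and GLOBAL security groups.
    # Check the scope first so a universal or distribution group is not
    # linked to a policy that then silently never applies.
    $group = Get-ADGroup -Identity $p.Group
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        Write-Warning "$($p.Group) is $($group.GroupScope)/$($group.GroupCategory); skipping."
        continue
    }

    # Creates the msDS-PasswordSettings object in
    # CN=Password Settings Container,CN=System,<domain DN>.
    $psoArgs = @{
        Name                        = $p.Name
        Precedence                  = $p.Precedence
        MinPasswordLength           = $p.MinLength
        PasswordHistoryCount        = $p.History
        MinPasswordAge              = '1.00:00:00'
        MaxPasswordAge              = $p.MaxAge
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        LockoutThreshold            = $p.Lockout
        LockoutDuration             = '0.00:30:00'
        LockoutObservationWindow    = '0.00:30:00'
    }
    New-ADFineGrainedPasswordPolicy @psoArgs

    # Link the PSO to the group (writes msDS-PSOAppliesTo on the PSO).
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $group
}

# Verify against a test account ('test.student' is a hypothetical user).
Get-ADUserResultantPasswordPolicy -Identity 'test.student' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

If `Get-ADUserResultantPasswordPolicy` returns nothing, no PSO applies to that user and the domain password policy is in effect.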