+ Post New Thread
Results 1 to 11 of 11
Windows Thread, Password Policy - 2003 in Technical; Is it possible to set different password policies for different OUs in AD in server 2003 or does the domain ...
  1. #1
    timbo343's Avatar
    Join Date
    Dec 2005
    Location
    Leeds/York area, North Yorkshire
    Posts
    3,034
    Thank Post
    305
    Thanked 293 Times in 203 Posts
    Rep Power
    120

    Password Policy - 2003

    Is it possible to set different password policies for different OUs in AD in server 2003 or does the domain level group policy set all this. We are wanting to enforce tighter passwords for staff. I know that if we enable it for the whole domain the kids are going to find it hard to log on.

    Tim

  2. #2

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    11,199
    Thank Post
    1,806
    Thanked 2,217 Times in 1,635 Posts
    Rep Power
    802
    Sorry, this one's at Domain level... one password policy fits all

  3. #3

    localzuk's Avatar
    Join Date
    Dec 2006
    Location
    Minehead
    Posts
    17,836
    Thank Post
    517
    Thanked 2,478 Times in 1,921 Posts
    Blog Entries
    24
    Rep Power
    837
    As elsiegee says, password policies are domain wide in Server 2003, so you either have to have a second domain or you could update to Server 2008 which allows multiple security policies.

  4. #4
    timbo343's Avatar
    Join Date
    Dec 2005
    Location
    Leeds/York area, North Yorkshire
    Posts
    3,034
    Thank Post
    305
    Thanked 293 Times in 203 Posts
    Rep Power
    120
    If i upgrade to 2008, will i only need to upgrade the one server for the Group Policy settings to be copied over or will i need to upgrade all the DCs to 2008?

  5. #5

    localzuk's Avatar
    Join Date
    Dec 2006
    Location
    Minehead
    Posts
    17,836
    Thank Post
    517
    Thanked 2,478 Times in 1,921 Posts
    Blog Entries
    24
    Rep Power
    837
    Quote Originally Posted by timbo343 View Post
    If i upgrade to 2008, will i only need to upgrade the one server for the Group Policy settings to be copied over or will i need to upgrade all the DCs to 2008?
    I'm not 100% sure. But I believe if you upgrade the main DC, the others have their schemas updated. The only issue would be the management tools, as 2008 has a new format of tools, compared to the old .msc files.

  6. #6
    User3204's Avatar
    Join Date
    Aug 2006
    Location
    Wirral
    Posts
    769
    Thank Post
    55
    Thanked 66 Times in 62 Posts
    Rep Power
    34
    Officially, and according to all available literature, you can only have one Password Policy per domain...

    But.. I have seen an explanation of how to do this.. I can't find where it was now... google is failing me ...

    It was something to do with changing the security on the domain level policy.
    You have one that only staff can access, and another that only students can access, I think it means you can't have users in both groups.

    I will have another look around, it may have been on a whitepaper I got from somewhere, so it'll be at work.

  7. #7
    Butuz's Avatar
    Join Date
    Feb 2007
    Location
    Wales, UK
    Posts
    1,579
    Thank Post
    211
    Thanked 220 Times in 176 Posts
    Rep Power
    63
    Password policy is applied per domain, or per subdomain...

    So you could theoretically create a subdomain for staff, and a subdomain for pupils and apply differing password policies there.

    EG If your domain was myschool.com you could create students.myschool.com and apply a lax password policy here, and staff.myschool.com and create a strict passwoird policy here. Of course, the relavent users need to be located in the correct subdomains.

  8. #8

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,262
    Thank Post
    242
    Thanked 1,572 Times in 1,252 Posts
    Rep Power
    340
    As already mentioned you have two choices - running 2003 server, you can create a child domain which allows different password policies or alternatively 2008 server allows you to do this per OU.

    If I had the choice, I would upgrade to 2008 server. A much simpler solution and more tools to play around with. I would highly recommend ALL servers run 2008, unless there's a specific reason you cannot do this?

  9. #9

    Join Date
    Jul 2007
    Location
    Nottingham
    Posts
    196
    Thank Post
    19
    Thanked 7 Times in 7 Posts
    Rep Power
    16
    For the password policies to be applied in Server 2008 the domain level needs to be raised to 2008, which you can't do whilst you have 2003 DCs.

    I'm currently running at 2008 domain level and was an fairly painless upgrade process. Just make sure you test it a couple of times first in a VM.

  10. #10

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,859
    Thank Post
    412
    Thanked 777 Times in 650 Posts
    Rep Power
    182
    We have some middleware called Anexis Password Policy Enforcer - granular password policies that solves this problem on 2003+XP. The screenshots show Vista, but it does work.

  11. #11

    localzuk's Avatar
    Join Date
    Dec 2006
    Location
    Minehead
    Posts
    17,836
    Thank Post
    517
    Thanked 2,478 Times in 1,921 Posts
    Blog Entries
    24
    Rep Power
    837
    Quote Originally Posted by powdarrmonkey View Post
    We have some middleware called Anexis Password Policy Enforcer - granular password policies that solves this problem on 2003+XP. The screenshots show Vista, but it does work.
    It's a bit costly! $1660 for 601 - 700 users!

SHARE:
+ Post New Thread

Similar Threads

  1. Password policy for remote users
    By cookie_monster in forum Windows
    Replies: 4
    Last Post: 18th May 2008, 03:46 PM
  2. Password changes in Server 2003
    By Mr_M_Cox in forum Windows
    Replies: 2
    Last Post: 7th April 2008, 11:42 AM
  3. Setting up the Password Policy on domain.
    By tosca925 in forum Windows
    Replies: 5
    Last Post: 13th June 2007, 08:28 PM
  4. Setting password policy at OU level.
    By tosca925 in forum Windows
    Replies: 9
    Last Post: 5th June 2007, 05:36 PM
  5. HELP! Recovering Windows 2003 Admin password
    By crc-ict in forum Windows
    Replies: 7
    Last Post: 8th September 2006, 06:40 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •