Windows Thread, Password Policy - 2003 in Technical
7th October 2008, 09:22 AM #1
Password Policy - 2003
Is it possible to set different password policies for different OUs in AD in Server 2003, or does the domain-level group policy set all this? We are wanting to enforce tighter passwords for staff. I know that if we enable it for the whole domain the kids are going to find it hard to log on.
7th October 2008, 09:23 AM #2
Sorry, this one's at Domain level... one password policy fits all
7th October 2008, 09:27 AM #3
As elsiegee says, password policies are domain wide in Server 2003, so you either have to have a second domain or you could update to Server 2008 which allows multiple security policies.
7th October 2008, 09:37 AM #4
If I upgrade to 2008, will I only need to upgrade the one server for the Group Policy settings to be copied over, or will I need to upgrade all the DCs to 2008?
7th October 2008, 09:57 AM #5
I'm not 100% sure. But I believe if you upgrade the main DC, the others have their schemas updated. The only issue would be the management tools, as 2008 has a new format of tools, compared to the old .msc files.
7th October 2008, 07:49 PM #6
Officially, and according to all available literature, you can only have one Password Policy per domain...
But... I have seen an explanation of how to do this... I can't find where it was now... Google is failing me...
It was something to do with changing the security on the domain level policy.
You have one that only staff can access, and another that only students can access. I think it means you can't have users in both groups.
I will have another look around, it may have been on a whitepaper I got from somewhere, so it'll be at work.
8th October 2008, 09:21 AM #7
Password policy is applied per domain, or per subdomain...
So you could theoretically create a subdomain for staff, and a subdomain for pupils and apply differing password policies there.
E.g. if your domain was myschool.com you could create students.myschool.com and apply a lax password policy here, and staff.myschool.com and create a strict password policy here. Of course, the relevant users need to be located in the correct subdomains.
8th October 2008, 11:21 AM #8
As already mentioned you have two choices - running 2003 server, you can create a child domain which allows different password policies or alternatively 2008 server allows you to do this per OU.
If I had the choice, I would upgrade to 2008 server. A much simpler solution and more tools to play around with. I would highly recommend ALL servers run 2008, unless there's a specific reason you cannot do this?
15th October 2008, 08:39 AM #9
For the password policies to be applied in Server 2008 the domain level needs to be raised to 2008, which you can't do whilst you have 2003 DCs.
I'm currently running at 2008 domain level and it was a fairly painless upgrade process. Just make sure you test it a couple of times first in a VM.
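An added example, not part of any post in this thread: how the Server 2008 multiple-policy option discussed above is typically configured once the domain functional level is raised. Fine-grained password policies (PSOs) link to users or global security groups rather than to OUs, so the script keeps a "shadow" group in step with a staff OU. It assumes the ActiveDirectory PowerShell module (shipped with Server 2008 R2 / RSAT); the OU, group and policy names and all policy values are hypothetical, and `myschool.com` is the sample domain from post #7.

```powershell
# Assumption: ActiveDirectory module is available (Server 2008 R2 / RSAT or later).
Import-Module ActiveDirectory

# Hypothetical names; adjust to your own directory.
$staffOu = 'OU=Staff,DC=myschool,DC=com'
$group   = 'Staff-PasswordPolicy'
$psoName = 'Staff-Strict-PSO'

# 1. PSOs only take effect at the Windows Server 2008 domain functional level or higher.
$mode = (Get-ADDomain).DomainMode.ToString()
if (@('Windows2000Domain','Windows2003InterimDomain','Windows2003Domain') -contains $mode) {
    throw "Domain functional level is $mode; raise it to Windows Server 2008 first."
}

# 2. PSOs apply to users or global security groups, not OUs,
#    so mirror the staff OU into a shadow group.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $staffOu
}
$staff   = @(Get-ADUser -SearchBase $staffOu -SearchScope Subtree -Filter *)
$current = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.DistinguishedName })
$missing = @($staff | Where-Object { $current -notcontains $_.DistinguishedName })
if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $group -Members $missing }

# 3. Create the stricter staff policy (constructed sample values) and link it to the group.
#    A lower Precedence number wins when several PSOs reach the same user.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '0.00:30:00' `
        -LockoutObservationWindow '0.00:30:00' -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# 4. Verify: users with no PSO fall back to the domain-wide policy,
#    so an empty result here means the staff member was missed.
foreach ($u in $staff) {
    $rp   = Get-ADUserResultantPasswordPolicy -Identity $u
    $name = if ($rp) { $rp.Name } else { 'Default Domain Policy' }
    '{0,-20} {1}' -f $u.SamAccountName, $name
}
```

Re-run steps 2 and 4 on a schedule or after staff accounts are created, since accounts added to the OU later are not covered until they join the group.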
15th October 2008, 09:38 AM #10
We have some middleware called Anixis Password Policy Enforcer - granular password policies that solves this problem on 2003+XP. The screenshots show Vista, but it does work.
15th October 2008, 09:51 AM #11
It's a bit costly! $1660 for 601 - 700 users!