Override Default Domain Policy - how??

Okramo

Hi,

I've created OU "Testers". Opened "Testers" properties and at Group
Policy menu created Group Policy Object linked to OU "Testers".

There at GP Object I've changed setting required password complexity
and disabled it.

Also I've blocked Policy Inheritance to disable applying Default
Domain Policy to my OU "Testers", cause there in Default Domain Policy
I have password complexity configured which I don't want to assign to
OU "Testers".

My problem is that when I want to create user in OU "Testers" it
always warns me to use complex password, which is configured at
default domain policy. I can't create user with simple password what I
was planning to accomplish with creating Group Policy Object for OU
"Testers".


How can I override default domain policy?
How can I assign custom group policy to specific OU?

Thank you for answers!
 
Hello,
The account part is always read from the default domain gpo.
You can't set this part elsewhere, this is domain wide.


--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
 
AFAIK you CAN do this by using group policy filtering. Thus you CAN create
different password policies in the same domain; the only thing is, you have
to circumvent this by creation. I think the easiest way of doing so will be:
create an account template for the testers, create a security group called
testers, put the template in the group and specify on the default domain
policy that this policy is denied apply group policy to testers (so testers
do not GET ANY setting in this policy).

(This is off the top of my head; if it works please report back,
theoretically it should.)

--
Good luck

Eric Denekamp
http://blogs.infosupport.com/ericd

 
I've tried to do the trick as you said, but I have the same thing
happening as before.

I found some info about my problem. In Win2k and Win2k3 you can have
just one Account and Password policy per domain.

This is some kind of limitation on Win2k and Win2k3 operating systems.
It should be fixed in next service pack or in next version of server
system.

To use more Password and Acc policies I should create child domains
and apply policies on them.

If someone knows other solution or trick please write it.


 
I am sorry, but you can't. Any trick to make it would be dirty and may lead
to issues.


--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
 
Darn, I remember a workaround like this somewhere, but I cannot recall it. I
know multiple password policies will be available in Server 2008.

Sorry I cannot help you any further.

--
Good luck

Eric Denekamp
http://blogs.infosupport.com/ericd

 
On Aug 21, 10:34 pm, Okramo <okr...@gmail.com> wrote:
> I've tried to do the trick as you said, but I have the same thing
> happening as before.
>
> I found some info about my problem. In Win2k and Win2k3 you can have
> just one Account and Password policy per domain.
>
> This is some kind of limitation on Win2k and Win2k3 operating systems.
> It should be fixed in next service pack or in next version of server
> system.
>
> To use more Password and Acc policies I should create child domains
> and apply policies on them.
>
> If someone knows other solution or trick please write it.

There are only two ways to assign password policies by OU. Write your
own password filter, or buy a configurable one. MSDN has all the
details on how to write your own. Some people here advise against it
because of the risks involved. You'll need to make up your own mind on
this issue.

ANIXIS Password Policy Enforcer and Specops Password Policy can both
enforce policies by OU. I work for ANIXIS, so I will refrain from
making comments about either product here. Trial versions of both
products are available from their respective web sites.
 
Okramo wrote:
> Hi,
>
> I've created OU "Testers". Opened "Testers" properties and at Group
> Policy menu created Group Policy Object linked to OU "Testers".
>
> There at GP Object I've changed setting required password complexity
> and disabled it.
>
> Also I've blocked Policy Inheritance to disable applying Default
> Domain Policy to my OU "Testers", cause there in Default Domain Policy
> I have password complexity configured which I don't want to assign to
> OU "Testers".
>
> My problem is that when I want to create user in OU "Testers" it
> always warns me to use complex password, which is configured at
> default domain policy. I can't create user with simple password what I
> was planning to accomplish with creating Group Policy Object for OU
> "Testers".
>
>
> How can I override default domain policy?
> How can I assign custom group policy to specific OU?
>
> Thank you for answers!


Hi

In a pre-Server 2008 domain the only place in which the password
complexity group policy settings matter is to the OU containing the
domain controller holding the PDC emulator FSMO role. You cannot specify
different password policy for different OUs unless you have a 2008 domain.

Regards

Chris
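
Added example, not part of any post in this thread: a PowerShell audit that shows which password policy actually governs each account in an OU, which is the check that would have revealed that the GPO linked to "Testers" had no effect on domain account passwords. It assumes the ActiveDirectory module (Server 2008 R2 or later, or RSAT); the OU path is a hypothetical placeholder. Fine-grained password policies (PSOs) attach to users or global security groups, not to OUs, so the report resolves policy per user.

```powershell
# Added example: report the effective password policy for every user in an OU.
# Assumption: the ActiveDirectory module is installed and the caller can read AD.
Import-Module ActiveDirectory

# Hypothetical placeholder; replace with the distinguished name of your OU.
$TestersOU = 'OU=Testers,DC=example,DC=com'

# Domain-wide account policy. Every account gets these settings unless a
# fine-grained password policy (PSO) applies to it directly or via a group.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

function Get-EffectivePasswordPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase
    )

    Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
        # Returns nothing when no PSO applies to this user.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_

        if ($pso) {
            $source = "PSO: $($pso.Name)"
            $policy = $pso
        }
        else {
            $source = 'Default domain policy'
            $policy = $domainPolicy
        }

        # One row per user; OU-linked GPOs never appear as a source here.
        New-Object psobject -Property @{
            User              = $_.SamAccountName
            Source            = $source
            ComplexityEnabled = $policy.ComplexityEnabled
            MinPasswordLength = $policy.MinPasswordLength
        }
    }
}

Get-EffectivePasswordPolicy -SearchBase $TestersOU |
    Select-Object User, Source, ComplexityEnabled, MinPasswordLength |
    Format-Table -AutoSize
```

Accounts reported with "Default domain policy" as the source are bound by the domain-wide settings regardless of blocked inheritance or GPOs linked to their OU.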
 