Windows Server - Override Default Domain Policy - how??

Asked By Okramo on 21-Aug-07 04:45 AM

I've created an OU "Testers". I opened the "Testers" properties and, in the
Group Policy menu, created a Group Policy Object linked to OU "Testers".

In that GP Object I've changed the password complexity requirement setting
and disabled it.

I've also blocked Policy Inheritance to stop the Default
Domain Policy from applying to my OU "Testers", because in the Default Domain
Policy I have password complexity configured, which I don't want to assign to
OU "Testers".

My problem is that when I want to create a user in OU "Testers" it
always warns me to use a complex password, which is configured in the
Default Domain Policy. I can't create a user with a simple password, which is
what I was planning to accomplish by creating a Group Policy Object for OU

How can I override default domain policy?
How can I assign custom group policy to specific OU?

Thank you for answers!

Mathieu CHATEAU replied on 21-Aug-07 04:58 AM
The account part is always read from the default domain gpo.
You cannot set this part elsewhere, this is domain wide.

Eric Denekamp replied on 21-Aug-07 05:39 AM
AFAIK you CAN do this by using group policy filtering. Thus you CAN create
different password policies in the same domain; the only thing is, you have
to circumvent this by creation. I think the easiest way of doing so will be:
create an account template for the testers, create a security group called
testers, put the template in the group and specify on the default domain
policy that this policy is denied "apply group policy" for testers (so testers
do not GET ANY setting in this policy).

(This is off the top of my head; if it works please report back,
theoretically it should.)

Good luck

Eric Denekamp

Okramo replied on 21-Aug-07 08:34 AM
I've tried to do the trick as you said, but I have the same thing
happening as before.

I found some info about my problem. In Win2k and Win2k3 you can have
just one Account and Password policy per domain.

This is some kind of limitation on Win2k and Win2k3 operating systems.
It should be fixed in next service pack or in next version of server

To use more Password and Acc policies I should create child domains
and apply policies on them.

If someone knows another solution or trick, please write it.

Mathieu CHATEAU replied on 21-Aug-07 08:51 AM
I am sorry, but you cannot. Any trick to make it would be dirty and may lead
to issues.

Eric Denekamp replied on 21-Aug-07 09:15 AM
Darn, I remember a workaround like this somewhere, but I cannot recall it. I
know multiple password policies will be available in Server 2008.

Sorry, I cannot help you any further.

Good luck

Eric Denekamp

ANIXIS replied on 22-Aug-07 02:08 PM
There are only two ways to assign password policies by OU. Write your
own password filter, or buy a configurable one. MSDN has all the
details on how to write your own. Some people here advise against it
because of the risks involved. You'll need to make up your own mind on
this issue.

ANIXIS Password Policy Enforcer and Specops Password Policy can both
enforce policies by OU. I work for ANIXIS, so I will refrain from
making comments about either product here. Trial versions of both
products are available from their respective web sites.

Chris Hills replied on 24-Aug-07 08:54 PM
In a pre-Server 2008 domain, the only place in which the password
complexity group policy settings matter is the OU containing the
domain controller holding the PDC emulator FSMO role. You cannot specify
a different password policy for different OUs unless you have a 2008 domain.
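
The replies above say the account policy is domain-wide and that multiple password policies only arrive with Server 2008. The following is an added example, not code from any poster in this thread, that reports which password policy actually governs each user in an OU. It assumes the ActiveDirectory PowerShell module (Server 2008 R2 or later), a Server 2008 domain functional level, and a placeholder OU path `OU=Testers,DC=example,DC=com`.

```powershell
# Added example: report the password policy that really applies to each user
# in an OU. Requires the ActiveDirectory module (RSAT / Server 2008 R2+).
# The OU distinguished name is a placeholder, not a value from the thread.
Import-Module ActiveDirectory

$SearchBase = 'OU=Testers,DC=example,DC=com'   # placeholder OU path

# Domain-wide account policy: what every domain account gets by default,
# regardless of GPOs linked to the OU or blocked inheritance.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

$report = foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
    # Returns the fine-grained policy (PSO) that wins for this user,
    # or nothing when only the domain-wide policy applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user

    if ($pso) {
        [pscustomobject]@{
            User              = $user.SamAccountName
            Source            = "PSO: $($pso.Name)"
            ComplexityEnabled = $pso.ComplexityEnabled
            MinPasswordLength = $pso.MinPasswordLength
        }
    }
    else {
        [pscustomobject]@{
            User              = $user.SamAccountName
            Source            = 'Default domain policy'
            ComplexityEnabled = $domainPolicy.ComplexityEnabled
            MinPasswordLength = $domainPolicy.MinPasswordLength
        }
    }
}

$report | Sort-Object Source, User | Format-Table -AutoSize

# PSOs bind to users or global security groups, never to OUs. Listing what
# each PSO applies to makes accounts with a weaker policy easy to spot.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength,
        @{ Name = 'AppliesTo'; Expression = { $_.AppliesTo -join '; ' } }
```

Users that show "Default domain policy" are unaffected by any password settings in a GPO linked to their OU, which matches the behaviour described in the original question.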


sulaiman mohammed replied on 15-May-08 04:02 PM
If we want to remove the password complexity requirement for users, you should move the computers to that OU for this policy to take effect.

That policy comes under the COMPUTER CONFIGURATION policy; it is not intended for USER Configuration.