Discussion:
How to over-ride domain group policy for password length, complexity, etc
Eric W. Holzapfel
2005-06-30 00:47:06 UTC
Hello AD Experts,

I have a new installation of W2K3, I want to be able to override the
password policy set for the domain (the default out-of-the-box policy)
for passwords. I want a certain group of users to not have to have a
password to log in to the server. I have an OU for these users, and a
group policy defined, and a group. But the Policy will not override the
domain security policy. I would like to not change the default domain
security policy for the passwords (if this is indeed possible).

I thought that the hierarchy of policy application is the policy at the
OU level wins? Is there a way I can do this???

Thanks,

eric
Joe Richards [MVP]
2005-06-30 00:52:35 UTC
You cannot override domain account policy because it is applied to Domain
Controllers and the default domain partition. This impacts all users.

You can set it so certain users don't need passwords by flagging those accounts
in particular with password not required. You can't do this from the GUI; you
will need to script it or otherwise modify the AD userAccountControl attribute
for the users directly. See

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp


for the proper values.

Having said that, having accounts without passwords is almost always an insanely
bad idea.


joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Post by Eric W. Holzapfel
Hello AD Experts,
I have a new installation of W2K3, I want to be able to override the
password policy set for the domain (the default out-of-the-box policy)
for passwords. I want a certain group of users to not have to have a
password to log in to the server. I have an OU for these users, and a
group policy defined, and a group. But the Policy will not override the
domain security policy. I would like to not change the default domain
security policy for the passwords (if this is indeed possible).
I thought that the hierarchy of policy application is the policy at the
OU level wins? Is there a way I can do this???
Thanks,
eric
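
As an added example (not part of the original thread or any poster's code), this Python sketch audits an LDIF export for enabled accounts that carry the password-not-required flag in userAccountControl, which is the flag the reply above refers to. The flag values are those of ADS_USER_FLAG_ENUM; the function names and the sample records are constructed for illustration.

```python
# Added example: find enabled accounts with PASSWD_NOTREQD set.
# Flag values are from ADS_USER_FLAG_ENUM; function names are hypothetical.
import re

ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
UAC_FLAGS = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x800000: "PASSWORD_EXPIRED",
}

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_ldif(text):
    """Parse a minimal LDIF export into (dn, userAccountControl) pairs."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")
            if sep:
                attrs[key.strip().lower()] = val.strip()
        if "dn" in attrs and "useraccountcontrol" in attrs:
            records.append((attrs["dn"], int(attrs["useraccountcontrol"])))
    return records

def audit(text):
    """List enabled accounts that are exempt from the password requirement."""
    return [(dn, decode_uac(uac)) for dn, uac in parse_ldif(text)
            if uac & PASSWD_NOTREQD and not uac & ACCOUNTDISABLE]

# Constructed sample export (not real accounts). An LDAP query with the
# bitwise-AND matching rule returns only flagged objects:
#   (userAccountControl:1.2.840.113556.1.4.803:=32)
SAMPLE_LDIF = """\
dn: CN=Kiosk1,OU=Kiosk,DC=example,DC=com
userAccountControl: 544

dn: CN=Alice,OU=Staff,DC=example,DC=com
userAccountControl: 512

dn: CN=OldTemp,OU=Kiosk,DC=example,DC=com
userAccountControl: 546
"""
```

Here `audit(SAMPLE_LDIF)` reports only Kiosk1: Alice does not have the flag, and OldTemp has it but is disabled.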
Todd J Heron
2005-06-30 00:59:02 UTC
The standard answer is you can't do this. Password policies set at the
domain apply to all users in the domain. They override all other GPO
policies. You cannot make a "separate" domain password policy for a
different set of users in the same domain. You may try to put your subset
of users into a group and uncheck "Apply Group Policy" for this group in
the Security properties of the DDP.

And check this out.
http://www.anixis.com/products/ppe/
--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights