Guest Okramo Posted August 21, 2007 Posted August 21, 2007 Hi, I've created OU "Testers". Opened "Testers" properties and at Group Policy menu created Group Policy Object linked to OU "Testers". There at GP Object I've changed setting required password complexity and disabled it. Also I've blocked Policy Inheritance to disable applying Default Domain Policy to my OU "Testers", cause there in Default Domain Policy I have password complexity configured which I don't want to assign to OU "Testers". My problem is that when I want to create user in OU "Testers" it always warns me to use complex password, which is configured at default domain policy. I can't create user with simple password what I was planning to accomplish with creating Grup Policy Object for OU "Testers". How can I override default domain policy? How can I assign custom group policy to specific OU? Thank you for answers!
Guest Mathieu CHATEAU Posted August 21, 2007 Posted August 21, 2007 Re: Override Default Domain Policy - how?? Hello, The account part is always read from the default domain gpo. You can't set this part elsewhere, this is domain wide. -- Cordialement, Mathieu CHATEAU http://lordoftheping.blogspot.com "Okramo" <okramo@gmail.com> wrote in message news:1187685933.618016.294800@w3g2000hsg.googlegroups.com... > Hi, > > I've created OU "Testers". Opened "Testers" properties and at Group > Policy menu created Group Policy Object linked to OU "Testers". > > There at GP Object I've changed setting required password complexity > and disabled it. > > Also I've blocked Policy Inheritance to disable applying Default > Domain Policy to my OU "Testers", cause there in Default Domain Policy > I have password complexity configured which I don't want to assign to > OU "Testers". > > My problem is that when I want to create user in OU "Testers" it > always warns me to use complex password, which is configured at > default domain policy. I can't create user with simple password what I > was planning to accomplish with creating Grup Policy Object for OU > "Testers". > > > How can I override default domain policy? > How can I assign custom group policy to specific OU? > > Thank you for answers! >
Guest Eric Denekamp Posted August 21, 2007 Posted August 21, 2007 Re: Override Default Domain Policy - how?? afaik you CAN do this by using group policy filtering, Thus you CAN create different password policies in the same domain, the only thing is, you have to circumvent this by creation, I think the easiest way of doing so will be: create an account template for the testers, create a Security group called testers, put the template in the group and specify on the default doman policy that this policy is denied apply group policy to testers, (so testers do not GET ANY setting in this policy) (This is of the top of my head, if it works please report back, theoretically it should) -- Good luck Eric Denekamp http://blogs.infosupport.com/ericd ============================= "Mathieu CHATEAU" <gollum123@free.fr> wrote in message news:evhQjG94HHA.1184@TK2MSFTNGP04.phx.gbl... > Hello, > The account part is always read from the default domain gpo. > You can't set this part elsewhere, this is domain wide. > > > -- > Cordialement, > Mathieu CHATEAU > http://lordoftheping.blogspot.com > > > "Okramo" <okramo@gmail.com> wrote in message > news:1187685933.618016.294800@w3g2000hsg.googlegroups.com... >> Hi, >> >> I've created OU "Testers". Opened "Testers" properties and at Group >> Policy menu created Group Policy Object linked to OU "Testers". >> >> There at GP Object I've changed setting required password complexity >> and disabled it. >> >> Also I've blocked Policy Inheritance to disable applying Default >> Domain Policy to my OU "Testers", cause there in Default Domain Policy >> I have password complexity configured which I don't want to assign to >> OU "Testers". >> >> My problem is that when I want to create user in OU "Testers" it >> always warns me to use complex password, which is configured at >> default domain policy. I can't create user with simple password what I >> was planning to accomplish with creating Grup Policy Object for OU >> "Testers". >> >> >> How can I override default domain policy? >> How can I assign custom group policy to specific OU? >> >> Thank you for answers! >> >
Guest Okramo Posted August 21, 2007 Posted August 21, 2007 Re: Override Default Domain Policy - how?? I've tried do the trick as you said, but I have the same thing happening as before. I found some info about my problem. In Win2k and Win2k3 you can have just one Account and Password policy per domain. This is some kind of limitation on Win2k and Win2k3 operating systems. It should be fixed in next service pack or in next version of server system. To use more Password and Acc policies I should create child domains and apply policies on them. If someone knows other solution or trick please write it. > afaik you CAN do this by using group policy filtering, Thus you CAN create > different password policies in the same domain, the only thing is, you have > to circumvent this by creation, I think the easiest way of doing so will be: > create an account template for the testers, create a Security group called > testers, put the template in the group and specify on the default doman > policy that this policy is denied apply group policy to testers, (so testers > do not GET ANY setting in this policy) > > (This is of the top of my head, if it works please report back, > theoretically it should) > > -- > Good luck > > Eric Denekamphttp://blogs.infosupport.com/ericd >
Guest Mathieu CHATEAU Posted August 21, 2007 Posted August 21, 2007 Re: Override Default Domain Policy - how?? I am sorry, but you can't. Any trick to make it would be dirty and may lead to issues. -- Cordialement, Mathieu CHATEAU http://lordoftheping.blogspot.com "Okramo" <okramo@gmail.com> wrote in message news:1187699698.556093.259220@d55g2000hsg.googlegroups.com... > I've tried do the trick as you said, but I have the same thing > happening as before. > > I found some info about my problem. In Win2k and Win2k3 you can have > just one Account and Password policy per domain. > > This is some kind of limitation on Win2k and Win2k3 operating systems. > It should be fixed in next service pack or in next version of server > system. > > To use more Password and Acc policies I should create child domains > and apply policies on them. > > If someone knows other solution or trick please write it. > > >> afaik you CAN do this by using group policy filtering, Thus you CAN >> create >> different password policies in the same domain, the only thing is, you >> have >> to circumvent this by creation, I think the easiest way of doing so will >> be: >> create an account template for the testers, create a Security group >> called >> testers, put the template in the group and specify on the default doman >> policy that this policy is denied apply group policy to testers, (so >> testers >> do not GET ANY setting in this policy) >> >> (This is of the top of my head, if it works please report back, >> theoretically it should) >> >> -- >> Good luck >> >> Eric Denekamphttp://blogs.infosupport.com/ericd >> >
Guest Eric Denekamp Posted August 21, 2007 Posted August 21, 2007 Re: Override Default Domain Policy - how?? darn I remember a work around like this somewhere, but I cannot recall, I know multiple password policies will be available in Server 2008. sorry I cannot help you any further. -- Good luck Eric Denekamp http://blogs.infosupport.com/ericd ============================= "Okramo" <okramo@gmail.com> wrote in message news:1187699698.556093.259220@d55g2000hsg.googlegroups.com... > I've tried do the trick as you said, but I have the same thing > happening as before. > > I found some info about my problem. In Win2k and Win2k3 you can have > just one Account and Password policy per domain. > > This is some kind of limitation on Win2k and Win2k3 operating systems. > It should be fixed in next service pack or in next version of server > system. > > To use more Password and Acc policies I should create child domains > and apply policies on them. > > If someone knows other solution or trick please write it. > > >> afaik you CAN do this by using group policy filtering, Thus you CAN >> create >> different password policies in the same domain, the only thing is, you >> have >> to circumvent this by creation, I think the easiest way of doing so will >> be: >> create an account template for the testers, create a Security group >> called >> testers, put the template in the group and specify on the default doman >> policy that this policy is denied apply group policy to testers, (so >> testers >> do not GET ANY setting in this policy) >> >> (This is of the top of my head, if it works please report back, >> theoretically it should) >> >> -- >> Good luck >> >> Eric Denekamphttp://blogs.infosupport.com/ericd >> >
Guest ANIXIS Posted August 22, 2007 Posted August 22, 2007 Re: Override Default Domain Policy - how?? On Aug 21, 10:34 pm, Okramo <okr...@gmail.com> wrote: > I've tried do the trick as you said, but I have the same thing > happening as before. > > I found some info about my problem. In Win2k and Win2k3 you can have > just one Account and Password policy per domain. > > This is some kind of limitation on Win2k and Win2k3 operating systems. > It should be fixed in next service pack or in next version of server > system. > > To use more Password and Acc policies I should create child domains > and apply policies on them. > > If someone knows other solution or trick please write it. > > > > > afaik you CAN do this by using group policy filtering, Thus you CAN create > > different password policies in the same domain, the only thing is, you have > > to circumvent this by creation, I think the easiest way of doing so will be: > > create an account template for the testers, create a Security group called > > testers, put the template in the group and specify on the default doman > > policy that this policy is denied apply group policy to testers, (so testers > > do not GET ANY setting in this policy) > > > (This is of the top of my head, if it works please report back, > > theoretically it should) > > > -- > > Good luck > > > Eric Denekamphttp://blogs.infosupport.com/ericd- Hide quoted text - > > - Show quoted text - There are only two ways to assign password policies by OU. Write your own password filter, or buy a configurable one. MSDN has all the details on how to write your own. Some people here advise against it because of the risks involved. You'll need to make up your own mind on this issue. ANIXIS Password Policy Enforcer and Specops Password Policy can both enforce policies by OU. I work for ANIXIS, so I will refrain from making comments about either product here. Trial versions of both products are available from their respective web sites.
Guest Chris Hills Posted August 25, 2007 Posted August 25, 2007 Re: Override Default Domain Policy - how?? Okramo wrote: > Hi, > > I've created OU "Testers". Opened "Testers" properties and at Group > Policy menu created Group Policy Object linked to OU "Testers". > > There at GP Object I've changed setting required password complexity > and disabled it. > > Also I've blocked Policy Inheritance to disable applying Default > Domain Policy to my OU "Testers", cause there in Default Domain Policy > I have password complexity configured which I don't want to assign to > OU "Testers". > > My problem is that when I want to create user in OU "Testers" it > always warns me to use complex password, which is configured at > default domain policy. I can't create user with simple password what I > was planning to accomplish with creating Grup Policy Object for OU > "Testers". > > > How can I override default domain policy? > How can I assign custom group policy to specific OU? > > Thank you for answers! Hi In a pre-server 2008 domain the only place in which the password complexity group policy settings matter is to the ou containing the domain controller holding the pdc emulator dsmo role. You cannot specify different password policy for different ous unless you have a 2008 domain. Regards Chris
Guest sulaiman mohammed Posted May 15, 2008 Posted May 15, 2008 Override Default Domain Policy - how?? If we want to remove password complexity requirement for users u should want to move that computers to that OU to make this policy affect. that policy comes under the COMPUTER CONFIGURATION policy not intended for USER Configuration
Guest Meinolf Weber Posted May 15, 2008 Posted May 15, 2008 Re: Override Default Domain Policy - how?? Hello sulaiman, If you are talking about a PRE-2008 domain, then you have one password policy on DOMAIN level. So you can just configure it there and it is for the complete domain. If you just will remove the complexity part you have to set it under computer configuration, that's the place where the password policy has to be set, nowhere else. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm > If we want to remove password complexity requirement for users u > should want to move that computers to that OU to make this policy > affect. > > that policy comes under the COMPUTER CONFIGURATION policy not intended > for USER Configuration >
Recommended Posts