Is it possible to isolate a group of staff and specify a set of password rules for that group only,
whilst the rest of the domain is unaffected?
Default domain policy is currently disabled and users currently reside in one of two OUs.
Password policy is applied at the domain level only. So, no, you can't. Although, it may be possible to set all the password-less accounts to "never expire" and give them a worthless password like "1" or "a" BEFORE you create a password policy, then get the users you want the policy applied to and set them to "change at next logon", then set the policy, run secedit /refreshpolicy machine_policy on the DC, then reboot those clients, log on, update the password (now complex for these users), and you will have some with the policy and some with a most relaxed policy. No promises here, but I have seen legacy users with "no expire" get away without the password policy applying. And yes, they had worthless passwords: "abcd", "1234", etc.
So the password & lockout etc. is done in the domain security policy, so when you make a change there it's set across the entire domain?
So it's not like a GP where you can block inheritance or override it?
If you configure these settings in a GPO on an OU, and not the domain, they will not be applied to the domain accounts, but just the local user accounts on each machine under the scope of the OU.
It IS a GPO, but these settings are applied at the domain level only, so even if you change settings elsewhere (on OUs), it will not be overridden... and for the blocking, I've never tried, but I imagine the security parts will not be blocked.
To be double sure, you can enforce the domain GPO to make it unblockable.
Aftertaf
If it's not broken, fix it anyway - with luck you might break it and have an excuse
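The first reply observes that accounts set to "never expire", or whose passwords were set before the policy existed, can keep weak passwords after the domain policy is turned on. As an added example (not from the thread), the PowerShell below flags such accounts for review; the function name, the cutoff date and the sample accounts are constructed assumptions.

```powershell
# Added example, not from the thread. Flags accounts whose current password
# may never have been checked against the domain password policy.
function Get-PasswordPolicyGap {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        # Assumption: the date the domain password policy was first enforced.
        [Parameter(Mandatory)] [datetime] $PolicyEnforcedSince
    )
    process {
        $reasons = @()
        if ($User.PasswordNeverExpires) { $reasons += 'never expires' }
        if ($User.PasswordNotRequired)  { $reasons += 'password not required' }
        # Complexity and length are only checked when a password is set,
        # so a password older than the policy was never validated by it.
        if ($User.PasswordLastSet -and $User.PasswordLastSet -lt $PolicyEnforcedSince) {
            $reasons += 'set before policy was enforced'
        }
        if ($reasons.Count) {
            [pscustomobject]@{
                SamAccountName  = $User.SamAccountName
                PasswordLastSet = $User.PasswordLastSet
                Reasons         = $reasons -join '; '
            }
        }
    }
}

# Constructed sample accounts so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'legacy01'; PasswordNeverExpires = $true
                       PasswordNotRequired = $false; PasswordLastSet = [datetime]'2019-03-01' }
    [pscustomobject]@{ SamAccountName = 'staff02';  PasswordNeverExpires = $false
                       PasswordNotRequired = $false; PasswordLastSet = [datetime]'2022-06-15' }
    [pscustomobject]@{ SamAccountName = 'kiosk03';  PasswordNeverExpires = $false
                       PasswordNotRequired = $true;  PasswordLastSet = [datetime]'2020-11-30' }
)
$cutoff = [datetime]'2021-01-01'   # constructed cutoff date
$sample | Get-PasswordPolicyGap -PolicyEnforcedSince $cutoff

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' `
#     -Properties PasswordNeverExpires, PasswordNotRequired, PasswordLastSet |
#     Get-PasswordPolicyGap -PolicyEnforcedSince $cutoff
```

Accounts it reports can be brought under the policy by clearing the "never expires" flag and requiring a password change at next logon.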