Password Policy question

[adfreek]

Hello,

We're trying to clarify an issue. We would like to implement a password policy (aging, resets, etc) in our domain. We're a single W2K3 domain running AD. We would like to set up multiple OU's and implement seperate password policies. Is this possible? Some people have said that these settings can only be applied at the Default Domain Policy level?

Thanks

 

[quell]

>We would like to set up multiple OU's and implement seperate password policies. Is this possible?

Yes, This is possible. Just like you said create different OU's

>Some people have said that these settings can only be applied at the Default Domain Policy level?

You can create multiple policies and apply them to whatever OU's you wish.

 

[bofhrevenge2]

I'm pretty sure you will find that password policy at OU level will only affect local user accounts, the only policy that can affect domain user accounts is the domain policy.

You can set policy at OU level but test it and you will find that they have no affect.

 

[PuterLuver]

It is only possible to have one password policy for DOMAIN users, and the policy must be set at the domain level.

 

[NickFerrar]

As others have said - password policy only applies at a domain level. MS are apparently working on allowing OU level policies but I wouldn't hold my breath.

If you have different policies at the OU level they'll just be ignored (although I've read there's also a bug so you may get an OU password policy applied domain-wide if you're not careful but I can't see how this would happen...).