[gptalk] Re: Difficulty applying policies

  • From: "mike kline" <mkline@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Fri, 11 Jan 2008 19:58:26 -0500

Password policies for domain accounts can't be set at the OU level.  That
policy is set at the domain level so your domain level policy is still being

There are some third party tools that may help you out if you want a
different policy.

Windows 2008 will allow you to use fine-grained passwords so Microsoft did
listen that we wanted this feature.  More info on that here:


On Jan 11, 2008 7:37 PM, Paul Manley <paul.manley@xxxxxxxxx> wrote:

> Simplified Scenario:  Executives can't remember their difficult
> passwords.  So we are going to let them use smaller non-complex passwords.
> Let us assume that this morning I setup Active Directory on a Windows 2003
> server with SP1, but no other updates and created a few users.
> I've installed the Group Policy Management snap-in and created a new Group
> Policy Object ( under the Group Policy Objects folder of our domain ) called
> "Exec Password Policy".
> I've set the [Computer Configuration]->[Windows Settings]->[Security
> Settings]->[Account Policies]->[Password Policies] to be less restrictive in
> "Exec Password Policy".
> I create a new Organizational Unit called "Executives" and place the users
> in there.
> Now I "Link an Existing GPO..." on my "Executives" OU selecting the
> "Executive Password Policy".
> I try to reset one of the Executives passwords, but I am not allowed:
> "Windows cannot complete the password change for Fred Executive because:
> The password does not meet the password policy requirements.  Check the
> minimum password length, password complexity and password history
> requirements."
> Those are exactly what I have just turned off.  Perhaps you could point
> out the error of my configuration.  I have setup a VM domain this morning to
> do testing.
>  - Paul -

Other related posts: