Password Policy - 70-411: Episode 23
-
In Episode 23 of the 70-411 course, it mentioned that to have fine-grained password policies you needed to set them in the AD Admin Center. I was wondering why you cannot just make a new GPO with the new password settings and apply it to the OU and/or apply security filters so they only apply to specific groups. If you order the GPOs properly, won't that also adjust the password policy for them? Or is this because it is a Computer Configuration policy setting and not something that can be adjusted in the user config of a GPO?
-
Hey Christopher,
The reason we use fine-grained password policies is that Active Directory will only read the password settings from policies linked at the domain level. You cannot set password settings using a GPO at lower levels; they will be ignored. PSOs were introduced in Server 2008. This finally gave us the ability to have multiple password policies in the same domain. Prior to this, in order to have different password policies, we would have to create separate domains.
Hope this answers your question; if not, let me know and we can discuss it further.
Mike -
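As an added illustration of the answer above (this is example code, not from the course or from Mike), the following PowerShell creates a Password Settings Object (PSO) with the ActiveDirectory module, applies it to a group, and then compares the resultant policy for a member of that group against the domain-level default. The group name, user name and policy values are assumptions chosen for the example.

```powershell
# Example only: requires the ActiveDirectory module (RSAT) and rights to create
# PSOs in the domain. Group, user and policy values below are assumed for illustration.
Import-Module ActiveDirectory

$psoName   = "PSO-Admins-Strict"      # assumed PSO name
$groupName = "Privileged-Admins"      # assumed global security group that already exists
$userName  = "jdoe"                   # assumed member of that group

# 1. Create the PSO. Lower Precedence wins when a user falls under several PSOs.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge "1.00:00:00" `
    -MaxPasswordAge "60.00:00:00" `
    -LockoutThreshold 5 `
    -LockoutDuration "00:30:00" `
    -LockoutObservationWindow "00:30:00" `
    -ReversibleEncryptionEnabled $false

# 2. Apply the PSO to the group. PSOs are applied to users and global security
#    groups directly, not linked to OUs the way a GPO is.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# 3. Show the domain-level default (what the Default Domain Policy sets).
Write-Host "Domain default password policy:"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold |
    Format-List

# 4. Show the policy that actually applies to the user. If the user falls under
#    no PSO this cmdlet returns nothing, meaning the domain default applies.
Write-Host "Resultant password policy for $userName:"
$resultant = Get-ADUserResultantPasswordPolicy -Identity $userName
if ($null -eq $resultant) {
    Write-Host "No PSO applies; the Default Domain Policy settings are in effect."
} else {
    $resultant |
        Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold |
        Format-List
}
```

Step 4 is the check worth keeping in a runbook: `Get-ADUserResultantPasswordPolicy` tells you which PSO (if any) won for a given user, which is the fine-grained equivalent of checking where a GPO setting came from.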
Sorry to beat a dead horse on this, but I thought it was recommended never to edit the Default Domain Policy but just to add new policies. If we need to change the password policy to something other than the default, should we be creating a new GPO at the domain level, or is this the exception where we would want to edit the Default Domain Policy?
Also, I noticed that if I mark an AD user object to have the password never expire, that seems to override any password policy that is applied. Am I correct that any password property explicitly set on an AD user object overrides any setting otherwise applied to the object through a policy?
Thanks again for your help clarifying this for me and the great work your team is doing.
Chris -
No worries here Chris, I love to talk about Active Directory! I'm going to recap some info that you probably already know for the benefit of others reading this thread.
There are two policies that get created when you install Active Directory. The Default Domain Policy and the Default Domain Controllers Policy. The Default Domain Policy contains the default password settings, account lockout settings and Kerberos settings for the domain, and is linked to the domain. The Default Domain Controllers Policy contains the default auditing settings for the domain controllers, and is linked to the domain controllers OU.
The recommendation is to use these policies for only those settings. So if you want to change the password, account lockout, or Kerberos settings then modify the Default Domain Policy. If you have other settings you want to apply to the domain, then create separate policies and link them to the domain. Likewise, if you want to change the auditing policy for your domain controllers, then modify the Default Domain Controllers Policy. If you have other settings you want to apply to your domain controllers, then create separate policies, and link them to the domain controllers OU.
There really is no harm in configuring other settings in these default policies; they will work just fine. The main benefit is to ensure these settings are only defined in one place. I've always been a fan of making multiple policies rather than one big policy containing all of the settings. It makes for a more flexible GPO infrastructure, and makes troubleshooting GPO issues easier.
Thanks for watching, and keep the questions coming!
Mike