Thursday, November 17, 2016

Different password policies for different OUs don't work


Problem: Different password policies for different OUs don’t work.

Reason: The password policy is a domain-level policy; it takes effect only when the GPO is linked at the domain root, so policies linked to individual OUs are ignored.

Solution: Enable FGPP (Fine-Grained Password Policy) via ADSI Edit (Active Directory Service Interfaces Editor) and apply a new PSO (Password Settings Object) to a security group. Optionally, such a group can be kept in sync with the members of an OU using the concept called a “Shadow Group”, which requires custom scripting.
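The same setup done in PowerShell, as an added example that is not part of the original post: it creates the security group and the PSO, links them, keeps the group in sync with an OU (the shadow-group script the post mentions), and checks the resulting policy on a user. The OU, group, PSO and user names are assumptions; the ActiveDirectory module and a domain at the 2008 functional level or higher are required.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# domain admin rights, and the hypothetical OU/group/PSO/user names below.
Import-Module ActiveDirectory

$OU        = 'OU=IT Admins,DC=NICHOLLS,DC=EDU'   # assumed OU holding the users
$GroupName = 'SG-PSO-ITAdmins'                    # assumed shadow group name
$PsoName   = 'PSO-ITAdmins'                       # assumed PSO name

# 1. Shadow group that will carry the PSO (PSOs apply to users and global
#    security groups, never directly to an OU).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OU
}

# 2. The PSO itself. Lower Precedence wins when a user is covered by several PSOs.
#    LockoutDuration/ObservationWindow are TimeSpans; the "(never)" value seen in
#    ADSI Edit is the permanent-lock setting the post refers to.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# 3. Shadow-group sync: make group membership mirror the users in the OU.
#    Run it on a schedule so users moved into or out of the OU gain or lose the PSO.
$ouUsers  = Get-ADUser -Filter * -SearchBase $OU -SearchScope Subtree |
            Select-Object -ExpandProperty DistinguishedName
$members  = Get-ADGroupMember -Identity $GroupName |
            Select-Object -ExpandProperty DistinguishedName

$toAdd    = $ouUsers | Where-Object { $_ -notin $members }
$toRemove = $members | Where-Object { $_ -notin $ouUsers }

if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

# 4. Verify which PSO actually wins for a user (same check as "dsget user -effectivepso").
#    'jdoe' is an assumed sAMAccountName.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutDuration
```

Step 3 is the part to schedule (for example as a scheduled task on a domain controller); steps 1, 2 and 4 are one-time setup and verification.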

Awesome Resources to solve your problem:

Initial answer to why multiple password-policy GPOs cannot be used:

FGPP – Fine-Grained Password Policy:
LockoutDuration value = “(never)” for a permanent lockout.
PSO value documentation:
FGPP Documentation
FGPP on Win12 or PowerShell:

Shadow Group:

See your created PSO via commandline:
dsquery * "CN=Password Settings Container,CN=System,DC=NICHOLLS,DC=EDU" -attr *

See the effective PSO of a user:
dsget user <userDN> -effectivepso

