November 17, 2016

Different password policies for different OUs don't work


Problem: Different password policies for different OUs don’t work.

Reason: The password policy is a domain policy and may only be applied at the top domain level; a password policy in a GPO linked to an OU has no effect.
Solution: Enable FGPP (Fine-Grained Password Policy) via ADSI (Active Directory Services Interface) Editor and apply a new PSO (Password Settings Object) against a security group. Optionally, such a group can be made to sync its membership with the members of an OU, a concept called a “Shadow Group”; this requires custom scripting.

Awesome Resources to solve your problem:

Initial answer to why you cannot use multiple GPOs:
http://windowsitpro.com/security/q-can-i-apply-different-password-policy-two-different-active-directory-ad-organizational-un
FGPP – Fine-Grained Password Policy:
http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/
Set the LockoutDuration value to “(never)” for a permanent lock.
PSO value documentation: https://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx
FGPP Documentation https://technet.microsoft.com/en-us/library/cc754544(v=ws.10).aspx
FGPP on Win12 or PowerShell: http://www.brandonlawson.com/active-directory/creating-fine-grained-password-policies/
Shadow Group:
*** CONCISE PowerShell ShadowGroup Script: http://ravingroo.com/458/active-directory-shadow-group-automatically-add-ou-users-membership/
Modified with email: https://gist.github.com/meoso/301f2e94306dcf2d3714c26ca5518932
http://www.adaxes.com/tutorials_AutomatingDailyTasks_AutomaticallyChangeGroupMembershipUsingScripts.htm
http://ahultgren.blogspot.com/2011/07/shadow-groups-in-active-directory.html
http://tookitaway.co.uk/ad-shadow-groups-with-windows-powershell-an-update/
https://github.com/davegreen/shadowGroupSync
Δ http://myitforum.com/myitforumwp/2012/05/08/creating-and-managing-shadow-groups/
See your created PSO via the command line:
dsquery * "CN=Password Settings Container,CN=System,DC=NICHOLLS,DC=EDU" -attr *
See the effective PSO of a user:
dsget user <userDN> -effectivepso
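An added example, not code from this post or from any of the linked scripts, showing both halves of the solution with the ActiveDirectory PowerShell module: create a PSO and bind it to a security group, then keep that group in sync with an OU as a shadow group. The OU path, group name, PSO name and policy values are assumed placeholders.

```powershell
# Added example: FGPP via a PSO on a security group, plus a shadow-group sync.
# Assumed placeholders: the OU path, group name, PSO name and policy values.
Import-Module ActiveDirectory

$OU      = 'OU=Students,DC=EXAMPLE,DC=LOCAL'   # OU whose users should get the policy
$Group   = 'PSO-Students'                      # existing global security group (the shadow group)
$PsoName = 'PSO-Students-Policy'

# 1. Create the PSO once and apply it to the GROUP, not the OU (PSOs cannot target OUs).
#    Lower Precedence wins when a user is a member of several PSO-linked groups.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 12 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 10 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Group
}

# 2. Shadow group: make the group's membership mirror the OU. Run this on a schedule.
#    Subtree also picks up users in child OUs; use -SearchScope OneLevel for direct children only.
$wanted  = @(Get-ADUser -Filter * -SearchBase $OU -SearchScope Subtree |
             Select-Object -ExpandProperty DistinguishedName)
$current = @(Get-ADGroupMember -Identity $Group |
             Where-Object objectClass -eq 'user' |
             Select-Object -ExpandProperty distinguishedName)

$toAdd    = @($wanted  | Where-Object { $_ -notin $current })   # moved into the OU
$toRemove = @($current | Where-Object { $_ -notin $wanted })    # moved out of the OU

if ($toAdd)    { Add-ADGroupMember    -Identity $Group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false }
Write-Output ("Shadow group {0}: +{1} / -{2}" -f $Group, $toAdd.Count, $toRemove.Count)

# 3. Verify what a user actually gets (the PowerShell equivalent of 'dsget user <DN> -effectivepso').
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' | Select-Object Name, Precedence, MinPasswordLength
```

Removals from the OU take effect at the next sync run, so schedule the script more often than the policy's lockout and password-age windows demand.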
