Problem: Different password policies for different OUs don't work.
Reason: Password Policy is a domain policy and may only be applied at the top domain level.
Solution: Enable FGPP (Fine-Grained Password Policy) via ADSI (Active Directory Service Interfaces) Editor and apply a new PSO (Password Settings Object) to a security group. Optionally, such a group can be made to mirror the membership of an OU, a concept called a "shadow group", which requires custom scripting.
Awesome resources to solve your problem:
Initial answer to why multiple GPOs cannot be used:
FGPP – Fine-Grained Password Policy:
A LockoutDuration value of "(never)" makes the lockout permanent.
PSO value documentation: https://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx
FGPP Documentation https://technet.microsoft.com/en-us/library/cc754544(v=ws.10).aspx
FGPP on Win12 or PowerShell: http://www.brandonlawson.com/active-directory/creating-fine-grained-password-policies/
*** CONCISE PowerShell ShadowGroup Script: http://ravingroo.com/458/active-directory-shadow-group-automatically-add-ou-users-membership/ Modified with email https://gist.github.com/meoso/301f2e94306dcf2d3714c26ca5518932
See your created PSO via the command line:
dsquery * "CN=Password Settings Container,CN=System,DC=NICHOLLS,DC=EDU" -attr *
See the effective PSO of a user:
dsget user <userDN> -effectivepso
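The solution above (create a PSO, bind it to a security group, keep that group in sync with an OU as a shadow group, then verify the resultant policy) as an added PowerShell example. This is not the page's own code nor the linked gist; the OU path, group name, PSO name and policy values are assumed placeholders, and it needs the ActiveDirectory RSAT module on a domain at a functional level that supports FGPP.

```powershell
# Added example: FGPP plus shadow-group sync. All names and paths below are placeholders.
Import-Module ActiveDirectory

$OU      = "OU=Staff,DC=example,DC=com"   # assumed OU whose users should get the stricter policy
$Group   = "PSO-Staff-Strict"             # assumed global security group the PSO is applied to
$PsoName = "Staff-Strict-PSO"             # assumed PSO name

# 1. Shadow group: PSOs apply to users or global security groups, never directly to an OU.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security -Path $OU
}

# 2. Create the PSO and bind it to the group. Lower Precedence wins if a user is in
#    several PSOs. A 30-minute lockout is used here; "(never)" in ADSI Edit would be permanent.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge "1.00:00:00" -MaxPasswordAge "90.00:00:00" `
        -LockoutThreshold 5 -LockoutObservationWindow "0.00:30:00" -LockoutDuration "0.00:30:00" `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $Group
}

# 3. Shadow-group sync: make group membership equal the set of users currently in the OU.
#    Run this on a schedule so users moved into or out of the OU get the right policy.
$ouUsers = Get-ADUser -SearchBase $OU -SearchScope Subtree -Filter * |
           Select-Object -ExpandProperty DistinguishedName
$members = Get-ADGroupMember -Identity $Group |
           Where-Object { $_.objectClass -eq 'user' } |
           Select-Object -ExpandProperty DistinguishedName
$toAdd    = @($ouUsers | Where-Object { $_ -notin $members })
$toRemove = @($members | Where-Object { $_ -notin $ouUsers })
if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $Group -Members $toAdd }
if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false }

# 4. Verify: the resultant policy for a user in the OU should now be $PsoName
#    (the cmdlet returns nothing when only the Default Domain Policy applies).
Get-ADUser -SearchBase $OU -Filter * | Select-Object -First 1 | Get-ADUserResultantPasswordPolicy
```

The membership comparison (`-notin`) needs PowerShell 3.0 or later; on older hosts replace it with `Compare-Object`.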