110V Soldering Iron Kit
[ I WANT THIS ↑↑↑ Please use this affiliate linked image ]

Thursday, November 17, 2016

Different password policies for different OU's don't work


Problem: Different password policies for different OU’s don’t work.

Reason: Password Policy is a domain-policy and may only be applied at the top domain-level.
Solution: Enable FGPP (Fine Grain Password Policy) via ADSI (Active Directory Services Interface) Editor and Apply a new PSO (Password Settings Object) against a Security Group. Optionally, such a group can be made to sync memberships with members of an OU with the concept called “Shadow Group[ing]” which will require custom scripting to do so.

Awesome Resources to solve your problem:

Initial answer to why cannot use multiple GPO’s:
FGPP – Fine Grain password Policy:
LockoutDuration value = “(never)” for permanent lock.
PSO value documentation: https://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx
FGPP Documentation https://technet.microsoft.com/en-us/library/cc754544(v=ws.10).aspx
FGPP on Win12 or PowerShell: http://www.brandonlawson.com/active-directory/creating-fine-grained-password-policies/
Shadow Group:
*** CONCISE PowerShell ShadowGroup Script: http://ravingroo.com/458/active-directory-shadow-group-automatically-add-ou-users-membership/     Modified with email https://gist.github.com/meoso/301f2e94306dcf2d3714c26ca5518932
Δ http://myitforum.com/myitforumwp/2012/05/08/creating-and-managing-shadow-groups/
See your created PSO via commandline:
dsquery * "CN=Password Settings Container,CN=System,DC=NICHOLLS,DC=EDU" -attr *
See the effective PSO of a user:
dsget user <userDN> -effectivepso
Written with StackEdit. Don’t forget your FrontMatter.

No comments:

Post a Comment

Comments, Suggestions or "Thank you's" Invited! If you have used this info in any way, please comment below and link/link-back to your project (if applicable). Please Share.
I accept Bitcoin tips of ANY amount to: 1GS3XWJCTWU7fnM4vfzerrVAxmnMFnhysL
I accept Litecoin tips of ANY amount to: LTBvVxRdv2Lz9T41UzqNrAVVNw4wz3kKYk