Thursday, November 17, 2016

Different password policies for different OU's don't work


Problem: Different password policies for different OUs don’t work.

Reason: The password policy is a domain-level policy. The password and lockout settings in the GPO linked at the domain root apply to every domain account, and a GPO linked to an OU cannot override them.
Solution: Enable FGPP (Fine-Grained Password Policy) via ADSI Edit (Active Directory Service Interfaces Editor) and apply a new PSO (Password Settings Object) to a global security group. Optionally, such a group can be kept in sync with the membership of an OU using a “shadow group”, which requires custom scripting.

Awesome resources to solve your problem:

- Initial answer to why you cannot use multiple GPOs for password policy
- FGPP – Fine-Grained Password Policy
- LockoutDuration value = “(never)” for a permanent lock
- PSO value documentation
- FGPP documentation
- FGPP on Windows Server 2012 or via PowerShell
- Shadow groups
- Concise PowerShell shadow group script (and a version modified to send email)

See your created PSOs from the command line:
    dsquery * "CN=Password Settings Container,CN=System,DC=NICHOLLS,DC=EDU" -attr *

See the effective PSO of a user:
    dsget user <userDN> -effectivepso
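As an added example (not from the original post), the PowerShell equivalent of the solution above: create a PSO, bind it to a global security group, keep that group mirrored to an OU as a shadow group, and check a user's effective PSO. All names used (PSO, group, OU, user) are hypothetical placeholders.

```powershell
# Added example, not the original post's script. PSO, group, OU and user
# names are hypothetical placeholders; run as a Domain Admin.
Import-Module ActiveDirectory

$PsoName   = 'PSO-Students'                    # hypothetical
$GroupName = 'SG-Students-ShadowGroup'         # hypothetical
$OuDn      = 'OU=Students,DC=example,DC=com'   # hypothetical

# 1. Create the PSO. Lower Precedence wins if a user is covered by several PSOs.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
}

# 2. Apply the PSO to a global security group (a PSO cannot target an OU directly).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuDn
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# 3. Shadow group: make the group's membership mirror the users currently in the OU.
function Sync-ShadowGroup {
    param([string]$Group, [string]$SearchBase)
    $wanted  = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * |
               Select-Object -ExpandProperty DistinguishedName
    $current = Get-ADGroupMember -Identity $Group |
               Select-Object -ExpandProperty DistinguishedName
    $toAdd    = @($wanted  | Where-Object { $_ -notin $current })   # in OU, not yet in group
    $toRemove = @($current | Where-Object { $_ -notin $wanted })    # left the OU, still in group
    if ($toAdd.Count)    { Add-ADGroupMember    -Identity $Group -Members $toAdd }
    if ($toRemove.Count) { Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false }
    [pscustomobject]@{ Added = $toAdd.Count; Removed = $toRemove.Count }
}
# Schedule this call (e.g. a scheduled task on a DC) so moves in/out of the OU are picked up.
Sync-ShadowGroup -Group $GroupName -SearchBase $OuDn

# 4. Verify which PSO actually wins for a user (equivalent of "dsget user -effectivepso").
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, LockoutDuration
```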
