RE: Group Policy: multiple password policies in the same domain?

Inline... 

> -----Original Message-----
> From: Beauford, Jason [mailto:jbeauford@EightInOnePet.com] 
>
> Domain Wide Password policies cannot be blocked by OU 
> Policies.

It's not a matter of blocking. It's a matter of where the accounts are
actually stored. AD accounts are stored in the *domain*, so that is the only
place where a password policy affects *domain* accounts. OUs are irrelevant
in that scenario.

>  With that in mind you should look at creating an 
> OU and setting up a GPO with Password Policies there rather 
> than on the top level domain.  Drop your service accounts 
> into the OU and they will take on the the applied GPO.

No, they won't. Moving the service account from one OU to another has no
affect. The account is still stored in AD and is still subject to the
*domain* password policy. Creating *local* accounts on the computer(s) in
question, then setting password policies on the OUs where the *computers*
reside, would work. However, it wouldn't meet the requirements of the
original poster.

> Because you have no other password policy set on the top 
> level domain name, your "other" users will be unaffected.

That is not the case. See above.

> I believe that should do it.  But then again.  I haven't 
> tested it or ever implemented it to confirm.  Check it out.

I have tested and implemented this stuff eight ways to Sunday, but I
encourage anybody who doesn't want to take my word for it to test for
himself/herself. :-)

Laura


---------------------------------------------------------------------------
---------------------------------------------------------------------------