A secure network environment requires all users to use strong passwords, which have at least eight characters and include a combination of letters, numbers, and symbols. These passwords help prevent the compromise of user accounts and administrative accounts by unauthorized users who use manual methods or automated tools to guess weak passwords.
Strong passwords that are changed regularly reduce the likelihood of a successful password attack. This feature provides organizations with a way to define different password and account lockout policies for different sets of users in a domain.
Fine-grained password policies apply only to user objects or inetOrgPerson objects if they are used instead of user objects and global security groups. To apply a fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group.
You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups. Fine-grained password policies include attributes for all the settings that can be defined in the default domain policy except Kerberos settings in addition to account lockout settings.
Fine-grained password policies apply only to user objects or inetOrgPerson objects if they are used instead of user objects and global security groups. To apply a fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group.
You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups. Fine-grained password policies include attributes for all the settings that can be defined in the default domain policy except Kerberos settings in addition to account lockout settings.
When you specify a fine-grained password policy, you must specify all of these settings. Regardless, if what Justin says is accurate, even applying it at the computer level will not work.
Fine-Grained Password Policies is the only real way as pointed out by Justin and the OP itself ; OP is just looking for guidance as to how to accomplish this. I mean, I think I forgot the "precedence" parameter, though. That is required, that is what is used in the event that a user has multiple FGPPs applied to it. To continue this discussion, please ask a new question. Get answers from your peers along with millions of IT pros who visit Spiceworks. Hello all, I have a requirement for two, or ideally three different password policies for one domain.
Any insight would be much appreciated! Best Answer. Justin This person is a verified professional. Verify your account to enable IT peers to see that you are a professional. The policy cannot be. In addition, please note that this posting is over 1 year old and has already been marked as answered. There is really no reason to add to this post unless new information is presented that can benefit the online community.
Office Office Exchange Server. Not an IT pro? Resources for IT Professionals. Sign in. United States English. Ask a question.
0コメント