Domain Password Policy
I often see people asking about Domain Password Policy in Windows Server 2003 or Windows Server 2008/2008 R2: after they create a new Group Policy Object (GPO) with password settings and link it to an OU, the settings have no effect on their domain user accounts.
That is because password settings for domain accounts are read only from Group Policy linked at the domain level (the domain controllers apply them to the domain account database), and by default they are configured in the “Default Domain Policy”. A GPO with password settings linked to an OU changes only the local account policy of the member computers in that OU, not the domain accounts. When you want to modify the domain settings, edit the “Default Domain Policy” and go to
“Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies ->Password Policy“
All required options are available in this node. The same applies to Account Lockout settings, which also have to be modified in the same policy, under
“Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy“
Once you make the changes there, you can be sure the password policy is applied across your domain (after the domain controllers refresh Group Policy).
Note! One more important thing: password policy must be applied at the domain level, which is why it is placed in the “Default Domain Policy” by default. This is the only GPO linked at the domain level, and therefore applied to all users and computers in the domain, when Active Directory is created.
Information! In the “classic” way you can use only one password policy per domain. However, when your domain functional level is at least Windows Server 2008, you can use Fine-Grained Password Policies (FGPP), which are applied to users and global security groups (not to OUs) and override the domain policy for those accounts. More about these policies in the Microsoft article
Otherwise (when different password policies are required) you need to create additional domains, for example sub-domains, and migrate users and their computers into them. Then you can apply different password policy settings in each domain.
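As an added example (not part of the original post), the following PowerShell script shows how to verify which password and lockout settings are really in effect for domain accounts (the values written to the domain object by the domain-level GPO, which is what the note above is about), and, when the domain functional level allows it, how to create a Fine-Grained Password Policy for a group instead of building a sub-domain. It uses the ActiveDirectory module cmdlets (Windows Server 2008 R2 RSAT or later); the PSO name “PSO-PrivilegedAccounts”, its values, and the user “administrator” are assumptions for illustration.

```powershell
# Added example: check the effective domain password policy and, if supported,
# create a Fine-Grained Password Policy (PSO). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. The settings that govern domain accounts are the ones stored on the domain
#    object. They come from the GPO linked at domain level (by default the
#    "Default Domain Policy"), not from GPOs linked to OUs.
$effective = Get-ADDefaultDomainPasswordPolicy
$effective | Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
    MinPasswordAge, ComplexityEnabled, ReversibleEncryptionEnabled,
    LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Checks a practitioner would want before trusting the result.
if ($effective.ReversibleEncryptionEnabled) {
    Write-Warning 'Reversible encryption is enabled: passwords are stored recoverably.'
}
if ($effective.LockoutThreshold -eq 0) {
    Write-Warning 'Account lockout is disabled (threshold 0); online password guessing is not rate-limited.'
}
if (-not $effective.ComplexityEnabled) {
    Write-Warning 'Password complexity is disabled.'
}

# 2. Fine-Grained Password Policies need Windows Server 2008 domain functional level or higher.
$fgppSupported = [int]$domain.DomainMode -ge [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if (-not $fgppSupported) {
    Write-Output "Domain functional level is $($domain.DomainMode); only one password policy per domain is possible."
    return
}

# Hypothetical PSO for privileged accounts (name and values are assumptions).
# Lower precedence wins when several PSOs apply to the same user.
$psoName = 'PSO-PrivilegedAccounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)

    # PSOs are applied to users and global security groups, never to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'
}

# 3. Resultant policy for one user: returns the winning PSO, or nothing when the
#    user is covered by no PSO and the domain policy above applies.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'administrator'
if ($resultant) {
    Write-Output "Effective PSO for administrator: $($resultant.Name) (precedence $($resultant.Precedence))"
} else {
    Write-Output 'No PSO applies to administrator; the domain-level policy is in effect.'
}
```

The same effective values can be cross-checked from any domain member with `net accounts /domain`, which reads them from a domain controller rather than from the local computer policy; if that output does not match what you set, the GPO is probably linked to an OU instead of the domain, or the domain controllers have not yet refreshed Group Policy.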
To get more details about setting up the “default domain password policy” and other tips related to this topic, please check the article on my blog at Setting default domain password policy
Author: Krzysztof Pytko