Domain Password Policy

 

I can see very often that people ask questions about Domain Password Policy in Windows Server 2003 or Windows Server 2008/2008R2 that after they create new Group Policy (GPO) with password settings, it is not applied to computers.

That’s because in Active Directory you can only use one Group Policy with predefined password settings which by default are configured within “Default Domain” policy. When you want to modify these settings then you have to edit “Default Domain” policy and go to

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies ->Password Policy

Default password settings in “Default Domain” policy

all required options are available in this node. This is the same situation with Account Lockout settings which need to be also modified in the same policy under

Computer Configuration -> Policies -> Windows Settings -> Account Policies -> Account Lockout Policy

Default account lockout settings in “Default Domain” policy

When you will do changes there you can be sure that password policy would be applied within your environment.

Note! One more important thing! Password policy must be applied at domain level, so that’s why it is put within “Default Domain” policy by default. This is the only one GPO applied to all users/computers in a domain after Active Directory is created.

Domain Policy GPO link

Information! You can only use one password policy in a domain in “classic” way. However, when your domain functional level is at least Windows Server 2008 mode you are able to use Fine-Grained Password policies. More about this policies at Microsoft article

http://technet.microsoft.com/en-us/library/cc770394%28v=ws.10%29.aspx

In other case you need to create sub-domains (if different password policies are required) and migrate users and their computers into that sub-domain. Then you can apply another password policy settings.

To get more details about setting up “default domain password policy” and other tips related with this topic, please check that article on my blog at Setting default domain password policy

Author: Krzysztof Pytko

Facebooktwittergoogle_plusredditpinterestlinkedinmail

3 responses to “Domain Password Policy”

  1. Rencontre marié says :

    Pretty! Thiss has been an extremely wonderful post. Thank you for supplying these details.

     
  2. Jason Sujith says :

    Thank you, for your wonderfull post 🙂

     

Leave a Reply

Your email address will not be published. Required fields are marked *