2

I have received a requirement that a single user needs to be excluded from the company's password policy (the CEO if you ask).

as such, I have tried the following with no success.

  1. I have copied the default domain password settings to a new object.
  2. I have enabled that new opbject to auhtenticated users.
  3. In the domain Password delegation settings, I have added the specific user, and in the: Apply check box - I set it to Deny enter image description here *should I also set the Deny Read option?

I can see that when the user logs in, gpresult shows that the Domain Password GP is applied, however, he still gets the same restrictions as the rest of the domain.

Q: What am I doing wrong? - : How can I exclude a user from a domain policy?

Much appreciate

Teddy
  • 5,204
  • 1
  • 23
  • 27
Saariko
  • 1,791
  • 14
  • 45
  • 75

1 Answers1

8

Windows Active Directory has two different styles of Password Policy:

  • One you set in Default Domain Policy (or another GPO linked to the domain root-object) that applies to everything without exception (2000-2008r2)
  • A Fine Grained Password Policy that allows you to set different policies to different groups complete with exceptions (2008-2008r2)

The first kind is rather difficult to work with because of the 'no exceptions' item. Special-snowflake users, like yours, can't be accommodated, and neither can certain critical utility users (like the user all the web-apps use for LDAP-binds). This is why Fine Grained Password Policies were born.

FGPG are not GPO based, they're applied through a different mechanism entirely. However, you do need to be at the Server 2008 functional-level to even use them at all. They can allow you to set a single password policy for all users except for a special group, and set a completely different policy for that one group. Or a different policy for each one of those special users. It even has a mechanism to handle policy overlaps to determine which policy will win when more than one could apply.

The Server 2000 style of applies-to-everyone password polciy can be hard to understand. It is set in one and only one place, a GPO linked to the domain root object. The settings were visible in any GPO, but they don't do anything when set in policies that are not linked to root.

sysadmin1138
  • 133,124
  • 18
  • 176
  • 300
  • thanks. according to you: 1. as I work with 2k3 - this is not possible. 2. the password policy now ARE NOT ENFORCED? as they are not in the Default Domain Policy? Is this correct? – Saariko Nov 03 '11 at 12:07
  • @Saariko Turns out I was wrong (http://technet.microsoft.com/en-us/library/cc875814.aspx). The password settings only apply *to a GPO linked to the root of the domain*. – sysadmin1138 Nov 03 '11 at 15:44