I want to create a new password policy in the domain, but i don't want to apply it on the whole domain one time i.e: I want to apply it on different OUs (today on IT OU the next day finance ...etc)

My questions are :

1) as the password policies are in computer configuration should i move the computer accounts of the targeted users from computers container to their OU to apply  the policy or will it be enough to move the users only?

2) should i create a linked policy for each ou or what??

Thanks

Hi

 You could configure Fine-Grained Password Policies to define different password and account lockout policies for different sets of users in a domain,

Check these artilcles about Fine-Grained Password Policies

https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

http://blogs.technet.com/b/meamcs/archive/2012/05/29/creating-fine-grained-password-policies-through-gui-windows-server-2012-server-8-beta.aspx

Hello,

1. this will not work for the domain. Password policyand account lockout policy MUST be set on domain level. Youcan use already mentioned FGPP for user accounts and security groups, NOT OUs!!!, to have a different set of settings.

2. as stated above security groups must be used or user accounts.In your case create a so called shadow group, a security group containing all user accounts where you need a different set of settingsfor. With this one configure the FGPP.

The problem with the FGPP is that our domain functional level is 2003, which doesn't support fgpp
is there any other way to do this

Am 13.09.2015 schrieb Ibra86:
Hi,

The problem with the FGPP is that our domain functional level is 2003, which doesn't support fgpp
is there any other way to do this

Than you should upgrade to a higher level if possible. Otherwise you can buy products like:
http://www.nfrontsecurity.com/
or
http://www.specopssoft.com/product/specops-password-policy/

HTH
N

"The problem with the FGPP is that our domain functional level is 2003, which doesn't support fgpp
is there any other way to do this"

As you have stated you are on 2003 funcitonal level so this will not work. Natively, the only other way you can have different password policies for different accounts in a 2003 domain is by creating a new child domain where you can then set another password policy for users in the Child domain which differ from the parent domain.

Personall it is much easier and "supported" to upgrade to 2008 which will then give you the feature of FGPP after you rasie the domain functional level of 2008 or higher.

Will.

The problem with the FGPP is that our domain functional level is 2003, which doesn't support fgpp
is there any other way to do this

Hello,

no, not with builtin option. There may exist some 3rd party tools that bring the functions.

But as Windows Server 2003 is out of support now, go on with new the OS version and all its advantages.