Apply gpo only on one OU

windows group-policy windows-server-2012 password
9,623

Solution 1

You apply a GPO to an OU by simply linking to the GPO you've created at the appropriate level/OU in the Group Policy Management Console.

However, this will not work for what you're trying to do. GPOs pertaining to Password policies can only be set at the domain level. In order to apply a policy to a subset of domain users then you need to use Fine-Grained password policies.

These can be applied at the group level, so you need to ensure all the users you wish to affect with this new policy are a member of the appropriate group.

To do this on a Windows 2012 domain, do the following from a DC or Windows 8 workstation with RSAT installed:

  1. From the Start Screen type DSAC.EXE to start the Directory Service Administrative Center.
  2. Navigate to the System\Password Settings Container
  3. Right Click and select New or use New under the Tasks menu.
  4. Choose Password Settings

It's fairly self-explanatory from there.

If you're running on Windows 2008 or 2008R2 then you can still use Fine-Grained password policies, but it's not quite as easy to manage. To be honest, my advice at this level would be to think about upgrading but there are some guides around that might prove useful here too.

If your DCs are running an older version of Windows (or you're running newer DCs but the domain functional level hasn't been upgraded) then you've got no choice about upgrading at that point.

Solution 2

The regular password policy is special - there can only be one for the whole domain.

As of Server 2008, there are Fine-Grained Password Policies that can be used to set password requirements only for specific parts of the domain:

http://technet.microsoft.com/en-ca/library/cc770394(v=ws.10).aspx

Even then, you can't directly apply them to an OU. They apply only to users or groups - so you have to create a group with all the people you want it to apply to.

This page has an example powershell script that will run as a scheduled task and update the members of a group to include only the members of an OU. That will keep the group and OU in sync as you add/remove people from the OU.

Solution 3

Hoping that you have created the Fine grained password policy, In the GPMC console, you have to create a new GP under the OU where you want to apply the GP. Once you have defined he GP, select Link Enabled, if there are any Sub-OU's, you can select "Block Inheritance". So Ideally only the OU, where you have applied the GP will b linked. Secondly, if you want more than one OU To have the GP applied, you can select the OU and link existing GP fro the console.

Share:
9,623

Related videos on Youtube

Vinc 웃
Author by

Vinc 웃

Updated on September 18, 2022

Comments

  • Vinc 웃
    Vinc 웃 almost 2 years

    How can you create a GPO for only one Organizational Unit ?

    The GPO I want to create is pretty simple, it just set the minimal password length. Given that I don't want all the users to have the same password policy, I want to apply the GPO to only users that are inside a specific OU.

    I tried "Create a GPO in this domain, and link it here" directly on the OU, but it look like the GPO is not overriding the default one.

    Thank you.

  • Vinc 웃
    Vinc 웃 almost 10 years
    You are very good mister ! :)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Disable metro on Windows Server 2012 RDS Session host with GPO?
Windows Server: what is the difference between Security Filtering (under the Scope tab) and the Delegation tab in Group Policy Management?
How to exclude a user from an applied password policy
How to change Windows Server 2012 password requirements when installing?
disable maximum password length on Windows Server
Why is this preventing me installing an MSI: The System Administrator has set policies to prevent this installation
How can I allow Domain Users to update printer drivers without any prompts?
How to unblock the program from the group policy in Android Studio for a Flutter application?
How to move/copy Windows 2003 Server scheduled task to Windows 2012 Server?
Why can't non-admin users install software?