How to exclude a user from an applied password policy
Windows Active Directory has two different styles of Password Policy:
- One you set in Default Domain Policy (or another GPO linked to the domain root-object) that applies to everything without exception (2000-2008r2)
- A Fine Grained Password Policy that allows you to set different policies for different groups, complete with exceptions (2008-2008r2)
The first kind is rather difficult to work with because of the 'no exceptions' item. Special-snowflake users, like yours, can't be accommodated, and neither can certain critical utility users (like the user all the web-apps use for LDAP-binds). This is why Fine Grained Password Policies were born.
FGPPs are not GPO-based; they're applied through a different mechanism entirely. However, you do need to be at the Server 2008 functional level to even use them at all. They can allow you to set a single password policy for all users except for a special group, and set a completely different policy for that one group, or a different policy for each one of those special users. It even has a mechanism to handle policy overlaps to determine which policy will win when more than one could apply.
The Server 2000 style of applies-to-everyone password policy can be hard to understand. It is set in one and only one place: a GPO linked to the domain root object. The settings are visible in any GPO, but they don't do anything when set in policies that are not linked to the root.
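The answer above describes the two mechanisms in prose; the following is an added worked example (not code from the original answer) of the Fine Grained Password Policy route in PowerShell: check the functional level, look at the domain-root policy that applies to everyone, create a Password Settings Object (PSO) with a different policy, attach it to a global security group holding the exception user, and confirm which policy the user actually resolves to. The PSO, group and user names (`PSO-Exec-Exception`, `PSO-Exec-Exception-Members`, `ceo.user`) are hypothetical; the cmdlets are the standard ones from the ActiveDirectory (RSAT) module.

```powershell
# Added example, not part of the original answer. Assumes a domain at the
# Windows Server 2008 functional level or higher, the ActiveDirectory module
# (RSAT) loaded, and Domain Admin rights. All names below are hypothetical.
Import-Module ActiveDirectory

# 1. FGPPs need at least the 2008 domain functional level. Fail early if not met
#    (on a 2003 domain, as in the question, the rest of this script cannot work).
$domain  = Get-ADDomain
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ($domain.DomainMode -lt $minMode) {
    throw "Domain functional level is $($domain.DomainMode); FGPPs need $minMode or higher."
}

# 2. The applies-to-everyone policy: read from the GPO linked to the domain root.
#    Password settings in any other GPO are ignored, so this is the baseline
#    every user gets unless a PSO overrides it.
Write-Host "Domain-wide (root GPO) password policy:"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, PasswordHistoryCount, ComplexityEnabled

# 3. Create the exception PSO. Lower Precedence wins when several PSOs could
#    apply to the same user; leave gaps (10, 20, 30...) so new ones can slot in.
#    The exception trades a longer expiry for a longer minimum length rather
#    than simply switching the policy off.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Exec-Exception' `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true `
    -Description 'Longer expiry in exchange for a 20-character minimum' `
    -PassThru

# 4. PSOs can only be applied to user objects and GLOBAL security groups
#    (not OUs, not domain-local or universal groups). Using a group instead of
#    the user directly keeps the exception list reviewable in one place.
$group = New-ADGroup -Name 'PSO-Exec-Exception-Members' `
    -GroupScope Global -GroupCategory Security `
    -Path "CN=Users,$($domain.DistinguishedName)" `
    -Description 'Members get PSO-Exec-Exception instead of the domain policy' `
    -PassThru
Add-ADGroupMember -Identity $group -Members 'ceo.user'
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group

# 5. Verify the resultant policy for the user. This returns $null when no PSO
#    applies, which means the domain-root GPO policy is still in force.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'ceo.user'
if ($null -eq $resultant) {
    Write-Warning "No PSO applies to ceo.user; the domain-root policy is in effect."
} else {
    Write-Host "Resultant PSO for ceo.user: $($resultant.Name) (precedence $($resultant.Precedence))"
    $resultant | Select-Object MinPasswordLength, MaxPasswordAge, PasswordHistoryCount
}

# 6. Overlap check: list every PSO in precedence order so you can see which one
#    would win if a user ends up in more than one targeted group.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, AppliesTo
```

Two points worth knowing when reading the output: a PSO linked directly to a user object always beats any PSO reaching that user through group membership, regardless of Precedence, and Precedence only breaks ties between group-linked PSOs. Second, denying Apply Group Policy on the domain-root GPO (the approach tried in the question) does not exempt a user, because the domain controllers read the password settings from that GPO as domain-wide attributes; they are not evaluated per user the way ordinary GPO settings are.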
Asked by Saariko
Updated on September 18, 2022

Comments
-
Saariko (almost 2 years):
I have received a requirement that a single user needs to be excluded from the company's password policy (the CEO if you ask).
As such, I have tried the following with no success.
- I have copied the default domain password settings to a new object.
- I have enabled that new object for Authenticated Users.
- In the domain password policy's delegation settings, I have added the specific user and, in the Apply check box, set it to Deny.
*Should I also set the Deny Read option?
I can see that when the user logs in, gpresult shows that the Domain Password GP is applied; however, he still gets the same restrictions as the rest of the domain.
Q: What am I doing wrong? How can I exclude a user from a domain policy?
Much appreciated.
-
Saariko (over 12 years): Thanks. According to you: 1. As I work with 2k3, this is not possible. 2. The password policies now ARE NOT ENFORCED, as they are not in the Default Domain Policy? Is this correct?
-
Deb (over 12 years): @Saariko Turns out I was wrong (technet.microsoft.com/en-us/library/cc875814.aspx). The password settings only apply in a GPO linked to the root of the domain.