How to exclude a user from an applied password policy


Windows Active Directory has two different styles of Password Policy:

  • One you set in the Default Domain Policy (or another GPO linked to the domain root object) that applies to everything without exception (2000-2008r2)
  • A Fine Grained Password Policy that allows you to set different policies for different groups, complete with exceptions (2008-2008r2)

The first kind is rather difficult to work with because of the 'no exceptions' item. Special-snowflake users, like yours, can't be accommodated, and neither can certain critical utility users (like the user all the web-apps use for LDAP-binds). This is why Fine Grained Password Policies were born.

FGPP are not GPO based; they're applied through a different mechanism entirely. However, you do need to be at the Server 2008 functional level to even use them at all. They can allow you to set a single password policy for all users except for a special group, and set a completely different policy for that one group. Or a different policy for each one of those special users. It even has a mechanism to handle policy overlaps to determine which policy will win when more than one could apply.

The Server 2000 style of applies-to-everyone password policy can be hard to understand. It is set in one and only one place, a GPO linked to the domain root object. The settings are visible in any GPO, but they don't do anything when set in policies that are not linked to the root.
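The following PowerShell is an added example, not code from the answer above or from Microsoft; it walks through the FGPP mechanism the answer describes: check the functional level, show the one root-linked policy everyone gets, create a Password Settings Object for an exceptions group, and verify which policy a user actually ends up with. The PSO name, the group name and the two sAMAccountNames are assumptions for illustration, as is the numeric comparison against the ADDomainMode enumeration (Windows2008Domain = 3).

```powershell
# Added example (not from the original answer): create an FGPP exception for a
# group and verify the resultant policy. Needs the ActiveDirectory RSAT module
# and rights to write to CN=Password Settings Container,CN=System,<domain>.
Import-Module ActiveDirectory

# 1. FGPP requires the Windows Server 2008 domain functional level or higher.
#    Assumption: ADDomainMode enum numbering, where Windows2008Domain = 3.
$domain = Get-ADDomain
if ([int]$domain.DomainMode -lt 3) {
    throw "Domain functional level is $($domain.DomainMode); FGPP needs Windows2008Domain or higher."
}

# 2. The policy everyone gets: read from the GPO linked to the domain root only.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold

# 3. Keep exceptions in a dedicated global security group so membership is reviewable.
$groupName = 'PasswordPolicy-Exceptions'      # assumed group name
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Users whose password policy comes from PSO-Exceptions'
}
Add-ADGroupMember -Identity $groupName -Members 'ceo.user'   # assumed sAMAccountName

# 4. Create the PSO. Lower Precedence wins when a user matches several PSOs.
#    Only the settings the requester wants relaxed are changed; lockout stays on.
$psoName = 'PSO-Exceptions'                   # assumed PSO name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $false `
        -MinPasswordLength 8 `
        -PasswordHistoryCount 5 `
        -MinPasswordAge '0.00:00:00' `
        -MaxPasswordAge '365.00:00:00' `
        -LockoutThreshold 10 `
        -LockoutDuration '0.00:30:00' `
        -LockoutObservationWindow '0.00:30:00' `
        -ReversibleEncryptionEnabled $false
}

# 5. Link the PSO to the group. PSOs can be applied only to users and global security groups.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# 6. Verify the resultant policy for the excepted user and for an ordinary user.
foreach ($user in 'ceo.user', 'normal.user') {   # assumed sAMAccountNames
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) { "$user -> PSO '$($pso.Name)' (precedence $($pso.Precedence))" }
    else      { "$user -> no PSO applies; default domain policy is in effect" }
}
```

Two points worth knowing when reading step 6: a PSO linked directly to a user account always beats one linked through a group, regardless of the Precedence value, and password settings are evaluated from the domain object by the domain controller rather than through per-user GPO processing, which is why the gpresult output in the question cannot show an exception. A Server 2003 domain, as in the question, fails the check in step 1, consistent with the answer above.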


Author: Saariko

Updated on September 18, 2022

Comments

  • Saariko
    Saariko almost 2 years

    I have received a requirement that a single user needs to be excluded from the company's password policy (the CEO if you ask).

    As such, I have tried the following with no success.

    1. I have copied the default domain password settings to a new object.
    2. I have enabled that new object for Authenticated Users.
    3. In the domain Password delegation settings, I have added the specific user, and in the Apply check box I set it to Deny. (Should I also set the Deny Read option?)

    I can see that when the user logs in, gpresult shows that the Domain Password GP is applied; however, he still gets the same restrictions as the rest of the domain.

    Q: What am I doing wrong? How can I exclude a user from a domain policy?

    Much appreciated

  • Saariko
    Saariko over 12 years
    Thanks. According to you: 1. As I work with 2k3, this is not possible. 2. The password policies now ARE NOT ENFORCED, as they are not in the Default Domain Policy? Is this correct?
  • Deb
    Deb over 12 years
    @Saariko Turns out I was wrong (technet.microsoft.com/en-us/library/cc875814.aspx). The password settings only apply to a GPO linked to the root of the domain.