Active directory password - additional policy

Step to IT 125 Reputation points
2024-04-10T10:04:47.7433333+00:00

Hello!

Can you tell me please, do I understand correctly that, as it was before and is still the case, it is impossible to configure different password policies for PCs and users in the AD domain via group policy (gpmc / gpedit)?

Even if you create a new OU and target it with a new policy with password settings, the new data will be displayed, but will not actually be applied, is that right? And the only working option for creating different password requirements is FGPP?

And what will happen if the “Domain password settings” policy is applied on the domain, indicating the necessary settings, and another policy is applied on the OU with DC, like “Domain Controller password settings”? Which settings will be applied and will there be any difference at all from the second policy for DC?


Accepted answer
  1. Anonymous
    2024-04-11T01:50:04.17+00:00

    Hello Step to IT,

    Thank you for posting in Q&A forum.

    it is impossible to configure different password policies for PCs and users in the AD domain via group policy (gpmc / gpedit)?
    A1: Yes, based on my knowledge, I think so.

    Even if you create a new OU and target it with a new policy with password settings, the new data will be displayed, but will not actually be applied, is that right? And the only working option for creating different password requirements is FGPP?

    A2: Yes. If you want to configure a password policy different from the default domain password policy, you can configure FGPP.

    And what will happen if the “Domain password settings” policy is applied on the domain, indicating the necessary settings, and another policy is applied on the OU with DC, like “Domain Controller password settings”? Which settings will be applied and will there be any difference at all from the second policy for DC?
    A3: Password policy within "Default Domain Policy" will be applied (in my test).

    FGPP is applied to users or groups. Default domain policy is applied to domain-joined computers.

    For the same users or groups, if there is a default domain password policy and FGPP is applied, the priority of FGPP is higher than the default domain password policy.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou


1 additional answer

  1. Marcin Policht 49,640 Reputation points MVP Volunteer Moderator
    2024-04-10T10:17:55.6766667+00:00

    Not exactly.

    The password policy defined in the Default Domain Policy GPO applies by default to domain accounts and local accounts on domain-joined computers.

    You can modify the password policy of local accounts on domain-joined computers by using GPOs linked to OUs where the domain-joined computers reside.

    You can modify the password policy of individual domain accounts by using FGPP.



    hth

    Marcin
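
The FGPP behaviour described in both answers can be set up and checked with the ActiveDirectory PowerShell module. This is an added example, not code from either answer: the PSO name, group name and policy values are hypothetical, and it assumes an account allowed to create password settings objects.

```powershell
#Requires -Modules ActiveDirectory
# Hypothetical names and values, constructed for this example.
$PsoName   = 'PSO-PrivilegedAdmins'
$GroupName = 'Privileged-Admins'    # FGPP subjects are users or global security groups

# Create the password settings object (PSO) only if it is not there yet.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 16 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}

# Link the PSO to the group unless it is already a subject.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName
if ($subjects.Name -notcontains $GroupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# Report which policy each member actually gets. The resultant-policy cmdlet
# returns nothing when no PSO applies, so the domain default is the fallback.
$default = Get-ADDefaultDomainPasswordPolicy
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User      = $_.SamAccountName
            Source    = if ($pso) { "FGPP: $($pso.Name)" } else { 'Default Domain Policy' }
            MinLength = if ($pso) { $pso.MinPasswordLength } else { $default.MinPasswordLength }
            Lockout   = if ($pso) { $pso.LockoutThreshold } else { $default.LockoutThreshold }
        }
    } | Format-Table -AutoSize
```

Running the report section against accounts outside the group shows them falling back to the values from the domain password policy.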

