How to override the default domain password policy

CCMSS CCMSS 1 Reputation point
2020-11-30T09:06:20.693+00:00

I have a Windows 2016 server as a domain controller. I tried to set a password policy on a dedicated OU; RSOP showed that the policy had been applied successfully, but it is not working. It still follows the password settings in the Default Domain Policy.

Windows Group Policy

2 answers

  1. Abhijeet-MSFT 526 Reputation points Microsoft Employee
    2020-11-30T10:19:23.65+00:00

    Hi @CCMSS CCMSS , The password policy is applied at the domain level. If you want to configure a separate password policy for users, you need to use Fine Grained Password Policy. Refer https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy.

  2. Fan Fan 15,186 Reputation points
    2020-12-01T01:45:32.897+00:00

    Hi,

    All account policy settings (including the password policy) applied by using Group Policy are applied at the domain level.

    Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).

    As you tested, if these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers.

    You can use fine-grained password policies to specify multiple password policies in a single domain and apply different restrictions for password and account lockout policies to different sets of users in a domain.
    For more details you can refer to: https://learn.microsoft.com/en-us/archive/blogs/canitpro/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad

    Best Regards,
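Both answers point to Fine-Grained Password Policies (FGPP) as the supported way to give one set of users a different password policy without touching the domain-wide Default Domain Policy. The script below is an added example, not code from either answer or from Microsoft's documentation: it creates a Password Settings Object (PSO) with the ActiveDirectory PowerShell module (RSAT), links it to a global security group instead of an OU (PSOs apply to users and global security groups, never to OUs), and then reports which policy actually governs each member so you can confirm the OU-linked GPO was never the controlling setting. The PSO name `PSO-Finance-Strong`, the group `Finance-Users` and the sample user `jdoe` are placeholders; the cmdlets and parameters are the module's real ones. It assumes a domain functional level of Windows Server 2008 or higher and Domain Admins rights.

```powershell
# Added example (not from the thread): replace an OU-linked password GPO with a PSO.
# Placeholders: PSO-Finance-Strong, Finance-Users, jdoe.
Import-Module ActiveDirectory

# Precondition: FGPP needs domain functional level Windows2008Domain or higher.
$domain = Get-ADDomain
if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level $($domain.DomainMode) does not support fine-grained password policies."
}

$psoName = 'PSO-Finance-Strong'   # placeholder PSO name
$group   = 'Finance-Users'        # placeholder global security group that receives the policy

# Settings for the new PSO. Precedence decides which PSO wins when a user matches
# several; the lowest number takes effect. Splatting avoids trailing-backtick errors.
$psoSettings = @{
    Name                            = $psoName
    Description                     = 'Stricter policy for finance staff (placeholder)'
    Precedence                      = 10
    ComplexityEnabled               = $true
    MinPasswordLength               = 14
    PasswordHistoryCount            = 24
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    MaxPasswordAge                  = (New-TimeSpan -Days 90)
    LockoutThreshold                = 10
    LockoutObservationWindow        = (New-TimeSpan -Minutes 15)
    LockoutDuration                 = (New-TimeSpan -Minutes 15)
    ReversibleEncryptionEnabled     = $false   # keep reversible storage off; it exposes plaintext-equivalent secrets
    ProtectedFromAccidentalDeletion = $true
}

# Create the PSO only if it does not already exist, so the script is safe to re-run.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @psoSettings
}

# Bind the PSO to the group. Subjects may be users or global security groups, not OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verification: for every member of the group, show the resultant PSO. When the cmdlet
# returns nothing, no PSO applies and the Default Domain Policy is in force for that user.
function Get-EffectivePasswordPolicyReport {
    param([Parameter(Mandatory)][string]$GroupName)

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            [pscustomobject]@{
                User            = $_.SamAccountName
                EffectivePolicy = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
                MinLength       = if ($pso) { $pso.MinPasswordLength } else { (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength }
                Precedence      = if ($pso) { $pso.Precedence } else { $null }
            }
        }
}

Get-EffectivePasswordPolicyReport -GroupName $group | Format-Table -AutoSize

# Single-user spot check (placeholder account).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```

Two points worth noting from a defender's side. First, `Get-ADUserResultantPasswordPolicy` is the authoritative check, not RSOP: RSOP reports that a GPO was processed, which is exactly what the original poster saw, while the password settings in a GPO linked below the domain root only change local accounts on the member servers in that OU. Second, setting `ProtectedFromAccidentalDeletion` and auditing `Get-ADFineGrainedPasswordPolicy -Filter *` periodically matters, because a low-precedence PSO with weak settings silently overrides the domain policy for whoever is made its subject.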