Hi @CCMSS CCMSS, the password policy is applied at the domain level. If you want to configure a separate password policy for users, you need to use Fine Grained Password Policy. Refer https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy.
How to override the default domain password policy
I have a Windows 2016 server as a domain controller. I tried to set a password policy on a dedicated OU; RSoP shows the policy has been applied successfully, but it is not working. It still follows the password settings in the default domain policy.
2 answers
Fan Fan 15,221 Reputation points
2020-12-01T01:45:32.897+00:00
Hi,
All account policies settings (include the password policy) applied by using Group Policy are applied at the domain level.
Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).
As you tested, if these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers.
You can use fine-grained password policies to specify multiple password policies in a single domain and apply different restrictions for password and account lockout policies to different sets of users in a domain.
For more details you can refer to: https://learn.microsoft.com/en-us/archive/blogs/canitpro/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad
Best Regards,
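As an added illustration of the answer above (this is not code from the thread or from Microsoft's docs), the following PowerShell shows the fine-grained password policy (FGPP) route end to end: read the single domain-wide policy that an OU-linked GPO cannot override, check the domain functional level FGPP requires, create a Password Settings Object, apply it through a global security group, and verify what a given user actually gets. It assumes the ActiveDirectory module (RSAT) is available and that you run it as a Domain Admin; the group name, PSO name, user name and all policy values are hypothetical.

```powershell
# Added example, not part of the original thread. Requires the ActiveDirectory
# module and Domain Admin rights. Names and values below are hypothetical.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. The one Account Policy for the domain. This is what domain accounts
#    follow regardless of any GPO linked to an OU; only a GPO linked at the
#    domain root with higher precedence than Default Domain Policy changes it.
Write-Host "Domain-wide password policy:"
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
                MinPasswordAge, MaxPasswordAge, LockoutThreshold

# 2. Fine-grained password policies need the Windows Server 2008 domain
#    functional level or higher (the PSO schema objects do not exist below it).
$required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$required) {
    throw "Domain functional level $($domain.DomainMode) is too low for FGPP; raise it first."
}

# 3. PSOs apply to users and global security groups, not to OUs, so the
#    usual pattern is one global group per policy. (Hypothetical names.)
$groupName = 'PSO-ServiceAccounts'
$psoName   = 'ServiceAccounts-Strict'
$userName  = 'svc-backup'

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$($domain.DistinguishedName)" `
        -Description 'Members receive the ServiceAccounts-Strict PSO'
}

# 4. Create the PSO. Precedence: when a user is covered by several PSOs the
#    LOWEST number wins, and a PSO linked directly to the user beats any
#    group-linked PSO. Leave room below your numbers for future exceptions.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
        -LockoutThreshold 10 -LockoutObservationWindow '00:15:00' -LockoutDuration '00:30:00' `
        -ReversibleEncryptionEnabled $false `
        -Description 'Stricter password and lockout settings for service accounts'
}

# 5. Link the PSO to the group and put the account in the group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
Add-ADGroupMember -Identity $groupName -Members $userName

# 6. Verify. This is the FGPP counterpart of RSoP: it returns the winning PSO
#    for the user, or nothing if the user falls back to the domain-wide policy.
$effective = Get-ADUserResultantPasswordPolicy -Identity $userName
if ($null -eq $effective) {
    Write-Warning "$userName has no PSO; the domain-wide policy applies."
} else {
    Write-Host "Effective policy for ${userName}:"
    $effective | Format-List Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
}
```

Two caveats worth knowing when you test this: a PSO takes effect for a user on the next password change or lockout evaluation, not retroactively on existing passwords, and group membership is read from AD directly, so there is no `gpupdate` step and `gpresult`/RSoP will never show a PSO; `Get-ADUserResultantPasswordPolicy` (or the user's `msDS-ResultantPSO` attribute) is the check to use.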