How to override the default domain password policy

CCMSS CCMSS 1 Reputation point

I have a Windows 2016 server as a domain controller. I tried to set a password policy to a dedicated OU, the ROSP shown the policy has been acquired successfully but it is not working. It still follow the password setting in the default domain policy.

A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
3,068 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Abhijeet-MSFT 531 Reputation points Microsoft Employee

    Hi @CCMSS CCMSS , The password policy is applied at the domain level. If you want to configure a separate password policy for users, you need to use Fine Grained Password Policy. Refer

    0 comments No comments

  2. Fan Fan 15,221 Reputation points


    All account policies settings (include the password policy) applied by using Group Policy are applied at the domain level.

    Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).

    As you tested ,If these policies are set at any level below the domain level in Active Directory Domain Services (AD DS), they affect only local accounts on member servers.

    You can use fine-grained password policies to specify multiple password policies in a single domain and apply different restrictions for password and account lockout policies to different sets of users in a domain.
    For more details you can refer to :

    Best Regards,