block the domain controllers from inheritance of domain password policy

超 马 201 Reputation points
2021-03-01T06:01:42.947+00:00

Hello MSFT,

I have a question about domain password policy. I've learned that the domain password policy can only be configured at the domain level if you need to apply the policy to the domain user accounts. However, Group Policy is executed by a domain controller with the role of PDC emulator. Here's the thing: if I block the domain controllers from inheritance, the domain password policy cannot be applied to the domain computers and domain users. In this case, is there a solution or workaround?

By the way, is fine-grained password policy executed by the PDC emulator server as well?

Thanks in advance.


2 answers

  1. Fan Fan 15,326 Reputation points Microsoft Vendor
    2021-03-02T00:44:12.537+00:00

    Hi,
    The password policy from the Default Domain Policy is enforced by the domain, which means that the password policy can't be blocked.
    The password policy is a computer policy; all the PCs in the domain will apply the policy. This means that all the users who log on to the PCs within the domain will have the password policy applied.
    If you deploy the fine-grained password policy for the specific users and groups, the FGPP will be executed. But fine-grained password policy can't be only deployed to users and global groups.
    For more information you can refer to:
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-policies
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy

    Best Regards,


  2. 超 马 201 Reputation points
    2021-03-02T02:51:16.287+00:00

    Hi FanFan,

    Thank you for the info, but I think you didn't understand my questions. First of all, password policy is a part of Group Policy. And Group Policy is stored in the SYSVOL folder, which will be copied to the PDC emulator server before being distributed to the domain computers. So if I block the domain controllers from inheritance of GP/password policy/Default Domain Policy at the domain level, the password policy won't be copied to the PDC emulator server. (At least in my test environment, it works like this.)

    Secondly, password policy at the OU level cannot be applied to domain users.


    So if the domain controllers are blocked from inheritance of the password policy, is there a workaround to apply the password policy to the domain computers? If FGPP is not distributed by the PDC emulator server, I think it could be a workaround.
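The two points raised in this thread, the effect of blocking inheritance on the Domain Controllers OU (original question and follow-up) and FGPP applying only to users and global groups (first answer), can both be checked from an admin workstation. The script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory and GroupPolicy RSAT modules, and the PSO name, group name and user name are placeholders. Unlike the Default Domain Policy, a FGPP lives in the AD database (Password Settings Container) and replicates with it, so it does not depend on SYSVOL or GPO inheritance.

```powershell
# Added example (not from the thread). Placeholders: PSO-Admins, FGPP-Admins, jdoe.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$dcOu   = "OU=Domain Controllers,$($domain.DistinguishedName)"

# 1. Audit: is GPO inheritance blocked on the Domain Controllers OU? If it is, the
#    account-policy settings of the Default Domain Policy no longer reach the DCs,
#    which are the machines that actually enforce the domain password/lockout policy.
$inh = Get-GPInheritance -Target $dcOu
if ($inh.GpoInheritanceBlocked) {
    Write-Warning "GPO inheritance is blocked on $dcOu; domain account policy will not be enforced by the DCs."
}
# GPOs that still apply to the OU (linked directly or inherited, unless blocked)
$inh.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced

# 2. The domain-wide password policy as the directory currently holds it
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled, LockoutThreshold

# 3. Fine-grained password policy: created in AD, not as a GPO, and applied to a
#    global security group (subjects must be users or global groups).
$psoName = "PSO-Admins"     # placeholder
$group   = "FGPP-Admins"    # placeholder global security group
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# 4. Verify the resultant policy for a member. The lowest Precedence PSO wins;
#    $null means no PSO applies and the user falls back to the domain policy.
$rsop = Get-ADUserResultantPasswordPolicy -Identity "jdoe"   # placeholder user
if ($rsop) {
    $rsop | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
} else {
    Write-Host "No PSO applies to jdoe; the Default Domain Policy settings are in effect."
}
```

Run the audit part (steps 1, 2 and 4) read-only first; step 3 changes the directory and needs rights on the Password Settings Container.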