block the domain controllers from inheritance of domain password policy

超 马 201 Reputation points
2021-03-01T06:01:42.947+00:00

Hello MSFT,

I have a question about domain password policy. I've learned that the domain password policy can be only configured at the domain level if you need to apply the policy to the domain user accounts. However Group Policy is executed by a domain controller with the role of PDC emulator. Here's the thing, if I block the domain controllers from inheritance, the domain password policy cannot be applied to the domain computers and domain users. In this case, is there a solution or workaround?

By the way, is fine-grained password policy executed by PDC emulator server as well?

Thanks in advance.

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,932 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,060 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Fan Fan 15,306 Reputation points Microsoft Vendor
    2021-03-02T00:44:12.537+00:00

    Hi,
    The password policy from the default domain policy is enforced by the domain , it means that the password can't be blocked.
    The password policy is a computer policy, all the PCs in the domain will apply the policy. This means that all the users logon to the PCs within the domain will apply the password policy.
    If you deploy the fine-grained password policy for the specific users and groups, the fgpp will be executed .But fine-grained password policy can't be only deployed to users and global groups.
    For more information you can refer to :
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-policies
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy

    Best Regards,

    0 comments No comments

  2. 超 马 201 Reputation points
    2021-03-02T02:51:16.287+00:00

    Hi FanFan,

    Thank you for the info but I think you didn't understand my questions. First of all, password policy is a part of Group Policy. And Group Policy is stored at SYSVOL folder, which will be copied to the PDC emulator server before distributing to the domain computers. So if I block the domain controllers from inheritance of GP/password policy/default domain policy at the domain level, the password policy won't be copied to the PDC emulator server. (At least in my test environment, it works like this.)

    Secondly, password policy at the OU level cannot be applied to domain users.

    73247-%E6%8D%95%E8%8E%B7.png
    73167-%E6%8D%95%E8%8E%B7.png

    So if the domain controllers is blocked from inheritance of the password policy, is there a workaround to apply the password policy to the domain computers? If FGPP is not distributed by PDC emulator server, I think it could be a workaround.