block the domain controllers from inheritance of domain password policy

超 马 201 Reputation points
2021-03-01T06:01:42.947+00:00

Hello MSFT,

I have a question about domain password policy. I've learned that the domain password policy can only be configured at the domain level if you need to apply the policy to the domain user accounts. However, Group Policy is executed by a domain controller with the role of PDC emulator. Here's the thing: if I block the domain controllers from inheritance, the domain password policy cannot be applied to the domain computers and domain users. In this case, is there a solution or workaround?

By the way, is fine-grained password policy executed by PDC emulator server as well?

Thanks in advance.


2 answers

  1. Anonymous
    2021-03-02T00:44:12.537+00:00

    Hi,
    The password policy from the default domain policy is enforced by the domain, it means that the password can't be blocked.
    The password policy is a computer policy; all the PCs in the domain will apply the policy. This means that all the users who log on to the PCs within the domain will apply the password policy.
    If you deploy the fine-grained password policy for the specific users and groups, the FGPP will be executed. But fine-grained password policy can't be only deployed to users and global groups.
    For more information you can refer to :
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-policies
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-policy

    Best Regards,


  2. 超 马 201 Reputation points
    2021-03-02T02:51:16.287+00:00

    Hi FanFan,

    Thank you for the info, but I think you didn't understand my questions. First of all, password policy is a part of Group Policy. And Group Policy is stored in the SYSVOL folder, which will be copied to the PDC emulator server before distributing to the domain computers. So if I block the domain controllers from inheritance of GP/password policy/default domain policy at the domain level, the password policy won't be copied to the PDC emulator server. (At least in my test environment, it works like this.)

    Secondly, password policy at the OU level cannot be applied to domain users.


    So if the domain controllers are blocked from inheritance of the password policy, is there a workaround to apply the password policy to the domain computers? If FGPP is not distributed by the PDC emulator server, I think it could be a workaround.
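The following audit script is an added example, not code posted by either participant in this thread or shipped by Microsoft. It shows how an administrator can check the three things the answer and the follow-up disagree about: whether the Domain Controllers OU blocks GPO inheritance, what password policy the domain head currently enforces (the PDC emulator writes the winning GPO settings into attributes on the domain object, which every DC reads at password-change time), and which fine-grained password policies (PSOs) exist and whom they apply to. It uses only the RSAT ActiveDirectory and GroupPolicy cmdlets; the account name `jdoe` is a placeholder, and the domain is whatever the current session is joined to.

```powershell
# Added example (not from the Q&A thread): audit GPO inheritance on the
# Domain Controllers OU, the effective domain password policy, and any PSOs.
# Requires RSAT (ActiveDirectory and GroupPolicy modules) and domain read access.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$dcOu   = "OU=Domain Controllers,$($domain.DistinguishedName)"

# 1. Does the Domain Controllers OU block inheritance? If it does, domain-linked
#    GPOs such as the Default Domain Policy no longer reach the DCs, which is the
#    situation described in the question.
$inh = Get-GPInheritance -Target $dcOu
"Domain Controllers OU blocks inheritance: $($inh.GpoInheritanceBlocked)"
"GPOs linked directly to the Domain Controllers OU:"
$inh.GpoLinks | ForEach-Object {
    "  {0} (enabled={1}, enforced={2})" -f $_.DisplayName, $_.Enabled, $_.Enforced
}
"GPOs linked at the domain level (inherited by the DCs unless blocked):"
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks | ForEach-Object {
    "  {0} (enabled={1}, enforced={2})" -f $_.DisplayName, $_.Enabled, $_.Enforced
}

# 2. What does the domain itself enforce right now? These values are read from
#    attributes on the domain head (minPwdLength, pwdHistoryLength, maxPwdAge, ...),
#    which the PDC emulator populates from the winning password-policy GPO.
#    Compare them with the GPO settings to spot a policy that is no longer applied.
"`nEffective domain password policy (domain head attributes):"
Get-ADDefaultDomainPasswordPolicy | Format-List MinPasswordLength, PasswordHistoryCount,
    MaxPasswordAge, MinPasswordAge, ComplexityEnabled, ReversibleEncryptionEnabled,
    LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 3. Fine-grained password policies are objects under
#    CN=Password Settings Container,CN=System,<domain>. They are evaluated by the DC
#    that processes the password change, not distributed through Group Policy, and
#    can be applied only to users and global security groups.
"`nFine-grained password policies and their subjects:"
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    "  {0}: precedence={1}, minLength={2}" -f $_.Name, $_.Precedence, $_.MinPasswordLength
    Get-ADFineGrainedPasswordPolicySubject -Identity $_.Name | ForEach-Object {
        "      applies to: {0} ({1})" -f $_.Name, $_.ObjectClass
    }
}

# 4. For one account, which policy wins? The cmdlet returns the applicable PSO with
#    the lowest precedence, or nothing when the domain policy governs the account.
$user = "jdoe"   # placeholder account name, not a value from the thread
$pso = Get-ADUserResultantPasswordPolicy -Identity $user
if ($pso) { "`n$user is governed by PSO '$($pso.Name)'" }
else      { "`n$user is governed by the domain password policy" }
```

Run it from an elevated PowerShell session on a domain-joined administrative workstation. Step 2 is the useful check for the question's scenario: if the values printed there differ from what the Default Domain Policy GPO specifies, the GPO is not being applied to the PDC emulator and the domain is enforcing stale settings.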

