EhsanShakeeb-3732 asked LimitlessTechnology-2700 answered

Fine-Grained Password policy on OU and Password Never Expire

Hi,

I have two different questions:

  1. Can I apply a fine-grained password policy to an OU? This OU is also synced with Azure AD Connect.

  2. In our existing AD there is no default password policy applied. I would like to apply the password policy now through the default domain policy, but I would like to make an exception for a few users, such as the service users used for our ERP, and a few important users too.

If I set password never expires on these users, does the new default domain policy override the password never expires feature?

Kindly advise.

Thanks,
Ehsan


Tags: windows-active-directory, windows-group-policy

GaryReynolds answered

Hi @EhsanShakeeb-3732

The answer to both questions depends on how you have configured your AD sync. If you have enabled PTA, then the answer to both questions is yes, as any password changes or logons are validated by the on-premise DC and FGPP will be honoured. You can exclude users and service accounts by setting the password to not expire in the on-premise AD.

Gary.


LimitlessTechnology-2700 answered

Hi there,

In order to use fine-grained passwords, your domain needs to be Windows Server 2008 Domain Functional Level or higher. This essentially means that all Domain Controllers in your domain need to be Windows Server 2008 or higher and the domain functional level raised to at least Windows Server 2008. Additional password policies are applied to users or groups, not OUs.

Each PSO object has a setting called Password Settings Precedence. This value determines which PSO will be used when multiple PSO objects are being applied. The PSO with the lowest value will be used, with the lowest value being 1. If there are multiple PSOs with the same Password Settings Precedence value, then the PSO with the lowest GUID will be used. Every object in Active Directory has a unique GUID that acts as a serial number for the object, thus one PSO will always have a lower GUID.



--If the reply is helpful, please Upvote and Accept it as an answer--
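
Added example, not part of either answer above: because a PSO is applied to users or groups and not to an OU, one way to cover the accounts in an OU is to mirror them into a global security group, apply the PSO to that group, and then check which PSO wins by precedence. The OU path, group name, PSO name, account name and all policy values are hypothetical placeholders.

```powershell
# Added example. Every name, path and policy value below is a placeholder.
Import-Module ActiveDirectory

$ou        = 'OU=ServiceAccounts,DC=example,DC=com'   # hypothetical OU
$groupName = 'PSO-ServiceAccounts-Members'            # hypothetical shadow group
$psoName   = 'PSO-ServiceAccounts'                    # hypothetical PSO name

# A PSO cannot be linked to an OU, so mirror the OU's users into a
# global security group and apply the PSO to that group instead.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ou
}

# Add only the users that are not members yet, so the script can be re-run
# (for example on a schedule) as accounts are added to the OU.
$current = @(Get-ADGroupMember -Identity $groupName |
             Select-Object -ExpandProperty distinguishedName)
$missing = @(Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * |
             Where-Object { $current -notcontains $_.DistinguishedName })
if ($missing.Count -gt 0) {
    Add-ADGroupMember -Identity $groupName -Members $missing
}

# Create the PSO once and apply it to the group. Precedence 10 leaves room
# for a PSO with a lower (winning) value for another set of accounts.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
        -LockoutThreshold 0 -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# List every PSO with the values that decide which one is used:
# lowest Precedence first; ObjectGUID is shown for the tie case.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, ObjectGUID, AppliesTo

# Show the PSO that actually applies to one account. Empty output means
# no PSO applies and the domain password policy is in effect.
Get-ADUserResultantPasswordPolicy -Identity 'svc-erp'   # hypothetical account
```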
