Password Complexity in GPO

John · Guest

Hi Everyone,

If a GPO is applied to an OU and has the setting for 'Complex passwords'
enabled, what happens to the user (who previously did not have a complex
password) when the computer locks or restarts?

Are they required to change their password at next logon, or are they
prompted immediately to change it? Thanks in advance!

John Strohecker · Guest

In your specific scenario, nothing will happen. GP for password complexity
must be enabled at the domain level.

To answer your question though, if you change the pw policy for the domain I
am pretty sure your user will not have to change anything until their
password expires or they opt to change it. At that point they will need to
provide a new, complex password that matches the settings in your GPO.
--
John Strohecker, MCSE

"John" wrote:

Jorge Silva · Guest

Hi

If you want to apply "Complex Passwords" at domain level then you must
define them at Domain level.

If you want to apply "Complex Passwords" at local SAM Accounts level then
you can apply at OU level.
--
I hop that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator

"John" <John@discussions.microsoft.com> wrote in message
news:5F2CBC9C-A1EC-4C25-89F2-9F7EE7AFEBD8@microsoft.com...

John Strohecker · Guest

Jorge,

Can you provide a link showing how this works? I ask because I am pretty
darn sure that password policies are defined at the domain level for all
systems. To have seperate security policies you have to create a subdomain
that has a different security policies. I am certain that this was a
question on at least two of the exams required for MCSE, but its always
possible something has changed since I tested.

You can change password complexity requirements for individual machines,
without creating a subdomain, but that will only apply to users logging on to
that specific box, and GPOs assigned at any level in AD wouldn't apply to
that. You would have to do it on each seperate box.

If I am wrong, please show me. I'd like to see it. Thanks -- John
--
John Strohecker, MCSE

"Jorge Silva" wrote:

Jorge Silva · Guest

Hi John

Just test it, you will see that when you define Password policies at OU
Level these policies are applied at local User SAM database.

Just make a simple OU, place there a computer to test, define at OU level a
different Password policie, reboot the computer, then try to create a local
account in that computer with different password policies that were defined
in GPO at OU level (You simple can't)

You can make a simple test:

GPO at Domain Level = Password must meet complexity requirements = Disabled.
GPO at OU Level = Password must meet complexity requirements = Enabled.

If you create a local user account with password 123, you'll see that fails
because the Password must meet complexity requirements, as defined in the
GPO at OU level.

However if you try to create a user account in AD you can define the
password without meet complexity requirements .

--
I hop that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator

"John Strohecker" <john.strohecker@diespammerdiegmail.com> wrote in message
news:7B6B5267-7CC7-4440-9431-ECF612F9407E@microsoft.com...