I am going to make this short and sweet. I want to not focus on the Password Policy settings and focus just on the deployment of the Password Policy in Active Directory. Here is the reality of the Password Policy in bullet format, for easier consumption:

  • The Password Policy for the domain is defined in the Default Domain Policy Group Policy Object (GPO) by default.

  • The Password Policy for the domain can be placed in any GPO linked to the domain node. These settings do not need to reside in ONLY the Default Domain Policy.

  • The Password Policy settings that have the highest priority (of those GPOs linked to the domain) will be the settings which are effective.

  • KEY POINT! Password Policy settings placed into GPOs linked to organizational units (OUs) do not effect domain user accounts. The Password Policy is a “Computer” based policy, not a “User” based policy, so the settings only effect computer objects, not user objects.

  • Password Policy settings placed into GPOs linked to OUs will affect the computers contained in the OUs, specifically the user accounts located in the security accounts managers (SAMs) of these computers.

  • Without using some other technology (e.g., fine-grained password policy by Microsoft or a third-party product) there can only be one Password Policy per domain.

  • The Password Policy linked to the root domain does not inherit down to child domains.

If you feel that any bullet above is incorrect, I challenge you to test all of your settings by trying to input passwords that would not meet the Password Policy that you feel you have in place. The technology has not changed since Windows 2000 came out. The only change that Microsoft has made to the Password Policy is the ability to create fine-grained password policy objects, which are not associated with Group Policy at all.

Create custom strong, OU/group-based password policies for Active Directory users.
Try ADSelfService Plus | Download Free Trial