Conflicting GPO's on Different OU's


  • Conflicting GPO's on Different OU's

    I have a GPO on the Users OU that sets the password length to be 8 characters. However, on the workstation OU, the policy is set to 4 characters. How do I know which policy took precedence?

    Also, when I do GPResults, I only see the GPO’s set for the user, not workstation.

  • #2
    Re: Conflicting GPO's on Different OU's

    Two issues at hand:

    1) Password policy can only be linked to the domain object (to affect Domain Users). There can only be one password policy in the domain (with the exception of AD 2008 with Fine Grained Password Policies, FGPP). If you create a GPO with password policy settings and apply it to an OU, it will affect the computer objects in the OU and the local users defined on those computers will be impacted.

    2) You cannot apply policy to either of these default system containers, Users and Computers.


    You may also be interested in knowing that GPOs have two configuration sections, one for Users and one for Computers. If you enable settings in the user section and link the GPO to an OU, the GPO settings will ONLY apply to the user objects in that OU. Same goes for computer settings, as they will only apply to computer objects in the OU.
    JM @ IT Training & Consulting
    http://www.itgeared.com



    • #3
      Re: Conflicting GPO's on Different OU's

      I am not using the default OU's. We have one OU for Users called CorpUsers and another OU for workstations called CorpMachines. Each OU has a policy for passwords. The policy for CorpUsers has passwords set to 4 characters while the policy for workstations has it set to 8.

      So now the user has two policies set since his machine has a policy and his user ID. Which one takes precedence?



      • #4
        Re: Conflicting GPO's on Different OU's

        A password policy applied to the CorpUsers OU is not going to apply any settings to the user objects in that OU. First, look at the GPO settings. The password policy is contained in the computer configuration section. This policy cannot be applied to user objects. Link this policy to the domain object. Linking it to the domain object will affect all the domain users.

        Now the policy you applied to CorpMachines, WILL apply to the computer objects in that OU. However, the policy will affect the local accounts defined on those computers. It will not apply to any domain users logging on to those systems.

        If you want to apply different password policies for different groups of users, your only option at this time is to use FGPPs.

        So, I understand what you are trying to accomplish, but password policy doesn't work that way.
        JM @ IT Training & Consulting
        http://www.itgeared.com



        • #5
          Re: Conflicting GPO's on Different OU's

          Ok, just to clarify, I am inheriting someone else's design and need to understand what they did.

          So just to clarify, the password requirements are NOT set on users, but computers. Is that correct? So anything that is listed under Computer Configurations should be set on the Workstations OU and anything under User Configuration should be on the User's OU.

          In my case, I have two GPO's that are applied to the user & workstations and each GPO has assigned a password length. What you are saying is that since the GPO setting for passwords is under Computer Configurations it will never take place on a user's account or any account in that OU. The setting that was applied on the workstation GPO is the policy that will take effect.



          • #6
            Re: Conflicting GPO's on Different OU's

            "What you are saying is that since the GPO setting for passwords is under Computer Configurations it will never take place on a user's account or any account in that OU." - That is correct. If you configure a GPO with computer settings, it will NOT apply to the user objects in that OU. It will only apply to the computer objects.


            When your intention is to apply password policies to users, the GPO must be linked to the domain object. Password policy will impact all domain users, not because the user objects are under the domain object in the hierarchy, but because the policy will be applied to the domain controllers which store domain users.

            If you apply a password policy at the OU level, it will be applied to the computers in the OU and will impact the local users defined on those computers.
            JM @ IT Training & Consulting
            http://www.itgeared.com

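One way to check which password policy is actually in force for a domain user and for a workstation's local accounts, following the answers above. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the function name `Get-EffectivePasswordPolicy` and the account `jdoe` are placeholders.

```powershell
# Added example: report the password policy that really governs a domain user.
# Assumes the RSAT ActiveDirectory module; 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # A fine-grained password policy (FGPP), assigned to the user or to one of
    # the user's groups, wins over the domain policy. The cmdlet returns
    # nothing when no FGPP applies to this account.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) {
        return [pscustomobject]@{
            User              = $SamAccountName
            Source            = "FGPP: $($pso.Name)"
            MinPasswordLength = $pso.MinPasswordLength
            ComplexityEnabled = $pso.ComplexityEnabled
            MaxPasswordAge    = $pso.MaxPasswordAge
        }
    }

    # Otherwise the single domain-wide policy applies (set by a GPO linked to
    # the domain object). Password settings in OU-linked GPOs never reach here.
    $domain = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        User              = $SamAccountName
        Source            = 'Default domain password policy'
        MinPasswordLength = $domain.MinPasswordLength
        ComplexityEnabled = $domain.ComplexityEnabled
        MaxPasswordAge    = $domain.MaxPasswordAge
    }
}

Get-EffectivePasswordPolicy -SamAccountName 'jdoe'

# List every FGPP defined in the domain, lowest Precedence value first
# (the lowest value wins when several apply to the same user).
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo

# On a workstation in the OU (elevated prompt): the password policy from an
# OU-linked GPO shows up here, because it governs that machine's LOCAL accounts.
net accounts

# Computer-scope GPO results are only shown from an elevated prompt;
# a non-elevated gpresult lists the user scope only.
gpresult /r /scope computer
```

Run the Active Directory queries from an admin workstation and the last two commands on a machine in the workstation OU; comparing `MinPasswordLength` from the function with the "Minimum password length" line of `net accounts` shows the domain-user and local-account policies side by side.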