One of the most frustrating aspects of life for network administrators of Windows 2000 and Windows 2003 Active Directory domains is the inability to create different password policies for different users or groups according to how the accounts are used. You cannot give some groups a more restrictive password policy, nor give user groups specific password policies that are synchronized with other data sources. Currently, you can create one and only one password policy, specified in the Default Domain Policy, and it applies throughout the domain, regardless.

In fact, the graphical interface of the current Group Policy Management Console is misleading. If we try, for example, to create a new password policy at the level of an OU that we have created in our domain and that contains some user accounts and computer accounts, everything seems to work and we receive no error message. In reality it does not work. The only password policy really in force is the one set at the domain level. A different password policy created at the OU level only affects user accounts that log on locally to the machines contained in that OU; it has no effect on user accounts that regularly access the Active Directory domain.
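One way to confirm this behaviour on a member machine inside the OU, as an added example that is not from the original page: compare the output of `net accounts` (the machine's local account database) with `net accounts /domain` (the policy applied to domain accounts). The two sample outputs below are constructed and assume the English-locale output format; the function names are hypothetical.

```python
# Constructed sample: `net accounts` on a workstation inside the OU
# after an OU-linked GPO with stricter password settings was applied.
LOCAL_SAM = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          30
Minimum password length:                              12
Length of password history maintained:                24
Lockout threshold:                                    Never
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Constructed sample: `net accounts /domain` run from the same machine.
DOMAIN = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Computer role:                                        PRIMARY
The command completed successfully.
"""


def parse_net_accounts(text):
    """Turn 'Label:   value' lines into a dict; skip lines without a value."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.rpartition(":")
        if sep and value.strip():
            settings[key.strip()] = value.strip()
    return settings


def policy_drift(local_text, domain_text, ignore=("Computer role",)):
    """Return {setting: (domain_value, local_value)} where the two differ."""
    local = parse_net_accounts(local_text)
    domain = parse_net_accounts(domain_text)
    return {k: (domain[k], local[k]) for k in domain
            if k in local and k not in ignore and domain[k] != local[k]}


if __name__ == "__main__":
    for name, (dom, loc) in policy_drift(LOCAL_SAM, DOMAIN).items():
        print(f"{name}: domain accounts={dom}, local accounts={loc}")
```

Any setting reported here was changed by the OU-level policy for local accounts only; domain accounts are still held to the value in the domain column.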