Q: Can I apply a different password policy to two different Active Directory (AD) organizational units (OUs)?

A: No, AD doesn't support different password policies on different OUs -- but you can use a workaround that calls on shadow groups, which I'll explain. In Windows Server 2008, Microsoft introduced fine-grained password policies that let administrators apply different password policies to AD user and global security group objects. However, fine-grained password policies can't be applied to an AD OU.

As a workaround, you can use shadow groups to apply a fine-grained password policy to the users that are contained in an OU. A shadow group is a global security group that you "logically map" (meaning that the mapping doesn't require AD configuration changes) to an OU to enforce a fine-grained password policy. To ease administration, you should align shadow group naming with your OU naming scheme.

When using shadow groups, you create a global security group for each OU where you want to apply another password policy and add the users that are in the OU as members of the newly created shadow group. You can then apply different fine-grained password policies to the different shadow groups. Keep in mind that when using shadow groups, if you move a user from one OU to another, you'll also need to update the membership of the corresponding shadow groups; otherwise the user keeps the old OU's policy.
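The following PowerShell is an added example (not part of the original column) showing the shadow-group workaround end to end with the ActiveDirectory module: create the group, create and link the fine-grained password policy, reconcile membership with the OU so moved users are picked up, and verify the resultant policy. The OU distinguished name, group name, PSO name and policy values are placeholders; adjust them for your forest.

```powershell
# Added example, not from the original column. Names and DNs below are assumptions.
Import-Module ActiveDirectory

$OuDn      = 'OU=Finance,DC=example,DC=com'   # OU whose users need the stricter policy
$GroupName = 'SG-PSO-Finance'                  # shadow group, named after the OU
$PsoName   = 'PSO-Finance'

# 1. Create the global security group once (shadow groups must be global security groups).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $OuDn -Description "Shadow group for $OuDn (fine-grained password policy)"
}

# 2. Create the PSO once and link it to the shadow group (a PSO cannot target the OU itself).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MaxPasswordAge (New-TimeSpan -Days 90) -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) -LockoutDuration (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# 3. Reconcile membership: users in the OU subtree vs. current group members.
#    Schedule this so users moved into or out of the OU gain or lose the PSO.
$inOu = Get-ADUser -Filter * -SearchBase $OuDn -SearchScope Subtree |
    Select-Object -ExpandProperty DistinguishedName
$members = Get-ADGroupMember -Identity $GroupName |
    Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty DistinguishedName

$toAdd    = @($inOu    | Where-Object { $_ -notin $members })
$toRemove = @($members | Where-Object { $_ -notin $inOu })

if ($toAdd.Count)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
if ($toRemove.Count) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

# 4. Verify what actually applies: if a user is in several PSO-linked groups,
#    the PSO with the lowest Precedence value wins, not the one for "their" OU.
Get-ADUser -Filter * -SearchBase $OuDn -SearchScope Subtree | ForEach-Object {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $_
    [pscustomobject]@{ User = $_.SamAccountName; ResultantPSO = if ($pso) { $pso.Name } else { 'Default Domain Policy' } }
}
```

Step 4 matters because users who belong to more than one shadow group receive only the highest-precedence PSO, so the resultant policy is the thing to audit, not group membership alone.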
