Shulou(Shulou.com)06/02 Report--

Group Policy configuration issu

Today, a buddy in the group encountered a problem. He needs to set a special password policy for some new administrative accounts. He imitated the settings in defaut domain policy, created a new one, and then applied it to the corresponding OU. It sounds like a reasonable operation, but it doesn't work.

A seemingly correct configuration does not work.

This problem actually involves how to fine-grained set a special password policy for some people in AD. In GPO, when you set a password policy, everyone is used to deploying it on the root node, or, more easily, modifying it directly in default domain policy. The fine-grained setup process is different. It is not modified in the group policy managment tool, but in ADSIEdit or Active Directory Administrative Center (ADAC).

Open the posture correctly:

Take ADSIEdit as an example:

Open ADSIEdit- > CN=SYSTEM- > CN=Password Settings Container, and select create a new Object

Take a name.

The prefix of this object to distinguish it from others (for example, if a user has applied more than N)

Number of password history

Whether to enable password complexity

Minimum password length

Minimum number of days of password

Maximum number of days of password

Failed to lock the account several times

Locked observation period

Locking length

End

Created object

Modify the msDS-PSOAppliesTo property

Just assign the corresponding security group.

test

After you are done, you can log in to a server and have a look, and you will be prompted to change the password. It is successful.

Finally, open it in ADAC and you can see the same configuration content.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.