Granted we’re quite new to AD, but I thought I had this right.
We’ve set the Default Domain Policy to enforce password complexity and length for our single domain. The Default Domain Policy GPO is NOT “Enforced”. I have a set of user and service accounts that I need to have exempt from the password settings, so I created an OU called “Exempt” on which I’ve blocked inheritance. Checking the Group Policy Inheritance tab for the OU “Exempt” in the GPMC confirms no inherited GPOs, and there are no GPOs whatsoever linked to this OU. I’ve replicated from the DC that holds most of the FSMO roles to the other 2 DCs (we’re in mixed mode).
My problem is that I cannot set a “simple” password (4 characters, all upper case) that doesn’t meet the otherwise domain-wide complexity/length settings for a user account in the “Exempt” OU.
Are the password settings unblockable when set by the Default Domain Policy? Should I not set password complexity in the Default Domain Policy, and instead set up a separate GPO at the domain root for passwords? Would I then be able to block inheritance of the password policy for our “Exempt” OU? At a broader level, assuming it’s supposed to be blockable, is blocking the Default Domain Policy a good idea in the first place?
Thanks in advance, and my apologies if these are really lame questions.