In Administering Windows Server Hybrid Core Infrastructure, Microsoft states that the password policy for domain user accounts is determined by the GPO that wins at the domain root (commonly the Default Domain Policy). GPOs linked to OUs do not change the domain password policy for user accounts in those OUs; their password settings affect only local accounts on computers within those OUs. The exception for domain accounts is a Fine-Grained Password Policy (PSO) scoped to users or groups. In this case, the Default Domain Policy in contoso.com sets Minimum password length = 10. Therefore, both Admin1 (a domain user in Contoso\OU1) and User1 (in Contoso\OU3) fall under the 10-character minimum; the OU-linked GPO1 (14) does not override the domain password policy for their domain accounts → Admin1: No, User1: Yes.
For member servers and local accounts, the documentation explains that password policy settings in a GPO linked to the OU containing the computer apply to that computer’s local Security Accounts Manager (SAM). In the scenario, Server1 resides in Member Servers, and GPO2, which is linked to Member Servers, specifies Minimum password length = 8. Thus, when Admin1 creates a local account on Server1, the enforced minimum is 8 characters → Yes. This approach follows least privilege and standard precedence: the domain-level policy for domain accounts, OU-linked GPOs for local accounts, unless PSOs are explicitly defined.
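To confirm this precedence in a live environment, the following PowerShell is an added example (not part of the original explanation) that reports which policy actually governs a domain account and what a member server's local SAM enforces. It assumes the ActiveDirectory RSAT module, PowerShell remoting to the server, and English `net accounts` output; the function names are hypothetical, and the account and server names come from the scenario.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: effective minimum length for a DOMAIN account.
function Get-DomainAccountMinLength {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Domain = 'contoso.com'   # domain name from the scenario
    )
    # A PSO scoped to the user (directly or through a group) wins if one applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -Server $Domain
    if ($pso) {
        return [pscustomobject]@{
            Account           = $SamAccountName
            Source            = "PSO: $($pso.Name)"
            MinPasswordLength = $pso.MinPasswordLength
        }
    }
    # Otherwise the domain-wide policy applies, whatever OU the user sits in.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    [pscustomobject]@{
        Account           = $SamAccountName
        Source            = 'Domain password policy'
        MinPasswordLength = $domainPolicy.MinPasswordLength
    }
}

# Hypothetical helper: minimum length enforced by a member server's LOCAL SAM.
function Get-LocalSamMinLength {
    param([Parameter(Mandatory)][string]$ComputerName)
    # On a member server, 'net accounts' reports the local account policy,
    # which is where OU-linked GPO password settings land.
    $line = Invoke-Command -ComputerName $ComputerName -ScriptBlock { net accounts } |
        Where-Object { $_ -match '^Minimum password length' } |
        Select-Object -First 1
    if (-not $line) { throw "Could not read the password policy from $ComputerName" }
    [pscustomobject]@{
        Computer          = $ComputerName
        Source            = 'Local SAM (GPO applied to the computer)'
        MinPasswordLength = [int](($line -split ':')[1].Trim())
    }
}

# Scenario check: both domain users should report the domain value,
# while Server1 should report the value from the GPO linked to its OU.
'Admin1', 'User1' | ForEach-Object { Get-DomainAccountMinLength -SamAccountName $_ }
Get-LocalSamMinLength -ComputerName 'Server1'
```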