Apply a password group policy separate from the Default Domain Policy

group-policy password-policy

I'm trying to keep my Default Domain Policy clean and standard and I want to make a GPO for my password policies.

I made it but it still gets the policies from the Default Domain Policy object.

I imagine that it gets that one because it is the most restrictive one, but I would enjoy one where I can make a copy of the Default Domain Policy, edit that one, and then apply that first and, if something isn't applied/changed/etc., apply the default in the Default Domain Policy.

Is it possible?

Best Answer

Your password policy can be in a group policy you create. There is nothing special about the 'default domain policy' that is created for you.

The policy should be applied at the root for the best results, by being linked there directly or inherited from the root, and not be blocked. Password policies are a computer policy and are enforced by the computer with the password database. In the case of your Active Directory, these are your Domain Controllers.

It is likely that you already have password policy settings in existing policies (they are in a default install). So it will be important to make sure the Link order of this new policy is any other policy, though you probably should remove the password settings from any other policies to prevent confusion.

If you look at the Group Policy results for one of your domain controllers you should see what policy and settings are being applied and from what Policy Object if you run into problems.


[Image: Separate password policy]

[Image: Policy link order]

[Image: Policy results]
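One way to check the link order and see which root-linked GPOs carry password settings, as an added example that is not part of the original answer. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules and read access to the domain's GPOs.

```powershell
# Added example (not from the original answer): list GPOs linked at the domain
# root in link order and show which of them define password policy settings.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
# GpoLinks = GPOs linked directly at the domain root. Among non-enforced links,
# Order 1 has the highest precedence when several GPOs define the same setting.
$links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Sort-Object Order

$findings = foreach ($link in $links) {
    [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    # Account policy entries appear as <Account> elements whose <Type> is
    # 'Password'; local-name() avoids depending on the q1:/q2: namespace prefix.
    $xpath = "//*[local-name()='Account'][*[local-name()='Type']='Password']"
    foreach ($hit in (Select-Xml -Xml $report -XPath $xpath)) {
        $children = $hit.Node.ChildNodes
        $name  = $children | Where-Object { $_.LocalName -eq 'Name' }
        $value = $children | Where-Object { $_.LocalName -like 'Setting*' } |
            Select-Object -First 1
        [pscustomobject]@{
            LinkOrder = $link.Order
            Gpo       = $link.DisplayName
            Enabled   = $link.Enabled
            Enforced  = $link.Enforced
            Setting   = $name.InnerText
            Value     = $value.InnerText
        }
    }
}

# More than one GPO listed for the same Setting means overlapping definitions;
# the answer suggests removing the password settings from the other policies.
$findings | Sort-Object Setting, LinkOrder | Format-Table -AutoSize

# What the domain controllers are actually enforcing right now.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
        MinPasswordAge, MaxPasswordAge, LockoutThreshold
```

To see the winning GPO per setting on a domain controller itself, `gpresult /scope computer /h report.html` run on that DC produces the Group Policy results report the answer refers to.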