A corporate network includes a single Active Directory Domain Services (AD DS) domain.
The HR department has a dedicated organizational unit (OU) named HR. The HR OU has two sub-OUs: HR Users and HR Computers.
User accounts for the HR department reside in the HR Users OU.
Computer accounts for the HR department reside in the HR Computers OU.
All HR department employees belong to a security group named HR Employees.
All HR department computers belong to a security group named HR PCs.
Company policy requires that passwords are a minimum of 6 characters.
You need to ensure that, the next time HR department employees change their passwords, the passwords are required to have at least 8 characters.
The password length requirement should not change for employees of any other department.
What should you do?
A. Modify the password policy in the GPO that is applied to the domain.
B. Create a new GPO, with the necessary password policy, and link it to the HR Users OU.
C. Create a fine-grained password policy and apply it to the security group named HR Employees.
D. Modify the password policy in the GPO that is applied to the domain controllers OU.
Correct Answer: C
Explanation/Reference:
Thanks to Camel73 for confirming there was an error in answer C. That’s fixed now.
Reference:
http://technet.microsoft.com/en-us/library/cc770394.aspx
What do fine-grained password policies do?
You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain.
For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.
Are there any special considerations?
Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. By default, only members of the Domain Admins group can set fine-grained password policies. However, you can also delegate the ability to set these policies to other users. The domain functional level must be Windows Server 2008.
Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a shadow group.
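The scenario above can be carried out with the ActiveDirectory PowerShell module, shown here as an added example that is not part of the original page. The PSO name, the precedence value and the test account are assumptions, and the group's sAMAccountName is assumed to match its name, HR Employees.

```powershell
# Added example. Run as a member of Domain Admins (or a delegated account)
# on a host with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$groupName = 'HR Employees'        # security group from the scenario
$psoName   = 'HR-MinLength8-PSO'   # hypothetical PSO name
$testUser  = 'hr.sample.user'      # hypothetical sAMAccountName of an HR employee

# A PSO can be applied only to user objects and global security groups,
# so refuse to continue if the group has a different scope or category.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupCategory -ne 'Security' -or $group.GroupScope -ne 'Global') {
    throw "$groupName is $($group.GroupScope)/$($group.GroupCategory); a PSO needs a global security group."
}

# A PSO replaces the whole domain password and lockout policy for its
# subjects, not just one setting. Copy the current domain values so that
# only the minimum length differs for HR employees.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

$psoSettings = @{
    Name                        = $psoName
    Precedence                  = 10   # assumed; the lowest number wins if several PSOs apply
    MinPasswordLength           = 8    # the requirement from the scenario
    ComplexityEnabled           = $domainPolicy.ComplexityEnabled
    ReversibleEncryptionEnabled = $domainPolicy.ReversibleEncryptionEnabled
    PasswordHistoryCount        = $domainPolicy.PasswordHistoryCount
    MinPasswordAge              = $domainPolicy.MinPasswordAge
    MaxPasswordAge              = $domainPolicy.MaxPasswordAge
    LockoutThreshold            = $domainPolicy.LockoutThreshold
    LockoutDuration             = $domainPolicy.LockoutDuration
    LockoutObservationWindow    = $domainPolicy.LockoutObservationWindow
}
New-ADFineGrainedPasswordPolicy @psoSettings

# Link the PSO to the group, not to the HR Users OU.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Check what actually applies to one HR user. No output means no PSO
# reaches the account and the domain policy is still in effect.
$effective = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($null -eq $effective) {
    Write-Warning "$testUser is not covered by any PSO; check group membership."
} else {
    $effective | Select-Object Name, Precedence, MinPasswordLength
}
```

Running `Get-ADUserResultantPasswordPolicy` against an account outside the HR Employees group should return nothing, which confirms the requirement that other departments keep the domain's 6-character minimum.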