Set up password policies on an OU

Problem

You would like to apply a password expiration policy and 2-Step Verification to only one organizational unit (OU) in the account, without applying the same settings to the other OUs or to the top-level OU.

Environment

  • Admin console > Authentication

Solution

Enforce Password Expiration Policy
  1. Go to the Admin console.
  2. Navigate to Security > Authentication > Password Management.
    • If the password expiration policy is turned on in the top-most level OU, kindly set the Expiration to Never expires.
  3. Select only the sub-OU where you want to apply this setting.
  4. Change the Expiration setting to the number of days you want (for example, 90 days).
  5. Click Save, or Override.
2-Step Verification for one OU
  1. In the Admin console, go to Security > Authentication > 2-Step Verification.
  2. Because 2-Step Verification is turned on in the top-most level OU, first turn off Allow users to turn on 2-Step Verification for the top-most level OU.
    • If you get an error saying that you are not permitted to turn off 2-Step Verification, kindly check whether 2-Step Verification is enabled for your own account, and then turn it off.
  3. From the top-most level OU, kindly select the sub-OU on which you want to turn on the option Allow users to turn on 2-Step Verification.
  4. Click Save, or Override.

Cause

You set up the password expiration policy and 2-Step Verification on the top-most level OU, and the other sub-OUs inherited these settings. This is not what you want, because the policies should apply to only one of the sub-OUs and not to the top-level OU.
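
The inheritance behaviour described above can be checked on paper before changing the console. The following is an added example, not Google's code: a simplified model in which each OU takes a setting from its nearest ancestor that defines it. The OU paths (`/Sales`, `/Finance`, `/Finance/Payroll`) and the setting names are constructed for illustration.

```python
# Simplified model of OU setting inheritance (constructed OU paths and
# setting names; an illustration, not the Admin console's implementation).
NEVER = None  # stands for the "Never expires" choice


def effective(ou_path, overrides, setting):
    """Return (value, source_ou) for `setting` as seen at `ou_path`.

    Walks from the OU up to the root "/" and returns the first local
    value found, so a child inherits from its nearest configured ancestor.
    """
    path = ou_path.rstrip("/") or "/"
    while True:
        local = overrides.get(path, {})
        if setting in local:
            return local[setting], path
        if path == "/":
            raise KeyError(f"{setting} is not defined at the top-level OU")
        path = path.rsplit("/", 1)[0] or "/"


def report(ous, overrides):
    """Effective password expiration (days) and 2SV opt-in for each OU."""
    return {
        ou: {
            "expiration_days": effective(ou, overrides, "expiration_days")[0],
            "allow_2sv": effective(ou, overrides, "allow_2sv")[0],
        }
        for ou in ous
    }


OUS = ["/", "/Sales", "/Finance", "/Finance/Payroll"]

# "Cause": both policies set on the top-level OU, so every sub-OU inherits them.
BEFORE = {"/": {"expiration_days": 90, "allow_2sv": True}}

# "Solution": top-level OU set to Never expires / 2SV opt-in off,
# and the one target sub-OU (/Finance here) overridden.
AFTER = {
    "/": {"expiration_days": NEVER, "allow_2sv": False},
    "/Finance": {"expiration_days": 90, "allow_2sv": True},
}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for ou, eff in report(OUS, cfg).items():
            print(f"  {ou:18} {eff}")
```

Note that in this model any OU nested under the overridden sub-OU (here `/Finance/Payroll`) also receives the 90-day expiration and the 2-Step Verification option, while sibling OUs such as `/Sales` fall back to the top-level values.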