You would like to set up a password expiration policy, and 2-Step Verification to only one Organizational Unit (OU) in the account, and not apply the same settings to the other OU's or on the top-level OU.
- Admin console > Authentication
Enforce Password Expiration Policy
2-Step Verification for one OU
- In the Admin console.
- Navigate to Security > Authentication > Password Management.
- If the password expiration policy is turned on in the top-most level OU, kindly set the Expiration to Never expires.
- Select the sub-OU where you want to implement this setting only.
- Change the Expiration setting to the amount of days that you would want this to take effect (for example 90 days).
- Click Save, or Override.
- In the Admin console, you went to Security > Authentication > 2-Step Verification.
- You had 2-Step Verification turned on in the top-most level OU, so what you first did is to turn off Allow users to turn on 2-Step Verification for the top-most level OU.
- If you are getting an error where you are not permitted to turn off 2-Step Verification, kindly check if 2-Step Verification is enabled for your account, and then turn it off.
- In the top-most level OU, kindly select the sub-OU that you want to turn the option to Allow users to turn on 2-Step Verification on
- Cick Save, or Override.
You set up the password expiration policy and 2-Step Verification on the top most level OU, which the other sub-OUs inherited; this is not the setting that you want, as you only wanted to have these policies apply to one of the sub-OUs, and not the top-level OU.