programming4us
programming4us
DESKTOP

Outlining AD DS Changes in Windows Server 2008 R2 (part 2) - Implementing Multiple Password Policies per Domain

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
1/20/2011 3:12:29 PM

Implementing Multiple Password Policies per Domain

Another Windows Server 2008 addition to AD DS is the ability to implement granular password policies across a single domain. Previously, this was only an option with third-party password change utilities installed on the domain controllers in a forest. With Windows Server 2008 or Windows Server 2008 R2, administrators can define which users have more complex password policies, and which will be able to use more lenient policies.

There are a few key points to this technology that must be understood before implementing it. These points are listed as follows:

  • Domain mode must be set to Windows Server 2008 or Windows Server 2008 R2 level, which means that all DCs in the domain must be running Windows Server 2008 R2 or RTM.

  • Fine-grained password policies always win over a domain password policy.

  • Password policies can be applied to groups, but they must be global security groups.

  • Fine-grained password policies applied to a user always win over settings applied to a group.

  • The Password Settings Objects (PSOs) are stored in the Password Settings Container in AD (that is, CN=Password Settings Container,CN=System,DC=companyabc,DC=com).

  • Only one set of password policies can apply to a user. If multiple password policies are applied, the policy with the lower number precedence wins.

To create a custom password policy for a specific user, a Password Settings Object (PSO) must be created using the ADSIEdit tool, which is used for low-level changes to AD DS or AD LDS directory objects and attributes.

Caution

ADSIEdit is a very powerful, low-level directory editor, and great care should be taken when using it. Be extremely cautious using the editor, especially when deleting objects, as ADSIEdit could easily delete entire portions of an AD tree with a single keystroke if care is not taken.


The version of ADSIEdit included with Windows Server 2008 RTM/R2 provides for a crude wizard that allows for PSOs to be created. The wizard automates the creation of a PSO, and allows for specific attributes to be set on the PSO that are related to password policies. Table 4.1 displays the attributes that are prompted for creation by the wizard. All attributes in this table must be entered in the proper format for a PSO to be created. Note that only the final attribute in this list msDS-PSOAppliesTo is not prompted by the wizard, and must be entered in manually.

Table 1. PSO Attributes
AttributeDescriptionSample Value
CnThe unique name of the password policy.PasswordPolicyforAdmins
msDS-PasswordSettingsPrecedenceThe priority of the policy. Lower number “wins.” Leave space on both sides of the number to reprioritize if necessary.20
msDS-PasswordReversibleEncryptionEnabledThe policy used for specific circumstances where a user’s password needs to be able to be decrypted. Normally set to False.FALSE
msDS-PasswordHistoryLengthThe number of passwords “remembered” by the system.10
msDS-PasswordComplexityEnabledThe policy that sets whether or not password complexity is enabled. Password complexity enforces whether users should be forced to include a combination of numbers, uppercase letters, lowercase letters, and special characters as part of their password. Enabling complexity forces them to include at least three of the four types in their passwords.TRUE
msDS-MinimumPasswordLengthThe policy setting that enforces the minimum password character length.8
msDS-MinimumPasswordAgeThe minimum number of days that must be waited before resetting the password to something different. This disallows users from simply “cycling through” password changes to keep the same password. Expressed in a format of Days:Hours:Minutes:Seconds. For example, 3:00:00:00 equals 3 days.3:00:00:00
msDS-MaximumPasswordAgeThe maximum number of days that a password is valid for. Expressed in a format of Days:Hours:Minutes:Seconds.60:00:00:00
msDS-LockoutThresholdThe number of invalid password attempts that can be made before locking out the account.5
msDS-LockoutObservationWindowThe length of time (expressed in Days:Hours:Minutes:Seconds format) before the invalid password attempt counter is reset. Cannot exceed the msDS-LockoutDuration value.0:00:10:00
msDS-LockoutDurationThe length of time (expressed in Days:Hours:Minutes:Seconds format) an account remains locked out.0:00:15:00
msDS-PSOAppliesToThe user or group of users to which the PSO applies. Note that this field is not displayed as part of the default wizard; you must click the More Attributes button at the end of the wizard and enter the distinguished name (DN) of the group or user object. Enter the group using its full DN. Read the previous sections of this chapter for more information on how to format a DN. In this example, the policy will apply to the Global Security named Admins in the Resources—Admins OU in companyabc.com.CN=Admins, OU=Admins, OU=Resources, DC=companyabc, DC=com

To create a new PSO, open ADSIEdit from the Administrative Tools menu and point it to the fully qualified domain name (FQDN) of the domain where the PSO will be created. After ADSIEdit has been invoked, perform the following steps to create a PSO:

1.
Under the container for the domain, navigate to CN=System, CN=Password Settings Container.

2.
Right-click on the CN=Password Settings Container, and choose New, Object.

3.
Select msDS-PasswordSettings, and click Next to continue.

4.
From the Create Object dialog box, shown in Figure 4, enter in the attributes, using Table 1 as a guide.

Figure 4. Creating a PSO.


5.
When on the final screen of the wizard, click the More Attributes button.

6.
Click the Select a Property to View drop-down list arrow, and then select msDS-PSOAppliesTo.

7.
In the Edit Attribute field, enter the DN of the group or user to which the PSO will apply. Be sure to click the Add button, or the setting will not be applied. The value should be displayed, similar to what is shown in Figure 5.

Figure 5. Applying a PSO to a group.


8.
Click OK and then click Finish.

After creation, the PSO policy will appear in the details pane, as shown in Figure 6. Any of the attributes listed in Table 1 can be subsequently modified using ADSIEdit by right-clicking the individual PSO and choosing Properties. This includes changing the scope of which users the policy applies to.

Figure 6. Viewing the PSO object.
Other  
  •  Personalizing Windows 7 (part 2) - Choosing Your Desktop Background
  •  Personalizing Windows 7 (part 1) - Fine-Tuning Your Window Colors and Experience Level
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Outlining the Role of DNS in AD DS
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Explaining AD DS Replication
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Outlining the Role of Groups in an AD DS Environment
  •  Understanding Windows 7 Personalization
  •  Windows 7 : Understanding User Account Control and Its Impact on Performance
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Understanding Domain Trusts
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Outlining AD DS’s Components
  •  Windows Server 2008 R2 Active Directory Domain Services Primer : Examining AD DS’s Structure
  •  
    Top 10
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
    - Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
    - Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
    REVIEW
    - First look: Apple Watch

    - 3 Tips for Maintaining Your Cell Phone Battery (part 1)

    - 3 Tips for Maintaining Your Cell Phone Battery (part 2)
    programming4us programming4us
    programming4us
     
     
    programming4us