WIXLIB

21/05/2013Creating Fine‐Grained PasswordPolicies Prior to Windows Server 2008, if you neededmore than one password policy for yourorganization, you had to create a separatedomain. Today, you have fine‐grained password policies.You can now assign specific password policies toindividual users or groups to enforce any of theregular password policies including the following:––––––Enforce password historyMaximum password ageMinimum password ageMinimum password lengthPasswords must meet complexity requirementsStore passwords using reversible encryption1

21/05/2013 If you have a single user who needs a specialpassword policy, you can create a policy justfor this user object. However, it’s much more common to applythese policies to groups than to users. Password policies are implemented by thefollowing: Creating a password settings object (PSO) andstoring it in a password settings container(PSC) Applying the PSO to a user or global securitygroupRequirements for Fine‐GrainedPassword Policies Before you can implement fine‐grained passwordpolicies, you need to ensure your environmentmeets the minimum requirements: The domain functional level must be at leastWindows Server 2008. If domain controllers have been upgraded froman earlier version of Windows, you must runadprep prior to upgrading to Windows Server2008. Only members of the Domain Admins group cancreate PSOs.2

21/05/2013Creating a Password Settings Object You can create a PSO by using ADSI Edit. Onceyou create the PSO, you’ll manipulate thedifferent settings of the PSO.PSO settings Some of the different PSO settings are as follows: msDS‐PSOAppliesTo This value identifies to which objects that thePSO will apply. msDS‐MinimumPasswordLength This is the minimum passwordlength for user accounts that use this PSO. Any number between 0through 255 is valid. msDS‐MinimumPasswordAge This is the minimum password agefor user accounts. It identifies the soonest the password can bemodified. Any number from 00:00:00:00 through the value ofmsDS‐MaximumPasswordAge value can be used. msDS‐MaximumPasswordAge This is the maximum password agefor user accounts that identifies when the password must bechanged. Any value between the msDS‐MinimumPasswordAgevalue through Never is acceptable.PSO settings msDS‐PasswordHistoryLength This is the password historylength for user accounts that identifies how many pastpasswords are remembered, msDS‐PasswordComplexityEnabled This is the passwordcomplexity status for user accounts that ensures passwordsmeet minimum complexity requirements. msDS‐PasswordSettingsPrecedence The password settingsprecedence identifies which PSO will take precedence, ifmultiple PSO objects apply to a user. A lower value willhave a higher precedence. msDS‐PasswordReversibleEncryptionEnabled Thepassword reversible encryption status for user accountsspecifies if reversible encryption is enabled or not.3

21/05/2013PSO settings msDS‐LockoutThreshold This is the lockout thresholdfor lockout of user accounts. Identifies how many badpassword attempts will be accepted before the accountis locked out. msDS‐LockoutObservationWindow The observationwindow for lockout of user accounts identifies howlong the invalid logon attempts are tracked msDS‐LockoutDuration This is the lockout duration forlocked‐out user accounts. This identifies how long theuser is locked out if the lockout threshold is exceeded.LAB : CREATING A PSO You can create and apply a PSO to a newglobal group called G ITAdmins with thefollowing steps4

21/05/2013 Launch ADUC, and create a global groupnamed G ITAdmins in the Users container. Launch ADSI Edit by clicking Start, typing ADSI,and pressing Return This can also be opened from theadministrative tools menu Right‐click ADSI Edit, and select Connect To.5

21/05/2013 Type in the fully qualified domain name ofyour domain in the Name text box, Click OK. Expand the ADSI Edit console until you reachthe CN Password Settings Container withinthe CN System node, Right‐click CN Password Settings Container,and select New ‐ Object.6

21/05/2013 The msDS‐PasswordSettings class is selectedas the only object. Click Next. Enter the name ITAdminsPSO in the Value textbox to name your PSO. Click Next. For the msDS‐PasswordSettingsPrecedencesetting, enter 10. Click Next.This settings identifies which PSOwill take precedence, if multiplePSO objects apply to a user.A lower value will have a higherprecedence.7

21/05/2013 For the msDS‐PasswordReversibleEncryptionEnabled setting,enter False. Click Next. For the msDS‐PasswordHistoryLength setting,enter 24. Click Next. For the msDS‐PasswordComplexityEnabledsetting, enter True. Click Next.8

21/05/2013 For the msDS‐MinimumPasswordLengthsetting, enter 15. Click Next. For the msDS‐MinimumPasswordAge setting,enter 1:00:00:00 to set the value to one day.Click Next. For the msDS‐MaximumPasswordAge setting,enter 30:00:00:00 to set the value to 30 days.Click Next.9

21/05/2013 For the msDS‐LockoutThreshold setting, enter5. Click Next. For the msDS‐LockoutObservationWindow,enter 0:00:30:00 to set the value to 30minutes. Click Next. For the msDS‐LockoutDuration setting, enter0:00:30:00 to set the value to 30 minutes.Click Next.10

21/05/2013 Instead of clicking Finish, click the MoreAttributes button. Select the msDS‐PSOAppliesTo property inthe “Select a property toview” drop‐down box. Enter thedistinguished nameof the G ITAdminsgroup you createdearlier, click Add.11

21/05/2013 Click OK. Click Finish. If there are any errors a message box willdisplay illustrating them This can be tricky to get working – sometimesit wont accept groups in OU’s if this happenscreate the group in the general Userscontainer and reference it accordingly CN groupname,CN users,DC tombrett,DC local12

21/05/2013 If you ever want to view or modify yoursettings, you can return to the CN PasswordSettings Container in ADSI Edit and double‐click the PSO to view the properties. Some settings can be modified, but othersettings can be viewed only; when you selectthe setting, the button on the page willchange to either Edit or View depending onwhether it can be modified. Once the PSO exists, it’s also possible to applythe PSO to other users or groups using ActiveDirectory Users and Computers.13

21/05/2013 First ensure that advanced features areenabled by selecting View and that AdvancedFeatures is selected. If it’s not selected, selectit. Second, browseto the System ‐PasswordSettingscontainer inActive DirectoryUsers and Computers. Right‐click the PSO, and selectProperties.14

21/05/2013 Click the Attribute Editor, Notice that you can modify many of theproperties here, but what we’re mostconcerned with now is the msDS‐PSOAppliesTo property. If you select it and click Edit, you can addusers or groups.15

Creating Fine‐Grained Password Policies Prior to Windows Server 2008, if you needed more than one password policy for your organization, you had to create a separate .