With the new fine-grained password policies feature in Windows Server 2008, we can finally create multiple password policies and account lockout policies for users in the same domain. The fact that the fine-grained password policies feature in Windows Server 2008 maps password policies to users and/or groups means that we have virtually unlimited flexibility when it comes to password policy and account lockout policy requirements. This also eliminates the need to buy 3rd party software such as specops to accomplish this need.
This new fine-grained password policy feature in the Windows Server 2008 operating system provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply more stringent settings to trusted accounts and less strict settings to the accounts of end users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources. Such as users of Groupwise that you want to have a longer password age.
Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a shadow group.
Note: As per Microsoft, “a shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.”
The concept of a shadow group has already introduced some confusion. It is important to understand that a shadow group is not a new type of group in AD DS. Also, AD DS does not have any means to handle group membership of a shadow group any differently than a regular AD DS group. Effectively, you must come up with a way to populate the membership of shadow groups. You can do this manually, or you can create a script and schedule it to run on an ongoing basis.
To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory Domain Services (AD DS) schema:
-
Password Settings Container
A Password Settings Container (PSC) is created by default under the System container in the domain. You can view it by using the Active Directory Users and Computers snap-in with Advanced features enabled. It stores the Password Settings objects (PSOs) for that domain.
-
Password Settings Object
A Password Settings Object (PSO) has attributes for all the settings that can be defined in the Default Domain Policy (except Kerberos settings). In addition, a PSO has the following two new attributes:
PSO link – This is a multivalued attribute that is linked to users and/or group objects.
Precedence – This is an integer value that is used to resolve conflicts if multiple PSOs are applied to a user or group object.
Keep in mind that fine-grained password policies are intended for cases where there are unique password and account lockout requirements. As such, only use fine-grained password policies when you have unique requirements and try to minimize the number of PSOs you create. If you have unique password and/or account lockout requirements for a large number of users, consider deploying a dedicated domain for these users and using the domain policy to define the password and account lockout policies.
Example step-by-step guide to configuring fine-grained password policies in Windows Server 2008
In the following steps, you will configure a fine-grained password policy in Windows Server 2008 that has the following settings:
Option | Setting |
Enforce password history | 24 passwords remembered |
Maximum password age | 30 days |
Minimum password age | 1 day |
Minimum password length | 12 characters |
Passwords must meet complexity requirements | Disabled |
Option | Setting |
Account lockout duration | 0 |
Account lockout threshold | 3 |
Reset account lockout counter after | 30 minutes |
Note: domainname in the following steps should be replaced with the NETBIOS name of your domain.
-
Logon to a Windows Server 2008 domain controller using an account that has membership in the Domain Admins group, or equivalent permissions.
-
Go to Start, Administrative Tools, and then select Active Directory Users and Computers
-
Expand domainname.com, right-click on the Users container, select New, and then select Group.
-
On the New Object – Group window, enter DBAs into the Group Name field, and then click OK
-
Close Active Directory Users and Computers
-
Click Start, click RUN, type ADSIEDIT.MSC, and then click OK
-
In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to
-
In the Name field, enter domainname.com, and then click OK
-
Double-click domainname.com in the console tree, double-click DC=domainname,DC=com, double-click CN=System, and then click CN=Password Settings Container
-
Right-click CN=Password Settings Container in the console tree, click New, and then click Object
-
In the Create Object dialog box, under Select a class, click msDC-PasswordSettings, and then click Next.
-
In the Create Object dialog box, enter DBAs in the Value field, and then click Next.
-
For the msDS-PasswordSettingsPrecedence value, enter 1, and then click Next
-
For the msDS-PasswordReversibleEncryptionEnabled value, enter FALSE, and then click Next
-
For the msDS-PasswordHistoryLength value, enter 24, and then click Next
-
For the msDS-PasswordComplexityEnabled value, enter FALSE, and then click Next
-
For the msDS-MinimumPasswordLength value, enter 12, and then click Next
-
For the msDS-MinimumPasswordAgevalue, enter 1:00:00:00, and then click Next
-
For the msDS-MaximumPasswordAge, enter 30:00:00:00, and then click Next
-
For the msDS-LockoutThreshold, enter 3, and then click Next
-
For the msDS-LockoutObservationWindow, enter 0:00:30:00, and then click Next
-
For the msDS-LockoutDuration, enter (never), and then click Next
-
Right-click on CN=DBAs in the console tree, and then select Properties
-
On the CN=DBAs Properties window, select the msDS-PSOAppliesTo attribute, and then click the Edit button
-
On the Multi-valued Distinguished Name With Security Principal Editor window, click on the Add Windows Account button
-
On the Select Users, Computers, or Groups window, enter DBAs in the Enter the object names to select field, and then click OK
-
Click OK on the Multi-valued Distinguished Name With Security Principal Editor window
-
Click OK on the CN=DBAs Properties window
here is another example:
http://blog.thesysadmins.co.uk/active-directory-fine-grained-passwords-with-adsi-edit.html
and another post regarding this
http://social.technet.microsoft.com/wiki/contents/articles/4627.aspx