With the new fine-grained password policies feature in Windows Server 2008, we can finally create multiple password policies and account lockout policies for users in the same domain. The fact that the fine-grained password policies feature in Windows Server 2008 maps password policies to users and\/or groups means that we have virtually unlimited flexibility when it comes to password policy and account lockout policy requirements. This also eliminates the need to buy 3rd party software such as specops to accomplish this need.<\/p>\n
This\u00a0new fine-grained password policy feature in the Windows Server 2008 operating system provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. You can use fine-grained password policies to specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply more stringent settings to\u00a0trusted accounts and less strict settings to the accounts of end users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources. Such as users of Groupwise that you want to have a longer password age.<\/p>\n
Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a shadow group.<\/p>\n
Note: <\/strong>As per Microsoft, \u201ca shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.\u201d <\/em><\/strong><\/p>\n The concept of a shadow group has already introduced some confusion. It is important to understand that a shadow group is not a new type of group in AD DS. Also, AD DS does not have any means to handle group membership of a shadow group any differently than a regular AD DS group. Effectively, you must come up with a way to populate the membership of shadow groups. You can do this manually, or you can create a script and schedule it to run on an ongoing basis.<\/p>\n To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory Domain Services (AD DS) schema:<\/p>\n <\/strong>A Password Settings Container (PSC) is created by default under the System container in the domain. You can view it by using the Active Directory Users and Computers snap-in with Advanced features enabled. It stores the Password Settings objects (PSOs) for that domain.<\/p><\/blockquote>\n <\/strong>A Password Settings Object (PSO) has attributes for all the settings that can be defined in the Default Domain Policy (except Kerberos settings). In addition, a PSO has the following two new attributes:<\/p>\n Keep in mind that fine-grained password policies are intended for cases where there are unique password and account lockout requirements. As such, only use fine-grained password policies when you have unique requirements and try to minimize the number of PSOs you create. If you have unique password and\/or account lockout requirements for a large number of users, consider deploying a dedicated domain for these users and using the domain policy to define the password and account lockout policies.<\/p>\n Example step-by-step guide to configuring fine-grained password policies in Windows Server 2008<\/strong><\/p>\n In the following steps, you will configure a fine-grained password policy in Windows Server 2008 that has the following settings:<\/p>\n <\/p>\n Note<\/strong>: domainname<\/em><\/strong> <\/em>in the following steps should be replaced with the NETBIOS name of your domain.<\/p>\n here is another example:<\/p>\n\n
\n
\n
\n
<\/h1>\n
\n\n
\n Option <\/strong><\/strong><\/td>\n Setting <\/strong><\/strong><\/td>\n<\/tr>\n \n Enforce password history <\/strong><\/strong><\/td>\n 24 passwords remembered<\/td>\n<\/tr>\n \n Maximum password age <\/strong><\/strong><\/td>\n 30 days<\/td>\n<\/tr>\n \n Minimum password age <\/strong><\/strong><\/td>\n 1 day<\/td>\n<\/tr>\n \n Minimum password length <\/strong><\/strong><\/td>\n 12 characters<\/td>\n<\/tr>\n \n Passwords must meet complexity requirements<\/strong><\/td>\n Disabled<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \n\n
\n Option <\/strong><\/strong><\/td>\n Setting <\/strong><\/strong><\/td>\n<\/tr>\n \n Account lockout duration <\/strong><\/strong><\/td>\n 0<\/td>\n<\/tr>\n \n Account lockout threshold <\/strong><\/strong><\/td>\n 3<\/td>\n<\/tr>\n \n Reset account lockout counter after <\/strong><\/strong><\/td>\n 30 minutes<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \n