Implementing Multiple Password Policies per Domain
Another Windows Server 2008
addition to AD DS is the ability to implement granular password policies
across a single domain. Previously, this was only an option with
third-party password change utilities installed on the domain
controllers in a forest. With Windows Server 2008 or Windows Server 2008
R2, administrators can define which users have more complex password
policies, and which will be able to use more lenient policies.
There are a few key points to
this technology that must be understood before implementing it. These
points are listed as follows:
Domain mode must be set
to Windows Server 2008 or Windows Server 2008 R2 level, which means that
all DCs in the domain must be running Windows Server 2008 R2 or RTM.
Fine-grained password policies always win over a domain password policy.
Password policies can be applied to groups, but they must be global security groups.
Fine-grained password policies applied to a user always win over settings applied to a group.
The
Password Settings Objects (PSOs) are stored in the Password Settings
Container in AD (that is, CN=Password Settings
Container,CN=System,DC=companyabc,DC=com).
Only
one set of password policies can apply to a user. If multiple password
policies are applied, the policy with the lower number precedence wins.
To create a custom
password policy for a specific user, a Password Settings Object (PSO)
must be created using the ADSIEdit tool, which is used for low-level
changes to AD DS or AD LDS directory objects and attributes.
Caution
ADSIEdit is a very
powerful, low-level directory editor, and great care should be taken
when using it. Be extremely cautious using the editor, especially when
deleting objects, as ADSIEdit could easily delete entire portions of an
AD tree with a single keystroke if care is not taken.
The version of ADSIEdit
included with Windows Server 2008 RTM/R2 provides for a crude wizard
that allows for PSOs to be created. The wizard automates the creation of
a PSO, and allows for specific attributes to be set on the PSO that are
related to password policies. Table 4.1
displays the attributes that are prompted for creation by the wizard.
All attributes in this table must be entered in the proper format for a
PSO to be created. Note that only the final attribute in this list
msDS-PSOAppliesTo is not prompted by the wizard, and must be entered in
manually.
Table 1. PSO Attributes
| Attribute | Description | Sample Value |
|---|
| Cn | The unique name of the password policy. | PasswordPolicyforAdmins |
| msDS-PasswordSettingsPrecedence | The priority of the policy. Lower number “wins.” Leave space on both sides of the number to reprioritize if necessary. | 20 |
| msDS-PasswordReversibleEncryptionEnabled | The policy used for specific circumstances where a user’s password needs to be able to be decrypted. Normally set to False. | FALSE |
| msDS-PasswordHistoryLength | The number of passwords “remembered” by the system. | 10 |
| msDS-PasswordComplexityEnabled | The
policy that sets whether or not password complexity is enabled.
Password complexity enforces whether users should be forced to include a
combination of numbers, uppercase letters, lowercase letters, and
special characters as part of their password. Enabling complexity forces
them to include at least three of the four types in their passwords. | TRUE |
| msDS-MinimumPasswordLength | The policy setting that enforces the minimum password character length. | 8 |
| msDS-MinimumPasswordAge | The
minimum number of days that must be waited before resetting the
password to something different. This disallows users from simply
“cycling through” password changes to keep the same password. Expressed
in a format of Days:Hours:Minutes:Seconds. For example, 3:00:00:00
equals 3 days. | 3:00:00:00 |
| msDS-MaximumPasswordAge | The maximum number of days that a password is valid for. Expressed in a format of Days:Hours:Minutes:Seconds. | 60:00:00:00 |
| msDS-LockoutThreshold | The number of invalid password attempts that can be made before locking out the account. | 5 |
| msDS-LockoutObservationWindow | The
length of time (expressed in Days:Hours:Minutes:Seconds format) before
the invalid password attempt counter is reset. Cannot exceed the
msDS-LockoutDuration value. | 0:00:10:00 |
| msDS-LockoutDuration | The length of time (expressed in Days:Hours:Minutes:Seconds format) an account remains locked out. | 0:00:15:00 |
| msDS-PSOAppliesTo | The
user or group of users to which the PSO applies. Note that this field
is not displayed as part of the default wizard; you must click the More
Attributes button at the end of the wizard and enter the distinguished
name (DN) of the group or user object. Enter the group using its full
DN. Read the previous sections of this chapter for more information on
how to format a DN. In this example, the policy will apply to the Global
Security named Admins in the Resources—Admins OU in companyabc.com. | CN=Admins, OU=Admins, OU=Resources, DC=companyabc, DC=com |
To create a new PSO, open
ADSIEdit from the Administrative Tools menu and point it to the fully
qualified domain name (FQDN) of the domain where the PSO will be
created. After ADSIEdit has been invoked, perform the following steps to
create a PSO:
1. | Under the container for the domain, navigate to CN=System, CN=Password Settings Container.
|
2. | Right-click on the CN=Password Settings Container, and choose New, Object.
|
3. | Select msDS-PasswordSettings, and click Next to continue.
|
4. | From the Create Object dialog box, shown in Figure 4, enter in the attributes, using Table 1 as a guide.
|
5. | When on the final screen of the wizard, click the More Attributes button.
|
6. | Click the Select a Property to View drop-down list arrow, and then select msDS-PSOAppliesTo.
|
7. | In
the Edit Attribute field, enter the DN of the group or user to which
the PSO will apply. Be sure to click the Add button, or the setting will
not be applied. The value should be displayed, similar to what is shown
in Figure 5.
|
8. | Click OK and then click Finish.
|
After creation, the PSO policy will appear in the details pane, as shown in Figure 6. Any of the attributes listed in Table 1
can be subsequently modified using ADSIEdit by right-clicking the
individual PSO and choosing Properties. This includes changing the scope
of which users the policy applies to.
