Since the release of Windows NT 3.1, Microsoft's first Network Operating System, password policies were limited to the domain level. This held true for Windows 2000 Server and Windows Server 2003 versions of Active Directory. However, Microsoft has introduced the ability to define multiple password and account lockout policies in Windows Server 2008.
This article takes a deeper look at the new Active Directory Domain Services fine-grained password and account lockout policies in Windows Server 2008.
Password Settings Container and Password Settings Objects
Active Directory Domain Services in Windows Server 2008 includes two new object classes for fine-grained password and account lockout policies: Password Settings Container and Password Settings objects. Fine-grained password and account lockout policies require a domain functional level of Windows Server 2008, so these two objects will not be used for domains with a lower domain functional level.
The Password Settings Container (PSC) is created in the System container in each domain that has a domain functional level of Windows Server 2008. Password Settings Containers are used to store Password Settings objects for the domain. Once created by the system, the Password Settings Container cannot be moved, deleted, or renamed. You can view the Password Settings Container by enabling the Advanced View in the Active Directory Users and Computers Container, ADSI Edit, and LDP.exe.
Password Settings objects (PSOs) are the objects that you create to define fine-grained password and account lockout policies. Password Settings objects are stored in the Password Settings Container for the domain. Multiple Password Settings objects can be stored. Password Settings objects can be created by using ADSI Edit and LDIFDE.
Password Settings Object Attributes
Password Settings objects include the nine attributes for the same Password Policy and Account Lockout settings as the Default Domain Policy. These nine attributes are mandatory and must be defined on every Password Settings object. These attributes are shown in the table below.
LDAP Display Name | Description |
msDS-PasswordHistoryLength | Enforce password history |
msDS-MaximumPasswordAge | Maximum password age |
msDS-MinimumPasswordAge | Maximum password age |
msDS-MinimumPasswordLength | Minimum password length |
msDS-Password-ComplexityEnabled | Passwords must meet complexity requirements |
msDS-PasswordReversibleEncryptionEnabled | Store passwords using reversible encryption |
msDS-LockoutDuration | Account lockout duration |
msDS-LockoutThreshold | Account lockout threshold |
msDS-LockoutObservationWindow | Reset account lockout after |
Microsoft did not include the ability to create fine-grained password and account lockout policies in the Active Directory Users and Computers console in Windows Server 2008. As a result, the graphical interface to create Password Settings objects is the ADSI Edit console. The ADSI Edit console allows you to create Password Settings objects, and enter values for the attributes that are contained in Password Settings objects, in raw format. To set a Maximum Password Age of 42 days on a Password Settings object, you would enter a value of 42:00:00:00.
Controlling the Scope of Password and Account Lockout Policies
In addition to the above nine attributes, Password Settings objects also include two new attributes which are used to control the scope. These two attributes are shown in the table below:
LDAP Display Name | Description |
msDS-PSOAppliesTo | PSO link |
msDS-PasswordSettingsPrecedence | Precedence |
The msDS-PSOAppliesTo attribute is used to link Password Settings objects to users and/or global groups. The msDS-PSOAppliesTo attribute is a multivalued attribute, which allows Password Settings objects to be linked to multiple users and/or global groups. The msDS-PSOAppliesTo includes a forward link to user or group objects. The msDS-PasswordSettingsPrecedence attribute is a mandatory attribute which is used to resolve conflicts when more than one Password Settings object is applied to a user or group.
Source: http://www.enterpriseitplanet.com/networking/features/article.php/3800436
No comments:
Post a Comment