Forum
http://technet.microsoft.com/en-us/library/cc770842.aspx
This step-by-step guide provides instructions for configuring and
applying fine-grained password and account lockout policies for
different sets of users in Windows Server® 2008 domains.
In
Microsoft® Windows® 2000 and Windows Server 2003 Active Directory
domains, you could apply only one password and account lockout policy,
which is specified in the domain's Default Domain Policy,
to all users in the domain. As a result, if you wanted different
password and account lockout settings for different sets of users, you
had to either create a password filter or deploy multiple domains. Both
options were costly for different reasons.
In Windows
Server 2008, you can use fine-grained password policies to specify
multiple password policies and apply different password restrictions
and account lockout policies to different sets of users within a single
domain. For example, to increase the security of privileged accounts,
you can apply stricter settings to the privileged accounts and then
apply less strict settings to the accounts of other users. Or in some
cases, you may want to apply a special password policy for accounts
whose passwords are synchronized with other data sources.
To
store fine-grained password policies, Windows Server 2008 includes two
new object classes in the Active Directory Domain Services (AD DS)
schema:
- Password Settings Container
- Password Settings
The Password Settings Container
(PSC) object class is created by default under the System container in
the domain. It stores the Password Settings objects (PSOs) for that
domain. You cannot rename, move, or delete this container.
For more information, see Appendix A: Fine-Grained Password and Account Lockout Policy Review.
Who should use this guide?
This guide is intended for the following audiences:
- Information technology (IT) planners and analysts who are evaluating the product from a technical perspective
- Enterprise IT planners and designers for organizations
- Administrator or managers who are responsible for IT security
Scenario overview
Define your organizational structure
Before
you configure fine-grained password and account lockout policies,
define your organizational structure by creating necessary groups and
adding or moving users to or between the groups. It is important to
consider the unique nature of your organization when you plan for the
most efficient use of the fine-grained password and account lockout
policies feature. How many different password policies do you need? A
typical scenario might include 3 to 10 PSOs and the following password
policies:
- An Administrator password policy with a strict setting (passwords expire, for example, every 14 days)
- An average user password policy with a setting that is not strict (passwords expire, for example, every 90 days)
- A service account password policy targeted at service accounts (minimum password length, for example, 32 characters)
Taking
advantage of your existing group structure is equally important. What
are its characteristics? Do you have existing Administrators or Users
groups? The goal is to shape your group structure so that it maps
directly to the desired application of the newly defined fine-grained
password and account lockout policies.
PSOs cannot be applied to
organizational units (OUs) directly. If your users are organized into
OUs, consider creating "shadow groups" for these OUs and then applying
the newly defined fine-grained password and account lockout policies to
them. A shadow group is a global security group that is logically
mapped to an OU to enforce a fine-grained password and account lockout
policy. Add OU users as members to the newly created shadow group, and
then apply the fine-grained password and account lockout policy to this
shadow group. If you move a user from one OU to another, you must
update user memberships in the corresponding shadow groups.
Applying PSOs directly to global security groups, as opposed to directly to OUs, provides the following benefits:
- Groups offer better flexibility for managing various sets of users than OUs.
-
Most Active Directory deployments use a systematic group structure to
organize their users. Also, by default AD DS in Windows Server 2008
creates various groups for administrative accounts: Domain Admins,
Enterprise Admins, Schema Admins, Server Operators, Backup Operators,
and others. -
Group structure offers easier deployment of fine-grained password
policies, and you do not have to restructure your organizations’
directories by creating OUs. Modifying an OU hierarchy requires
detailed planning, and it increases the risk of introducing unforced
errors because it has a significant effect on Group Policy application
and access control list (ACL) inheritance.
Requirements and special considerations for fine-grained password and account lockout policies
- Domain functional level:
Important For the fine-grained password and account lockout policies to function
properly in a given domain, the domain functional level of that domain
must be set to Windows Server 2008. - Permissions:
By default, only members of the Domain Admins group can create PSOs.
Only members of this group have the Create Child and Delete Child
permissions on the Password Settings Container object. In addition,
only members of the Domain Admins group have Write Property permissions
on the PSO by default. Therefore, only members of the Domain Admins
group can apply a PSO to a group or user. You do not have to have
permissions on the user object or group object to be able to apply a
PSO to it. To apply a PSO to the user object or group object, you must
have Write permissions on the PSO object. - Permissions delegation:
You can delegate Read Property permissions on the default security
descriptor of the PSO object in the schema to any other group (such as
Help desk personnel or a management application) in the domain or
forest. This can also prevent a user from seeing his or her password
settings in the directory. The user can read the msDS-ResultantPSO or the msDS-PSOApplied
attributes, but these attributes display only the distinguished name of
the PSO that applies to the user. The user cannot see the settings
within that PSO. For more information, see Appendix C: Group-Based Management of Fine-Grained Password and Account Lockout Policies. - Applying fine-grained password policies:
Fine-grained password policies apply only to user objects (or
inetOrgPerson objects if they are used instead of user objects) and
global security groups. They cannot be applied to Computer objects. - Password filters:
Fine-grained password policies do not interfere with custom password
filters that you might use in the same domain. Organizations that have
deployed custom password filters to domain controllers running
Windows 2000 or Windows Server 2003 can continue to use those password
filters to enforce additional restrictions for passwords. - Custom PSCs:
In addition to the default PSC, administrators can create their own
custom PSCs under the System container. However, this action is not
recommended because the PSOs that are held in these custom PSCs are not
taken into consideration by the Resultant Set of Policy logic. - Exceptional PSOs:
If you want a certain group member to conform to a policy that is
different from the policy that is assigned to the entire group, you can
assign the exceptional PSO directly to that particular user. If you
apply a PSO directly to the user (that is, if you apply it to the group
that the user is a member of), it takes precedence over all implicit
PSOs that might be linked to it when msDS-ResultantPSO
for that user is being determined. However, if there are two or more
exceptional PSOs that are applied directly to the user object (this is
not recommended), the exceptional PSO with the smallest globally unique
identifier (GUID) takes precedence.
Steps to configure fine-grained password and account lockout policies
When
the group structure of your organization is defined and implemented,
you can configure and apply fine-grained password and account lockout
policies to users and global security groups. Configuring fine-grained
password and account lockout policies involves the following steps:
- Step 1: Create a PSO
- Step 2: Apply PSOs to Users and Global Security Groups
- Step 3: Manage a PSO
- Step 4: View a Resultant PSO for a User or a Global Security Group
Important |
---|
You can also manage fine-grained password and account lockout policies by creating corresponding global security groups for all existing PSOs and by assigning (delegating) appropriate permissions on these global security group objects to the selected users or groups from your organization, for example, support personnel. For more information, see Appendix C: Group-Based Management of Fine-Grained Password and Account Lockout Policies |
For more information, see
- Appendix A: Fine-Grained Password and Account Lockout Policy Review
- Appendix B: PSO Attribute Constraints
- Appendix C: Group-Based Management of Fine-Grained Password and Account Lockout Policies
Example step-by-step guide to configuring fine-grained password policies in Windows Server 2008
Johnpolicelli
In the following steps,
you will configure a fine-grained password policy in Windows Server
2008 that has the following settings:
Option | Setting |
Enforce password history | 24 passwords remembered |
Maximum password age | 30 days |
Minimum password age | 1 day |
Minimum password length | 12 characters |
Passwords must meet complexity requirements | Disabled |
Option | Setting |
Account lockout duration | 0 |
Account lockout threshold | 3 |
Reset account lockout counter after | 30 minutes |
Note: domainname in the following steps should be replaced with the NETBIOS name of your domain.
-
Logon
to a Windows Server 2008 domain controller using an account that has
membership in the Domain Admins group, or equivalent permissions. -
Go to Start, Administrative Tools, and then select Active Directory Users and Computers
-
Expand domainname.com, right-click on the Users container, select New, and then select Group.
-
On the New Object – Group window, enter DBAs into the Group Name field, and then click OK
-
Close Active Directory Users and Computers
-
Click Start, click RUN, type ADSIEDIT.MSC, and then click OK
-
In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to
-
In the Name field, enter domainname.com, and then click OK
-
Double-click domainname.com in the console tree, double-click DC=domainname,DC=com, double-click CN=System, and then click CN=Password Settings Container
-
Right-click CN=Password Settings Container in the console tree, click New, and then click Object
-
In the Create Object dialog box, under Select a class, click msDC-PasswordSettings, and then click Next.
-
In the Create Object dialog box, enter DBAs in the Value field, and then click Next.
-
For the msDS-PasswordSettingsPrecedence value, enter 1, and then click Next
-
For the msDS-PasswordReversibleEncryptionEnabled value, enter FALSE, and then click Next
-
For the msDS-PasswordHistoryLength value, enter 24, and then click Next
-
For the msDS-PasswordComplexityEnabled value, enter FALSE, and then click Next
-
For the msDS-MinimumPasswordLength value, enter 12, and then click Next
-
For the msDS-MinimumPasswordAgevalue, enter 1:00:00:00, and then click Next
-
For the msDS-MaximumPasswordAge, enter 30:00:00:00, and then click Next
-
For the msDS-LockoutThreshold, enter 3, and then click Next
-
For the msDS-LockoutObservationWindow, enter 0:00:30:00, and then click Next
-
For the msDS-LockoutDuration, enter (never), and then click Next
-
Right-click on CN=DBAs in the console tree, and then select Properties
-
On the CN=DBAs Properties window, select the msDS-PSOAppliesTo attribute, and then click the Edit button
-
On the Multi-valued Distinguished Name With Security Principal Editor window, click on the Add Windows Account button
-
On the Select Users, Computers, or Groups window, enter DBAs in the Enter the object names to select field, and then click OK
-
Click OK on the Multi-valued Distinguished Name With Security Principal Editor window
-
Click OK on the CN=DBAs Properties window