[Solved] Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration - 2008 server

(@rahmidilli)
Topic starter

http://technet.microsoft.com/en-us/library/cc770842.aspx

This step-by-step guide provides instructions for configuring and applying fine-grained password and account lockout policies for different sets of users in Windows Server® 2008 domains.

In Microsoft® Windows® 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which is specified in the domain's Default Domain Policy, to all users in the domain. As a result, if you wanted different password and account lockout settings for different sets of users, you had to either create a password filter or deploy multiple domains. Both options were costly for different reasons.

In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain. For example, to increase the security of privileged accounts, you can apply stricter settings to the privileged accounts and then apply less strict settings to the accounts of other users. Or in some cases, you may want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory Domain Services (AD DS) schema:

  • Password Settings Container
  • Password Settings

The Password Settings Container (PSC) object class is created by default under the System container in the domain. It stores the Password Settings objects (PSOs) for that domain. You cannot rename, move, or delete this container.

For more information, see Appendix A: Fine-Grained Password and Account Lockout Policy Review.

Who should use this guide?

This guide is intended for the following audiences:

  • Information technology (IT) planners and analysts who are evaluating the product from a technical perspective
  • Enterprise IT planners and designers for organizations
  • Administrators or managers who are responsible for IT security

Scenario overview

Define your organizational structure

Before you configure fine-grained password and account lockout policies, define your organizational structure by creating the necessary groups and adding or moving users to or between the groups. It is important to consider the unique nature of your organization when you plan for the most efficient use of the fine-grained password and account lockout policies feature. How many different password policies do you need? A typical scenario might include 3 to 10 PSOs and the following password policies:

  • An Administrator password policy with a strict setting (passwords expire, for example, every 14 days)
  • An average user password policy with a setting that is not strict (passwords expire, for example, every 90 days)
  • A service account password policy targeted at service accounts (minimum password length, for example, 32 characters)

Taking advantage of your existing group structure is equally important. What are its characteristics? Do you have existing Administrators or Users groups? The goal is to shape your group structure so that it maps directly to the desired application of the newly defined fine-grained password and account lockout policies.

PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating "shadow groups" for these OUs and then applying the newly defined fine-grained password and account lockout policies to them. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password and account lockout policy. Add OU users as members to the newly created shadow group, and then apply the fine-grained password and account lockout policy to this shadow group. If you move a user from one OU to another, you must update user memberships in the corresponding shadow groups.

Applying PSOs directly to global security groups, as opposed to directly to OUs, provides the following benefits:

  • Groups offer better flexibility for managing various sets of users than OUs.
  • Most Active Directory deployments use a systematic group structure to
    organize their users. Also, by default AD DS in Windows Server 2008
    creates various groups for administrative accounts: Domain Admins,
    Enterprise Admins, Schema Admins, Server Operators, Backup Operators,
    and others.
  • Group structure offers easier deployment of fine-grained password
    policies, and you do not have to restructure your organizations’
    directories by creating OUs. Modifying an OU hierarchy requires
    detailed planning, and it increases the risk of introducing unforced
    errors because it has a significant effect on Group Policy application
    and access control list (ACL) inheritance.

Requirements and special considerations for fine-grained password and account lockout policies

  • Domain functional level:
    Important: For the fine-grained password and account lockout policies to function
    properly in a given domain, the domain functional level of that domain
    must be set to Windows Server 2008.
  • Permissions:
    By default, only members of the Domain Admins group can create PSOs.
    Only members of this group have the Create Child and Delete Child
    permissions on the Password Settings Container object. In addition,
    only members of the Domain Admins group have Write Property permissions
    on the PSO by default. Therefore, only members of the Domain Admins
    group can apply a PSO to a group or user. You do not have to have
    permissions on the user object or group object to be able to apply a
    PSO to it. To apply a PSO to the user object or group object, you must
    have Write permissions on the PSO object.
  • Permissions delegation:
    You can delegate Read Property permissions on the default security
    descriptor of the PSO object in the schema to any other group (such as
    Help desk personnel or a management application) in the domain or
    forest. This can also prevent a user from seeing his or her password
    settings in the directory. The user can read the msDS-ResultantPSO or the msDS-PSOApplied
    attributes, but these attributes display only the distinguished name of
    the PSO that applies to the user. The user cannot see the settings
    within that PSO. For more information, see Appendix C: Group-Based Management of Fine-Grained Password and Account Lockout Policies.
  • Applying fine-grained password policies:
    Fine-grained password policies apply only to user objects (or
    inetOrgPerson objects if they are used instead of user objects) and
    global security groups. They cannot be applied to Computer objects.
  • Password filters:
    Fine-grained password policies do not interfere with custom password
    filters that you might use in the same domain. Organizations that have
    deployed custom password filters to domain controllers running
    Windows 2000 or Windows Server 2003 can continue to use those password
    filters to enforce additional restrictions for passwords.
  • Custom PSCs:
    In addition to the default PSC, administrators can create their own
    custom PSCs under the System container. However, this action is not
    recommended because the PSOs that are held in these custom PSCs are not
    taken into consideration by the Resultant Set of Policy logic.
  • Exceptional PSOs:
    If you want a certain group member to conform to a policy that is
    different from the policy that is assigned to the entire group, you can
    assign the exceptional PSO directly to that particular user. If you
    apply a PSO directly to the user (rather than to a group that the user
    is a member of), it takes precedence over all implicit PSOs that might
    be linked to the user when msDS-ResultantPSO for that user is being
    determined. However, if there are two or more exceptional PSOs that are
    applied directly to the user object (this is not recommended), the
    exceptional PSO with the smallest globally unique identifier (GUID)
    takes precedence.

Steps to configure fine-grained password and account lockout policies

When the group structure of your organization is defined and implemented, you can configure and apply fine-grained password and account lockout policies to users and global security groups. Configuring fine-grained password and account lockout policies involves the following steps:

Important:
You can also manage fine-grained password and account lockout policies
by creating corresponding global security groups for all existing PSOs
and by assigning (delegating) appropriate permissions on these global
security group objects to the selected users or groups from your
organization, for example, support personnel. For more information, see
Appendix C: Group-Based Management of Fine-Grained Password and Account Lockout Policies

For more information, see


Example step-by-step guide to configuring fine-grained password policies in Windows Server 2008

Johnpolicelli 

In the following steps, you will configure a fine-grained password policy in Windows Server 2008 that has the following settings:

Password policy settings:

  Option                                        Setting
  Enforce password history                      24 passwords remembered
  Maximum password age                          30 days
  Minimum password age                          1 day
  Minimum password length                       12 characters
  Passwords must meet complexity requirements   Disabled

Account lockout settings:

  Option                                        Setting
  Account lockout duration                      0 (locked until an administrator unlocks the account)
  Account lockout threshold                     3 invalid logon attempts
  Reset account lockout counter after           30 minutes

Note: domainname in the following steps should be replaced with the NETBIOS name of your domain.

  1. Log on to a Windows Server 2008 domain controller using an account that has
    membership in the Domain Admins group, or equivalent permissions.
  2. Go to Start, Administrative Tools, and then select Active Directory Users and Computers
  3. Expand domainname.com, right-click on the Users container, select New, and then select Group.
  4. On the New Object – Group window, enter DBAs into the Group Name field, and then click OK
  5. Close Active Directory Users and Computers
  6. Click Start, click RUN, type ADSIEDIT.MSC, and then click OK
  7. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to
  8. In the Name field, enter domainname.com, and then click OK
  9. Double-click domainname.com in the console tree, double-click DC=domainname,DC=com, double-click CN=System, and then click CN=Password Settings Container
  10. Right-click CN=Password Settings Container in the console tree, click New, and then click Object
  11. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.
  12. In the Create Object dialog box, enter DBAs in the Value field, and then click Next.
  13. For the msDS-PasswordSettingsPrecedence value, enter 1, and then click Next
  14. For the msDS-PasswordReversibleEncryptionEnabled value, enter FALSE, and then click Next
  15. For the msDS-PasswordHistoryLength value, enter 24, and then click Next
  16. For the msDS-PasswordComplexityEnabled value, enter FALSE, and then click Next
  17. For the msDS-MinimumPasswordLength value, enter 12, and then click Next
  18. For the msDS-MinimumPasswordAge value, enter 1:00:00:00, and then click Next
  19. For the msDS-MaximumPasswordAge, enter 30:00:00:00, and then click Next
  20. For the msDS-LockoutThreshold, enter 3, and then click Next
  21. For the msDS-LockoutObservationWindow, enter 0:00:30:00, and then click Next
  22. For the msDS-LockoutDuration, enter (never), and then click Next
  23. Right-click on CN=DBAs in the console tree, and then select Properties
  24. On the CN=DBAs Properties window, select the msDS-PSOAppliesTo attribute, and then click the Edit button
  25. On the Multi-valued Distinguished Name With Security Principal Editor window, click on the Add Windows Account button
  26. On the Select Users, Computers, or Groups window, enter DBAs in the Enter the object names to select field, and then click OK
  27. Click OK on the Multi-valued Distinguished Name With Security Principal Editor window
  28. Click OK on the CN=DBAs Properties window
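
As an added example (not part of the original post or the TechNet text), the same PSO expressed with the ActiveDirectory PowerShell module, which assumes Windows Server 2008 R2 or later tooling rather than the ADSI Edit walkthrough above; it also adds the read-back checks a practitioner would run, including a search for users with more than one directly applied PSO (the "not recommended" case from the considerations section). The mapping of a zero LockoutDuration to ADSI Edit's "(never)" is an assumption to confirm with the read-back.

```powershell
# Added example: mirrors steps 11-28 with the ActiveDirectory module (Windows Server 2008 R2+
# or RSAT), run as a member of Domain Admins. 'DBAs' is the global security group from step 4.
Import-Module ActiveDirectory

$psoName = 'DBAs'
$group   = 'DBAs'

# Steps 11-22: one cmdlet parameter per attribute set in ADSI Edit.
$pso = @{
    Name                        = $psoName
    Precedence                  = 1                             # msDS-PasswordSettingsPrecedence
    ReversibleEncryptionEnabled = $false                        # msDS-PasswordReversibleEncryptionEnabled
    PasswordHistoryCount        = 24                            # msDS-PasswordHistoryLength
    ComplexityEnabled           = $false                        # msDS-PasswordComplexityEnabled
    MinPasswordLength           = 12                            # msDS-MinimumPasswordLength
    MinPasswordAge              = (New-TimeSpan -Days 1)        # 1:00:00:00
    MaxPasswordAge              = (New-TimeSpan -Days 30)       # 30:00:00:00
    LockoutThreshold            = 3                             # msDS-LockoutThreshold
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)    # 0:00:30:00
    # Assumption: a zero duration is the cmdlet's equivalent of "(never)" in ADSI Edit,
    # i.e. the account stays locked until an administrator unlocks it. Verify below.
    LockoutDuration             = [TimeSpan]::Zero
}
New-ADFineGrainedPasswordPolicy @pso

# Steps 23-28: add the group to msDS-PSOAppliesTo.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Read back what was actually stored on the PSO.
Get-ADFineGrainedPasswordPolicy -Identity $psoName |
    Format-List Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold, LockoutDuration

# Every user member of the group should now resolve to this PSO (msDS-ResultantPSO).
Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        [pscustomobject]@{
            User         = $_.SamAccountName
            ResultantPSO = (Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName).Name
        }
    }

# Users with two or more PSOs linked directly (msDS-PSOApplied back-link): here the winner
# is chosen by smallest GUID, which is why the guide advises against this configuration.
Get-ADUser -Filter * -Properties 'msDS-PSOApplied' |
    Where-Object { $_.'msDS-PSOApplied'.Count -gt 1 } |
    Select-Object SamAccountName, 'msDS-PSOApplied'
```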

Posted: 19/08/2008 18:21
