Win 2008 Fine-Grained Password Policy (Precision Password Policy) and Account Lockout Strategy

In Windows 2000 and Windows Server 2003 Active Directory domains, only one password policy and one account lockout policy can be applied to all users, through the Default Domain Policy. If some special users need a different password and account lockout policy, the only option is to create a new domain, because a single domain can carry only one password and account lockout policy.

Windows Server 2008 AD DS introduces a new feature, fine-grained password policy (translated here as "precision password policy"), which allows multiple password policies to be defined in one domain and applied to users or global security groups; it cannot be applied to OUs. To use this feature, we create Password Settings Objects (PSOs) in the domain with the ADSIEdit editor. The specific steps are described below:

First, open the ADSIEdit editor on the 2008 domain controller (08DC) and navigate to the location shown below:

Right-click the "CN=Password Settings Container" node and select New > Object. In the pop-up window, select the "msDS-PasswordSettings" type, as shown below:

In the next window, enter a name for the new Password Settings object, as shown below:

Set a value for the msDS-PasswordSettingsPrecedence attribute in the pop-up window. This is the priority setting: if several password policies in the domain are linked directly to the same user, the policy with the lowest precedence value wins, as shown below:

Set a Boolean value for the msDS-PasswordReversibleEncryptionEnabled attribute in the pop-up window; it can be FALSE or TRUE. This attribute corresponds to the "Store passwords using reversible encryption" setting in Group Policy. Set it to FALSE and click "Next", as shown below:

Set a value for the msDS-PasswordHistoryLength attribute in the pop-up window. This attribute corresponds to the "Enforce password history" setting in Group Policy; the available range is 0 to 1024. Click "Next" after setting it, as shown below:

Set a Boolean value for the msDS-PasswordComplexityEnabled attribute in the pop-up window; it can be FALSE or TRUE. This attribute corresponds to the "Password must meet complexity requirements" setting in Group Policy. Set it here to TRUE (enabled) and click "Next", as shown below:

Set a value for the msDS-MinimumPasswordLength attribute in the pop-up window; the available range is 0 to 255. This attribute corresponds to the "Minimum password length" setting in Group Policy. After entering the value, click "Next", as shown below:

Set a value for the msDS-MinimumPasswordAge attribute in the pop-up window. This attribute corresponds to the "Minimum password age" setting in Group Policy. The time format is days:hours:minutes:seconds ("00:00:00:00"); here it is set to 1 day, that is "1:00:00:00". After setting it, click "Next", as shown below:

Set a value for the msDS-MaximumPasswordAge attribute in the pop-up window. This attribute corresponds to the "Maximum password age" setting in Group Policy and uses the same time format as above. After setting it, click "Next", as shown below:

Set a value for the msDS-LockoutThreshold attribute in the pop-up window. This attribute corresponds to the "Account lockout threshold" setting in Group Policy; the available range is 0 to 65535. After setting it, click "Next", as shown below:

Set a time value for the msDS-LockoutObservationWindow attribute in the pop-up window, in the same format as the previous time values. This attribute corresponds to the "Reset account lockout counter after" setting in Group Policy. Set it here to 30 minutes and click "Next", as shown below:

Set a time value for the msDS-LockoutDuration attribute in the pop-up window, in the same format as above. This attribute corresponds to the "Account lockout duration" setting in Group Policy. After setting it, click "Next", as shown below:

In the completion window, click "Finish", as shown below:

At this point a custom password and account lockout policy has been created. How do we apply it to some accounts? We only need the following simple steps.

Back in ADSIEdit, double-click the Password Settings object just created, find the msDS-PSOAppliesTo attribute in the property editor window, and click "Edit", as shown below:

In the pop-up window, select the target objects this Password Settings object applies to. Here the previously created global security group "test" is selected. Click "OK" when done, as shown below:


The policy has now been applied to the selected group: every member of the "test" group will use the password and account lockout policy created above. Let's test the result. Open ADUC (Active Directory Users and Computers) and first test a user who does not belong to the "test" group: right-click the user1 account, select "Reset Password", enter 123 and click "OK", as shown below:

The screenshot above shows that the user1 password was reset successfully. Because the Default Domain Policy was previously set to disable password complexity, with a minimum password length of 0, such a simple password is accepted. Now add the user1 account to the "test" group, as shown below:

We can see that the policy created above applies to user1 immediately after joining the "test" group: the simple password that was accepted before is now rejected.
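The same PSO, linked to the same group and checked against user1 before and after joining it, can be built without ADSIEdit using the ActiveDirectory PowerShell module. This is an added example, not code from the original page; it assumes the module is available (it shipped with Windows Server 2008 R2 and RSAT, not with the 2008 DC used in this walkthrough), and the values the page does not give (PSO name, precedence, history length, minimum length, maximum age, lockout threshold and duration) are assumed.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT); the 2008 DC in the walkthrough does not ship it.
Import-Module ActiveDirectory

# One hashtable entry per attribute set in the ADSIEdit wizard above.
# Time values are TimeSpans ("d.hh:mm:ss") rather than ADSIEdit's "dd:hh:mm:ss".
$pso = @{
    Name                        = 'test-PSO'               # assumed PSO name
    Precedence                  = 10                       # msDS-PasswordSettingsPrecedence, lowest wins (assumed)
    ReversibleEncryptionEnabled = $false                   # msDS-PasswordReversibleEncryptionEnabled
    PasswordHistoryCount        = 24                       # msDS-PasswordHistoryLength, 0-1024 (assumed)
    ComplexityEnabled           = $true                    # msDS-PasswordComplexityEnabled
    MinPasswordLength           = 8                        # msDS-MinimumPasswordLength, 0-255 (assumed)
    MinPasswordAge              = New-TimeSpan -Days 1     # msDS-MinimumPasswordAge = 1:00:00:00
    MaxPasswordAge              = New-TimeSpan -Days 42    # msDS-MaximumPasswordAge (assumed)
    LockoutThreshold            = 5                        # msDS-LockoutThreshold, 0-65535 (assumed)
    LockoutObservationWindow    = New-TimeSpan -Minutes 30 # msDS-LockoutObservationWindow = 30 minutes
    LockoutDuration             = New-TimeSpan -Minutes 30 # msDS-LockoutDuration (assumed)
}
New-ADFineGrainedPasswordPolicy @pso

# msDS-PSOAppliesTo: link the PSO to the global security group "test" (a group, not an OU)
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'test'

# Before user1 joins the group no PSO applies and the Default Domain Policy governs;
# the cmdlet returns nothing in that case.
$before = Get-ADUserResultantPasswordPolicy -Identity 'user1'
if ($before) { "user1 before joining 'test': $($before.Name)" }
else         { "user1 before joining 'test': no PSO, Default Domain Policy applies" }

Add-ADGroupMember -Identity 'test' -Members 'user1'

# After joining, the resultant policy is the PSO with the lowest precedence among
# those linked to user1 directly or through its group memberships.
$after = Get-ADUserResultantPasswordPolicy -Identity 'user1'
$after | Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength, LockoutThreshold, LockoutObservationWindow, LockoutDuration

# Audit check: every PSO in the domain, its precedence and what it is linked to
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, AppliesTo
```

A reset of user1's password to "123" after the group change fails the same way as in the screenshot, because the resultant PSO now enforces complexity and the assumed minimum length.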

Copyright © Windows knowledge All Rights Reserved