Improvements to Active Directory in Windows Server 2008: Granular Password Policy


Windows Server 2008 provides a way for organizations to define different password and account lockout policies for different sets of users in a domain. In the Active Directory domains of Windows 2000 and Windows Server 2003, only one password and account lockout policy could be applied to all users in the domain; these policies are defined in the Default Domain Policy. Organizations that wanted different password and account lockout settings for different sets of users had to build custom password filters or deploy multiple domains, and both choices are costly, for different reasons.

What can a granular password policy do?

Granular password policies let you specify multiple password policies within the same domain, applying different password and account lockout restrictions to different sets of users.

For example, you can apply strict settings to privileged accounts and less restrictive settings to other users. In other scenarios, you may want to apply a special policy to accounts whose passwords are synchronized with other data sources.

Are there any other special considerations?

Granular password policies are applied to user objects (or inetOrgPerson objects, if those are used in place of user objects) and global security groups. By default, only members of the Domain Admins group can set these policies, although you can delegate the ability to other users. The domain functional level must be Windows Server 2008.

A granular password policy cannot be applied directly to an OU. To achieve the same effect, you can use shadow groups.

A shadow group is simply a global security group that is logically mapped to an OU so that a granular password policy can be enforced on the OU's users. When you add a user to the OU, you also add the user as a member of the shadow group, and the granular password policy is then applied to the shadow group. You can create shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the user's group membership to match the corresponding shadow group.

Granular password policies do not interfere with any custom password filters you may use in the same domain. Organizations that deployed custom password filters to domain controllers running Windows 2000 or Windows Server 2003 can continue to use those filters to enforce additional password restrictions.

What does this feature add?

Storing Granular Password Policies

To store granular password policies, Windows Server 2008 includes two new object classes in the AD DS schema:

Password Settings Container

Password Settings

The Password Settings Container is created by default under the System container of the domain. You can view it in Active Directory Users and Computers when Advanced Features is enabled. It stores the password settings objects (PSOs) for the domain.

You cannot rename, move, or delete this container. Although you can create additional custom password settings containers, they are not considered when the resultant PSO for an object is calculated, so creating additional custom password settings containers is not recommended.

The password settings object contains all the attribute settings that can be defined in the Default Domain Policy (except Kerberos settings). These include the following password settings:

Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption

These settings also include the following account lockout settings:

Account lockout duration
Account lockout threshold
Reset account lockout counter after

In addition, a PSO contains the following two new attributes:

PSO link: a multi-valued attribute that links the PSO to user or group objects.

Precedence: an integer value used to resolve conflicts when multiple PSOs are applied to a single user or group object.

All nine of the attribute values above must be defined; none may be omitted. Settings from multiple PSOs are not merged.

Defining the scope of a granular password policy

A PSO can be linked to a user (or inetOrgPerson) or group object in the same domain as the PSO.

The PSO holds the forward link in the attribute msDS-PSOAppliesTo. Because msDS-PSOAppliesTo is multi-valued, one PSO can be linked to multiple users or groups.

Windows Server 2008 adds a new attribute, msDS-PSOApplied, to user and group objects. It holds the back-links to the PSOs. Because msDS-PSOApplied is a back-link attribute, multiple PSOs can be applied to one user or group. You can also link a PSO to group types other than global security groups, but only PSOs linked to users and global security groups are considered when the resultant PSO is determined.

Creating a PSO using the graphical interface (adsiedit.msc)

1. Click Start, click Run, type adsiedit.msc, and then click OK.
* If this is the first time adsiedit.msc has been run on this domain controller, continue with step 2; otherwise, skip to step 4.
2. In ADSI Edit, right-click ADSI Edit, and then click Connect to.
3. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO, and then click OK.
4. Double-click the domain.
5. Double-click DC=<Domain Name>.
6. Double-click CN=System.
7. Double-click Password Settings.
8. Right-click CN=Password Settings Container, click New, and then click Object.
9. In the Create Object dialog box, select msDS-PasswordSettings, and then click Next.
10. Enter a name for the PSO, and then click Next.
11. In the wizard, enter the mandatory attributes:

Attribute name | Description | Example value
msDS-PasswordSettingsPrecedence | Password settings precedence | 10
msDS-PasswordReversibleEncryptionEnabled | Store passwords using reversible encryption | FALSE
msDS-PasswordHistoryLength | Password history length | 24
msDS-PasswordComplexityEnabled | Password must meet complexity requirements | TRUE
msDS-MinimumPasswordLength | Minimum password length | 8
msDS-MinimumPasswordAge | Minimum password age (only negative values are allowed; see the calculation method at the end of the text) | -864000000000 (1 day)
msDS-MaximumPasswordAge | Maximum password age (only negative values are allowed; see the calculation method at the end of the text) | -17280000000000 (20 days)
msDS-LockoutThreshold | Account lockout threshold | 0
msDS-LockoutObservationWindow | Reset account lockout counter after (only negative values are allowed; see the calculation method at the end of the text) | -18000000000 (30 minutes)
msDS-LockoutDuration | Account lockout duration (only negative values are allowed; see the calculation method at the end of the text) | -18000000000 (30 minutes)
msDS-PSOAppliesTo | Objects the PSO applies to (forward link) | CN=u1,CN=Users,

12. On the last page of the wizard, click More Attributes.
13. In the Select which properties to view menu, click Optional or Both.
14. In the Select a property to view drop-down menu, select msDS-PSOAppliesTo.
15. In Edit Attribute, add the distinguished name of the user or global security group to which the PSO should apply.
16. Repeat step 15 if the PSO needs to apply to multiple users or global security groups.
17. Click Finish.

Appendix: Calculating time attribute values

The time-span attributes are stored as a negative count of 100-nanosecond intervals (10^7 per second); multiply the per-unit value below by the number of units.

Time unit | Calculation
'm' minutes | -60*(10^7) = -600000000
'h' hours | -60*60*(10^7) = -36000000000
'd' days | -24*60*60*(10^7) = -864000000000
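As an added example (not part of the original article), the following Python script builds the PSO from the attribute table above as an LDIF record, performing the time-value conversion from this appendix in code and offering a reverse conversion for auditing existing PSOs; importing the LDIF with ldifde is an alternative to the adsiedit.msc procedure. The PSO name, the base DN and the user DN are constructed placeholders.

```python
"""Generate an LDIF 'add' record for a PSO, converting human-readable time
spans into the negative 100-ns intervals that the msDS-* time attributes require."""
from datetime import timedelta

TICKS_PER_SECOND = 10**7          # one tick = 100 ns, so 10^7 ticks per second
UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}

def to_interval(amount, unit):
    """(1, 'd') -> -864000000000: the negative tick count a PSO stores."""
    return -amount * UNIT_SECONDS[unit] * TICKS_PER_SECOND

def from_interval(ticks):
    """Reverse conversion, for auditing PSOs read back from the directory."""
    return timedelta(seconds=-ticks / TICKS_PER_SECOND)

def pso_ldif(name, base_dn, applies_to, precedence, history, min_len, min_age,
             max_age, lockout_threshold, observation, lockout_duration,
             complexity=True, reversible=False):
    """LDIF record for one PSO in the default Password Settings Container.
    Time spans are (amount, unit) tuples; applies_to is a list of user/group DNs."""
    attrs = [
        ("objectClass", "msDS-PasswordSettings"),
        ("msDS-PasswordSettingsPrecedence", precedence),
        ("msDS-PasswordReversibleEncryptionEnabled", str(reversible).upper()),
        ("msDS-PasswordHistoryLength", history),
        ("msDS-PasswordComplexityEnabled", str(complexity).upper()),
        ("msDS-MinimumPasswordLength", min_len),
        ("msDS-MinimumPasswordAge", to_interval(*min_age)),
        ("msDS-MaximumPasswordAge", to_interval(*max_age)),
        ("msDS-LockoutThreshold", lockout_threshold),
        ("msDS-LockoutObservationWindow", to_interval(*observation)),
        ("msDS-LockoutDuration", to_interval(*lockout_duration)),
    ] + [("msDS-PSOAppliesTo", dn) for dn in applies_to]
    dn = f"CN={name},CN=Password Settings Container,CN=System,{base_dn}"
    lines = [f"dn: {dn}", "changetype: add"] + [f"{a}: {v}" for a, v in attrs]
    return "\n".join(lines) + "\n"

def example_pso(base_dn="DC=example,DC=com"):
    """The PSO from the table above. base_dn, the PSO name and the user DN are
    constructed placeholders; replace them with your domain's values."""
    return pso_ldif("PSO-Example", base_dn, [f"CN=u1,CN=Users,{base_dn}"],
                    precedence=10, history=24, min_len=8, min_age=(1, "d"),
                    max_age=(20, "d"), lockout_threshold=0,
                    observation=(30, "m"), lockout_duration=(30, "m"))

if __name__ == "__main__":
    print(example_pso())   # save as pso.ldf and import with: ldifde -i -f pso.ldf
```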



Copyright © Windows knowledge All Rights Reserved