Windows Server 2008 introduced Fine-Grained Password Policies to Active Directory Domain Services (AD DS), giving administrators much greater control over domain security. The primary benefit is that different security groups can now have different password policies; one of the most common variances is password validity duration.
The default password policy for a Windows Server 2008 AD DS has the following settings:
- Enforce History: 24 passwords
- Maximum Age: 42 days
- Minimum Age: 1 day
- Minimum Length: 7 characters
- Password Complexity: Enabled
When the password complexity setting is enabled, the following rules must apply to the password:
- Must be longer than 6 characters (overrides the minimum length setting)
- Cannot contain the user’s login or any part of their name (1-2 successive characters are allowed)
- Must use at least three of the following four character types:
  - Uppercase Letters (A, B, C, …)
  - Lowercase Letters (a, b, c, …)
  - Numbers (1, 2, 3, …)
  - Non-Alphanumeric ($, %, &, …)
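As an added example (not part of the original article), the following PowerShell function applies the complexity rules listed above to a candidate password, the way a provisioning script would pre-check a generated password before attempting to set it and getting a rejection from the domain controller. The function name, the six-character floor, the delimiter set used to split the display name and the sample inputs are assumptions of this example, not values from the article.

```powershell
# Added example: pre-check a password against the AD complexity rules described above.
# Rules implemented (Windows' built-in check behaves the same way):
#   - at least six characters
#   - at least three of the four character classes
#   - no token of the account name or display name of three or more characters
#     (shorter fragments are allowed, which is why 'Jo' below passes)
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = ''
    )
    $reasons = @()

    if ($Password.Length -lt 6) { $reasons += 'shorter than six characters' }

    # Count the character classes present (-cmatch is case-sensitive).
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $reasons += "only $classes of 4 character classes" }

    # Name check: the account name plus each display-name token, split on the
    # delimiters Windows uses (comma, period, dash, underscore, space, #, tab);
    # only tokens of three or more characters are compared, case-insensitively.
    $tokens = @($SamAccountName) + @($DisplayName -split '[,.\-_ #\t]+') |
        Where-Object { $_.Length -ge 3 }
    foreach ($t in $tokens) {
        if ($Password.ToLowerInvariant().Contains($t.ToLowerInvariant())) {
            $reasons += "contains name fragment '$t'"
        }
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample inputs for a user 'jsmith' / 'John Smith'.
'Summer2008', 'jsmith#1A', 'Ab1', 'Jo1234$$', 'password' |
    ForEach-Object { Test-PasswordComplexity -Password $_ -SamAccountName 'jsmith' -DisplayName 'John Smith' } |
    Format-Table -AutoSize
```

Note that 'Summer2008' passes every complexity rule, which is exactly why the Minimum Length and Enforce History settings, and a PSO with a stricter minimum length for sensitive groups, matter in addition to complexity.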
These default settings can be viewed in the Group Policy Management Editor under the Default Domain Policy:
Within the editor, navigate to the following node in the policy tree:
Unfortunately, the Resultant Set of Policy (RSoP) cannot show which Password Settings Object (PSO) has been applied; however, we will be able to view the resultant PSO from another location later.
Creating a PSO
There are two ways to create a PSO:
- Active Directory Service Interfaces Editor (ADSI Edit)
- Lightweight Data Interchange Format Data Exchange (LDIFDE)
The former is the more user-friendly and intuitive of the two, so we will use it here to create our PSO. More information on using LDIFDE can be found in the links at the bottom of the page. To start with, we need to open the ADSI Editor by running “adsiedit.msc”.
From here, we need to connect to our domain, so right-click on the ‘ADSI Edit’ node and hit ‘Connect To’.
All we need to do here is enter the Fully Qualified Domain Name (FQDN) of the domain where we wish to use our new PSO into the ‘Name’ field as above, then click ‘OK’. When this is done, the domain will appear below the ‘ADSI Edit’ node in the left pane. This works like a tree view (double-click to open each node), so navigate to the following node:
DC={domain}
CN=System
CN=Password Settings Container
The middle pane on this screen will show all of the PSOs created that belong to our domain, which is currently empty. To create a PSO here simply right-click (on either the ‘CN=Password Settings Container’ node in the left pane, or the middle pane), go to ‘New’, and select ‘Object’.
From here, follow the wizard to create the structure of your new PSO. For this example, we will create a mock PSO for our finance team, which means we need a strict policy.
1. Select the “msDS-PasswordSettings” class.
2. Enter a name.
3. Enter a Password Settings Precedence (this number determines which PSO will be applied when a user has multiple PSOs; the lowest number always takes precedence).
4. Choose password encryption reversibility (True/False).
5. Set the number of previous passwords to remember.
6. Choose password complexity (True/False).
7. Set the minimum password length (characters).
8. Set the minimum password age (d:hh:mm:ss format).
9. Set the maximum password age (d:hh:mm:ss format).
10. Set the lockout threshold (the number of failed attempts a user is allowed before they are locked out of the domain for the period specified in step 12).
11. Set the lockout observation window (the time that must elapse after a bad password before the failed-attempt count resets, d:hh:mm:ss format).
12. Set the lockout duration (how long a user is locked out of the domain after the number of bad logon attempts specified in step 10, d:hh:mm:ss format).
13. Hit the ‘Finish’ button!
The PSO will now be visible in the middle pane of the screen.
Altering a PSO
From the ADSI Editor, we can alter our PSOs by right-clicking and selecting ‘Properties’:
This will display an attribute editor in which we can change any setting, for example raising the lockout threshold from four attempts to five. Simply select the attribute, click the ‘Edit’ button, enter the new value and hit ‘OK’.
Once the properties window is closed, the new settings will be applied to users as soon as the group policy updates.
Applying a PSO
As with creation, applying a PSO can be done through the Windows interface or LDIFDE. We will use the Windows Server 2008 Server Manager here to apply our newly created PSO, so open it up and navigate to the following node:
Roles
Active Directory Domain Services
Active Directory Users and Computers
{Domain}
System
Password Settings Container
If this node is not visible, ensure that viewing advanced features is enabled by right-clicking the ‘Active Directory Users and Computers’ node and selecting ‘View’, ‘Advanced Features’.
From here, our available PSOs will be visible. Right-click on the PSO created earlier and click ‘Properties’.
In the properties window, move to the ‘Attribute Editor’ tab and find the ‘msDS-PSOAppliesTo’ attribute which should currently have the value ‘<not set>’.
When clicking the ‘Edit’ button, we are greeted with an empty list box.
Click on the ‘Add Windows Account…’ button to bring up the ‘Select Users, Computers, or Groups’ dialog box. From here, add in everyone that should be using the new PSO in the usual fashion. For this example a ‘Dept_Finance’ security group has been created using the Server Manager, so we will add that group here.
On clicking ‘OK’, the security group will now be visible in the previous list box.
Add as many items as necessary to this list, then hit ‘OK’ a couple of times. The PSO will now be applied to the relevant users.
Reviewing a Password Policy
If multiple PSOs have been applied to a user, we will need to know which one has final precedence. This information is given to us in the user’s properties under the resultant PSO attribute. To find this, navigate to the ‘Users’ node under AD DS in the Server Manager, select the user you wish to interrogate and open up the ‘Properties’ from the right-click menu.
In the properties window, go to the ‘Attribute Editor’ tab, and ensure that ‘Optional’ attributes and ‘Constructed’ read-only attributes are visible by selecting them from the ‘Filter’ menu.
Scroll down to the attribute ‘msDS-ResultantPSO’ and click ‘View’ to bring up the ‘String Attribute Editor’ dialog (note that this is read-only).
As expected, our resultant PSO is the new ‘Financial’ PSO recently created.
If the value here is ‘<not set>’, it means that the resultant PSO is the default policy (as explained at the start).
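The creation, application and review steps walked through above in ADSI Edit and Server Manager can be scripted end to end. The block below is an added example, not code from the original article, and uses the ActiveDirectory PowerShell module, which shipped with Windows Server 2008 R2 (or RSAT on a management workstation); it assumes the domain functional level is Windows Server 2008 or higher, that the ‘Dept_Finance’ group already exists, and that the PSO name ‘Financial’, the sample user ‘jdoe’ and the numeric settings are constructed to mirror the strict finance policy in the walkthrough.

```powershell
# Added example: the Finance PSO from the article, built with the ActiveDirectory module.
Import-Module ActiveDirectory

$psoName = 'Financial'   # constructed name, matching the article's example

# 'Creating a PSO' (wizard steps 1-12). A lower precedence wins when a user
# falls under several PSOs. Durations are TimeSpans, not d:hh:mm:ss strings.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# 'Applying a PSO': this populates the msDS-PSOAppliesTo attribute.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Dept_Finance'

# 'Reviewing a Password Policy': msDS-ResultantPSO for one user. An empty
# result means no PSO applies and the Default Domain Policy is in effect.
$user = 'jdoe'   # constructed sample account
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if ($resultant) {
    "{0}: resultant PSO is '{1}' (precedence {2})" -f $user, $resultant.Name, $resultant.Precedence
} else {
    "{0}: no PSO applies; Default Domain Policy is in effect" -f $user
}

# Check the whole group, including nested members, for anyone still on the
# default policy (e.g. a PSO applied to a different group winning on precedence).
Get-ADGroupMember -Identity 'Dept_Finance' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $p = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User         = $_.SamAccountName
            ResultantPSO = if ($p) { $p.Name } else { '<not set>' }
        }
    } | Format-Table -AutoSize
```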
References
- TechNet Article “Fine-Grained Password and Account Lockout Policy Step-by-Step Guide”: http://technet.microsoft.com/en-us/library/cc770842%28WS.10%29.aspx