Friday 14 March 2014

Fine Grained Password Policy

Topics Covered
Introduction
Rules for PSO
Configuration of PSO

Introduction
Fine-grained password policy is a concept newly introduced in Windows Server 2008 to help
administrators manage password policies and account lockout policies efficiently as per
requirement. Prior to Windows Server 2008, in Windows 2000 and 2003 Active Directory domains,
you could apply only one password and account lockout policy to the entire domain. That policy is
specified in the domain's Default Domain Policy, so specifying multiple account and password
policies per domain is not possible in Windows 2000 and 2003 Server.
In Windows Server 2008, you can use fine-grained password policies to specify multiple
password policies and apply different password restrictions and account lockout policies to
different sets of users and groups within a single domain. You cannot apply this policy to an
organizational unit (OU). For example, to increase the security of privileged accounts, you can
apply stricter settings to the privileged accounts and less strict settings to the accounts
of other users. Or, in some cases, you may want to apply a special password policy to accounts
whose passwords are synchronized with other data sources.
Let us understand a scenario where fine-grained password policy can be useful. Vision
Techservices has various departments such as HR, TechSupport and Managers. You are required to
configure a different password and account lockout policy for each department. Below is the list
of requirements:
Department   | Password length | Min/Max password age | Complexity requirement | Lockout attempts | Lockout duration
Managers     | 5               | 1/60                 | Disabled               | 5                | 30
Techsupport  | 8               | 0/20                 | Enabled                | 3                | 30
HR           | 3               | 1/45                 | Disabled               | 3                | 30
From the above list of requirements you can create a different policy for each department.
Fine-grained password policies are not implemented as part of a GPO. They are stored in a separate
Active Directory class called the Password Settings Object (PSO) that maintains the settings. To use
fine-grained password policy you have to use a low-level Active Directory editing tool called
ADSIedit.msc.
A PSO can be applied to multiple users and groups. Likewise, multiple PSOs can be applied to a
single user or group, but only one PSO is ever in effect for a given user or group. Each PSO has an
attribute called the PSO precedence value, which helps Active Directory determine which PSO should
be applied to a user or group. A precedence value of 1 has the highest priority, and a precedence
value of 2 or higher has lower priority.
NOTE: To apply a PSO to a user, the forest functional level must be Windows Server 2008.

Rules that determine the precedence of PSOs:
1) If multiple PSOs are applied to groups to which the user belongs, the PSO with the highest
precedence (lowest precedence value) wins.
2) If one or more PSOs are linked directly to the user, PSOs linked to groups are ignored regardless
of their precedence. The user-linked PSO with the highest precedence wins.
3) If two or more PSOs have the same precedence value, Active Directory must make a choice: it picks
the PSO with the lowest GUID. Each object in Active Directory has a unique GUID.
To store fine-grained password policies, Windows Server 2008 includes two new object classes
in the Active Directory Domain Services (AD DS) schema:
• Password Settings Container (PSC): the PSC object class is created by default under the System
container in the domain. It stores the PSOs for that domain, and you cannot rename, move, or
delete this container.
• Password Settings Object (PSO): a PSO holds one set of password and account lockout settings
(the values entered in the Configuration of PSO section below) and is linked to the users and
global security groups to which it applies.
Configuration of PSO
Steps to configure fine-grained password and account lockout policies
When the group structure of your organization is defined and implemented, you can configure
and apply fine-grained password and account lockout policies to users and global security
groups. Configuring fine-grained password and account lockout policies involves the following
steps:
Step 1: Create a PSO
Step 2: Apply PSOs to Users and Global Security Groups
Creation of PSO
To create a PSO using ADSI Edit:
1) Click Start, click Run, type adsiedit.msc, and then click OK.
2) In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.
3) In Name, type the fully qualified domain name (FQDN) of the domain in which you want to
create the PSO, and then click OK.
4) Double-click the domain.
5) Double-click DC=<domain_name>.
6) Double-click CN=System.
7) Click CN=Password Settings Container.
8) All the PSO objects that have been created in the selected domain appear.
9) Right-click CN=Password Settings Container, click New, and then click Object.
10) In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click
Next.
11) In Value, type the name of the new PSO, and then click Next. In this example we have given the
name PSO_ganesh to our PSO.
12) Next, specify the precedence value of the PSO.
13) Next, specify whether reversible encryption is enabled (true or false).
14) Next, specify the password history length.
15) Next, specify whether password complexity is required (true or false).
16) Next, specify the minimum password length.
17) Next, specify the minimum password age in duration format, i.e. DD:HH:MM:SS.
18) Next, specify the maximum password age in the same duration format.
19) Next, specify the account lockout threshold.
20) Next, specify the lockout duration.
21) Next, click Finish to complete the creation of the PSO.
22) The PSO now appears in the Password Settings Container.
Applying a PSO to a user or group
1. Open the Active Directory Users and Computers snap-in.
2. Under the domain name, select the System container (enable View > Advanced Features if it is not shown).
3. Under the System container, select Password Settings Container.
4. Under the Password Settings Container you will see the PSO you have created.
5. Right-click the PSO and go to Properties.
6. In Properties, go to the Attribute Editor tab and select the msDS-PSOAppliesTo attribute.
7. Click Edit, and then click "Add Windows Account" to add the user or group to which the PSO
applies.
8. After adding the user, click OK.
9. The PSO is now applied to the user.
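The same two steps (create the PSOs, then link them) for the three departments in the requirements table, plus a check of the precedence rules from the Rules section, as an added example using the Active Directory PowerShell module rather than ADSI Edit (this is not the post's own code; the module ships with Windows Server 2008 R2 and later). The group names, the test user jdoe, the precedence values 10/20/30, the password history count, the lockout observation window, and the units assumed for the table (days for password age, minutes for lockout duration) are assumptions, not values from the post.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and that the
# global security groups Managers, TechSupport and HR already exist; jdoe is a test user.
Import-Module ActiveDirectory

# One entry per row of the requirements table. Units are an assumption: ages in days,
# lockout duration in minutes. Precedence 10/20/30 leaves room for later PSOs.
$policies = @(
    @{ Name='PSO_Managers';    Precedence=10; Length=5; MinAge=1; MaxAge=60; Complex=$false; Threshold=5; Duration=30; Subject='Managers'    }
    @{ Name='PSO_TechSupport'; Precedence=20; Length=8; MinAge=0; MaxAge=20; Complex=$true;  Threshold=3; Duration=30; Subject='TechSupport' }
    @{ Name='PSO_HR';          Precedence=30; Length=3; MinAge=1; MaxAge=45; Complex=$false; Threshold=3; Duration=30; Subject='HR'          }
)

foreach ($p in $policies) {
    # Step 1 of the post: create the msDS-PasswordSettings object under the PSC.
    # PasswordHistoryCount and the observation window are not in the table; values assumed.
    New-ADFineGrainedPasswordPolicy -Name $p.Name `
        -Precedence $p.Precedence `
        -MinPasswordLength $p.Length `
        -MinPasswordAge (New-TimeSpan -Days $p.MinAge) `
        -MaxPasswordAge (New-TimeSpan -Days $p.MaxAge) `
        -ComplexityEnabled $p.Complex `
        -LockoutThreshold $p.Threshold `
        -LockoutDuration (New-TimeSpan -Minutes $p.Duration) `
        -LockoutObservationWindow (New-TimeSpan -Minutes $p.Duration) `
        -PasswordHistoryCount 24 `
        -ReversibleEncryptionEnabled $false

    # Step 2 of the post: populate msDS-PSOAppliesTo with the department's group.
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Subject
}

# Rule 1: for a user who is a member of both Managers and HR, the group-linked PSO with the
# lowest precedence value (PSO_Managers, 10) is the resultant policy.
Get-ADUserResultantPasswordPolicy -Identity jdoe |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Rule 2: a PSO linked directly to the user overrides every group-linked PSO, regardless of
# precedence, so after this link PSO_HR becomes the resultant policy for jdoe.
Add-ADFineGrainedPasswordPolicySubject -Identity PSO_HR -Subjects jdoe
Get-ADUserResultantPasswordPolicy -Identity jdoe | Select-Object Name, Precedence

# Review: list every PSO with its precedence and links, so duplicate precedence values
# (decided by lowest GUID, rule 3) and unexpected direct user links are easy to spot.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, @{ n='AppliesTo'; e={ $_.AppliesTo -join '; ' } }
```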