Tuesday, November 11, 2008

Configuring Fine-Grained Password Policies: Creating a PSO (Password Security Object)

Finally! Since WS08 we are able to create separate password policies for different users within the same domain. As you can remember, in all previous versions, the password policy needed to be configured on domain level. Effectively forcing you to create a new domain if password policies needed to vary.

Unfortunately, in WS08 it is not just a case of configuring a GPO and linking it to an OU. There are several steps involved. Which I will go over in detail in this and the next post.
But before we start: the domain functional level needs to be set to Windows Server 2008, you need to have domain admin permissions and the fine-grained password policy can only be applied to users or global security groups.

1: Creating a PSO (Password Security Object)
You can create the PSO using the ADSIEDIT tool or via a ldifde script (which is what I used in this post).

Open a notepad and safe the file with .ldf extension. Then copy the next section and adjust as you prefer.

dn: CN=Kristof_PSO,CN=Password Settings Container,CN=System,DC=KrVa,DC=Local
changetype: add
objectClass: msDS-PasswordSettings
msDS-MaximumPasswordAge:-1728000000000 (FYI: 42 days DO NOT ADD THIS)
msDS-MinimumPasswordAge:-864000000000 (FYI: 1 day DO NOT ADD THIS)
msDS-LockoutObservationWindow:-18000000000 (FYI: 30 minutes DO NOT ADD THIS)
msDS-LockoutDuration:-18000000000 (FYI: 30 minutes DO NOT ADD THIS)

Values are entered in I8 format:
• For minutes, multiple your value with 600000000
• For Hours, multiple your value with 36000000000
• For Days, multiple your value with 864000000000

Then run your script in a command screen: ldifde –i –f Kristof_PSO.ldf

If you have configured your script correctly, you will get an output that looks a little like this:

Basically, your password policy is now in place. In the next post, I will go over some maintenance and extra configuration options.


No comments: