Unfortunately, in WS08 it is not just a case of configuring a GPO and linking it to an OU. There are several steps involved, which I will go over in detail in this and the next post.
But before we start: the domain functional level needs to be set to Windows Server 2008, you need to have domain admin permissions and the fine-grained password policy can only be applied to users or global security groups.
1: Creating a PSO (Password Security Object)
You can create the PSO using the ADSIEDIT tool or via an ldifde script (which is what I used in this post).
Open Notepad and save the file with an .ldf extension. Then copy the next section and adjust as you prefer.
dn: CN=Kristof_PSO,CN=Password Settings Container,CN=System,DC=KrVa,DC=Local
changetype: add
objectClass: msDS-PasswordSettings
# 42 days
msDS-MaximumPasswordAge:-36288000000000
# 1 day
msDS-MinimumPasswordAge:-864000000000
msDS-MinimumPasswordLength:8
msDS-PasswordHistoryLength:24
msDS-PasswordComplexityEnabled:TRUE
msDS-PasswordReversibleEncryptionEnabled:FALSE
# 30 minutes
msDS-LockoutObservationWindow:-18000000000
# 30 minutes
msDS-LockoutDuration:-18000000000
msDS-LockoutThreshold:0
msDS-PasswordSettingsPrecedence:10
msDS-PSOAppliesTo:CN=All_Domain_Users_GS,OU=Groups,DC=KrVa,DC=Local
Time values are entered in I8 format, as negative numbers:
• For minutes, multiply your value by 600000000
• For hours, multiply your value by 36000000000
• For days, multiply your value by 864000000000
Then run your script from a command prompt: ldifde -i -f Kristof_PSO.ldf
If you have configured your script correctly, you will get an output that looks a little like this:
[Screenshot: ldifde import output]
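Added example (not part of the original post): a small Python check you can run against the .ldf before importing it. It converts durations with the multipliers listed earlier, decodes each time attribute back to minutes, hours or days for review, and flags any line where a note was left after the value. The function names and the sample entry are constructed for illustration.

```python
import re

# Multipliers from the list above (I8 values count 100-nanosecond intervals).
TICKS = {"days": 864_000_000_000, "hours": 36_000_000_000, "minutes": 600_000_000}
TIME_ATTRS = ("msDS-MaximumPasswordAge", "msDS-MinimumPasswordAge",
              "msDS-LockoutObservationWindow", "msDS-LockoutDuration")

def to_i8(amount, unit):
    """Convert a duration to the negative I8 value used in a PSO."""
    return -amount * TICKS[unit]

def from_i8(value):
    """Decode an I8 value to (amount, unit), using the largest unit that divides evenly."""
    ticks = -int(value)
    for unit, size in TICKS.items():
        if ticks % size == 0:
            return ticks // size, unit
    raise ValueError(f"{value} is not a whole number of minutes")

def parse_ldif(text):
    """Read one LDIF entry into a dict, skipping blank lines and # comments."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return {n.strip(): v.strip() for n, _, v in (l.partition(":") for l in lines)}

def lint_pso(text):
    """Return (decoded time values, list of problems) for a PSO LDIF entry."""
    entry, decoded, problems = parse_ldif(text), {}, []
    for attr in TIME_ATTRS:
        raw = entry.get(attr, "")
        try:
            if not re.fullmatch(r"0|-[1-9]\d*", raw):
                raise ValueError(f"expected 0 or a negative integer, got {raw!r}")
            decoded[attr] = from_i8(raw)
        except ValueError as exc:
            problems.append(f"{attr}: {exc}")
    return decoded, problems

# Constructed sample: a note was left after the value on the MinimumPasswordAge line.
SAMPLE = """dn: CN=Example_PSO,CN=Password Settings Container,CN=System,DC=example,DC=local
msDS-MaximumPasswordAge:-36288000000000
msDS-MinimumPasswordAge:-864000000000 (1 day)
msDS-LockoutObservationWindow:-18000000000
msDS-LockoutDuration:-18000000000
"""

if __name__ == "__main__":
    print(lint_pso(SAMPLE))
```
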
Basically, your password policy is now in place. In the next post, I will go over some maintenance and extra configuration options.
Enjoy!