Windows Server 2008: Fine-grained password policies

Michael PietroforteMVP By Michael Pietroforte - Thu, May 31, 2007 - 6 comments google+ icon

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

Password polices are an essential part of any security strategy. Most users tend to use too weak passwords because they are easier to memorize, thereby, endangering your whole network. In a Windows 2000/2003 domain you can only enforce one password and lockout policy for all users. Windows Server 2008 enables you now to use multiple password policies. In my view, this is a very interesting new feature.

Different security groups in your domain have different rights. The more rights they have the stronger their passwords should be. Of course, you could work with just one policy enforcing very strong passwords for all users. However, this might stress your helpdesk, because users will forget their passwords more often as a result.

This is especially true if you are working with a short maximum password age. It makes sense to commit administrators to changing their password every month or so. But if you do this with standard users, it will certainly mean a lot of extra work for your helpdesk staff. This time might be better invested somewhere else.

So, I really like this new feature of Windows 2008. However, I don’t like how one has to configure multiple password policies. Like in Win2k/Win2k3 you can setup only one password policy for the whole domain using the Group Policy Editor. If you want to use more than one policy, you have to mess around with ADSIedit.msc.

PSOFirst, you have to create a so-called Password Settings Object (PSO) underneath the Password Settings Container which you find under System. A wizard will guide you thru the creation of the PSO asking you to set the values for attributes like password complexity, minimum password length or lockout threshold. Simon Weidner has a complete list of all password policy attributes with a detailed description of each. Note that the wizard expects negative integers for some attributes.

Next, you have to link this PSO to a global group. If you enabled “Advanced Features” in the Active Directory Users and Computes snap-in, you’ll see the System container and underneath the Password Settings Container. There, you can access the properties of the PSO you just created. You can link this PSO to a global group or user by adding its name to the msDS-PSOAppliesTo attribute. Note that you have to use the distinguished name in the form “cn=group name, ou=group container, dc=domain name, dc=com”. It is also possible to link a PSO to multiple groups.

Password Setting ContainerIt could happen that you create conflicting password policies where a user belongs to multiple groups. However, only one PSO can be effective for a certain user object. There are several rules used to calculate the so called Resultant Set of Policy (RSOP). You can check out this Technet article for more information. The best way certainly is that you specify in advance which PSO is effective. For this you can use the msDS-PasswordSettingsPrecedence attribute. A lower value for this attribute indicates that the PSO has a higher priority. If you assign a unique precedence value to each PSO, it will always be easy to determine the effective password policy for a certain user object.

Even though my short article only covered the essentials of the new fine-grained password feature, you’ve probably realized that things can get quite complicated. I certainly would prefer using Group Policy for this.

-1+1 - Rate this post
Loading ... Loading ...
Your question wasn't answered? Ask in the new 4sysops forum!

6 Comments- Leave a Reply

  1. [...] can find pretty good write-ups about the feature and using ADSIedit to manage it at 4sysops and Ulf’s blog. However, as Richard pointed recently, using PowerShell to manage them is so [...]

  2. [...] and love to create graphical user interface for fine-grained password policies (see overviews in 4sysops and Ulf’s blog) in my Windows 2008 lab. And here’s the result (click to see it full [...]

  3. James M says:

    Just an FYI, it is possible to have different password policies in a windows 2000/2003 domain. In windows 2000/2003, each OU can be assigned a unique group policy that overrides the default domain password policies. The group policy administration snap-in makes this easy to do and does not require ADSIedit.

  4. Michael Pietroforte Michael says:

    James, I must admit I never tried it myself, but I read numerous articles claiming that these settings cannot be assigned to OUs, but only for the whole domain. Read Technet article. Here is an example.

  5. S says:

    Hi,

    Does anyone know if the fine-grained PW policy can be used while running server 2008 at 2003 domain functional level?

    I remember reading somewhere that you could but just wanted some confirmation from anyone that may have tried and tested it?

  6. Yes, the domain functional level has to be Windows Server 2008. Please, check out my latest article about this topic.

===Leave a Comment===

Login

Lost your password?