Password polices are an essential part of any security strategy. Most users tend to use too weak passwords because they are easier to memorize, thereby, endangering your whole network. In a Windows 2000/2003 domain you can only enforce one password and lockout policy for all users. Windows Server 2008 enables you now to use multiple password policies. In my view, this is a very interesting new feature.
- Poll: How reliable are ChatGPT and Bing Chat? - Tue, May 23 2023
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
Different security groups in your domain have different rights. The more rights they have the stronger their passwords should be. Of course, you could work with just one policy enforcing very strong passwords for all users. However, this might stress your helpdesk, because users will forget their passwords more often as a result.
This is especially true if you are working with a short maximum password age. It makes sense to commit administrators to changing their password every month or so. But if you do this with standard users, it will certainly mean a lot of extra work for your helpdesk staff. This time might be better invested somewhere else.
So, I really like this new feature of Windows 2008. However, I don't like how one has to configure multiple password policies. Like in Win2k/Win2k3 you can setup only one password policy for the whole domain using the Group Policy Editor. If you want to use more than one policy, you have to mess around with ADSIedit.msc.
First, you have to create a so-called Password Settings Object (PSO) underneath the Password Settings Container which you find under System. A wizard will guide you thru the creation of the PSO asking you to set the values for attributes like password complexity, minimum password length or lockout threshold. Simon Weidner has a complete list of all password policy attributes with a detailed description of each. Note that the wizard expects negative integers for some attributes.
Next, you have to link this PSO to a global group. If you enabled "Advanced Features" in the Active Directory Users and Computes snap-in, you'll see the System container and underneath the Password Settings Container. There, you can access the properties of the PSO you just created. You can link this PSO to a global group or user by adding its name to the msDS-PSOAppliesTo attribute. Note that you have to use the distinguished name in the form "cn=group name, ou=group container, dc=domain name, dc=com". It is also possible to link a PSO to multiple groups.
It could happen that you create conflicting password policies where a user belongs to multiple groups. However, only one PSO can be effective for a certain user object. There are several rules used to calculate the so called Resultant Set of Policy (RSOP). You can check out this Technet article for more information. The best way certainly is that you specify in advance which PSO is effective. For this you can use the msDS-PasswordSettingsPrecedence attribute. A lower value for this attribute indicates that the PSO has a higher priority. If you assign a unique precedence value to each PSO, it will always be easy to determine the effective password policy for a certain user object.
Subscribe to 4sysops newsletter!
Even though my short article only covered the essentials of the new fine-grained password feature, you've probably realized that things can get quite complicated. I certainly would prefer using Group Policy for this.
Want to write for 4sysops? We are looking for new authors.
Just an FYI, it is possible to have different password policies in a windows 2000/2003 domain. In windows 2000/2003, each OU can be assigned a unique group policy that overrides the default domain password policies. The group policy administration snap-in makes this easy to do and does not require ADSIedit.
James, I must admit I never tried it myself, but I read numerous articles claiming that these settings cannot be assigned to OUs, but only for the whole domain. Read Technet article. Here is an example.
Does anyone know if the fine-grained PW policy can be used while running server 2008 at 2003 domain functional level?
I remember reading somewhere that you could but just wanted some confirmation from anyone that may have tried and tested it?
Yes, the domain functional level has to be Windows Server 2008. Please, check out my latest article about this topic.