In Windows 2000 Server and Windows Server 2003, a domain's password policy could only be set once, in the Default Domain Policy GPO linked at the domain root. An organization that wanted different password rules for different sets of users spread across the globe (for example, stricter rules for administrators than for ordinary staff) could not express that within a single domain.
The only workaround on Windows Server 2003 was to deploy additional domains, one per distinct password policy. That conflicts with the goal of keeping the number of domains in a forest small so that administration stays centralized.
Windows Server 2008 introduced Fine-Grained Password Policies (FGPP), which let administrators define multiple password policies, each with its own account lockout policy, in one domain and apply them to different sets of users. The feature requires the domain functional level to be Windows Server 2008 and is implemented with two new object classes in the Active Directory schema: the Password Settings Container (msDS-PasswordSettingsContainer) and the Password Settings Object (msDS-PasswordSettings).
a) Password Settings Container ( PSC ) :
- The PSC is created under the System container of the domain. To see it in the Active Directory Users and Computers snap-in (ADUC) you must enable Advanced Features from the View menu, because the System container is hidden otherwise.
- The PSC stores the Password Settings Objects (PSOs) for that domain. A PSO carries the attributes an administrator sets to define a password policy together with an account lockout policy:
|LDAP Display Name|Description (Group Policy equivalent)|
|---|---|
|msDS-PasswordHistoryLength|Enforce password history|
|msDS-MaximumPasswordAge|Maximum password age|
|msDS-MinimumPasswordAge|Minimum password age|
|msDS-MinimumPasswordLength|Minimum password length|
|msDS-PasswordComplexityEnabled|Passwords must meet complexity requirements|
|msDS-PasswordReversibleEncryptionEnabled|Store passwords using reversible encryption|
|msDS-LockoutDuration|Account lockout duration|
|msDS-LockoutThreshold|Account lockout threshold|
|msDS-LockoutObservationWindow|Reset account lockout counter after|
All of the attributes above are mandatory: a PSO cannot be created unless each of them has a value. Two further attributes control how a PSO is applied:
- PSO link: msDS-PSOAppliesTo, a multi-valued attribute holding the distinguished names of the objects the PSO applies to. Only user objects and global security groups are honoured; a DN of an OU, a domain local group or a universal group has no effect.
- Precedence: msDS-PasswordSettingsPrecedence, a mandatory positive integer used when more than one PSO reaches the same user. The PSO with the lowest precedence value wins; a PSO linked directly to the user always beats PSOs linked through groups, and a tie between PSOs with the same precedence is broken in favour of the one with the lowest objectGUID. Only one PSO ever applies to a user (settings from different PSOs are never merged), and the winner can be read from the user's constructed attribute msDS-ResultantPSO.
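The precedence rules above are easiest to check on a live user rather than by reasoning about group memberships. The script below is an added example, not part of the original article: it asks the DC for the user's constructed attribute msDS-ResultantPSO (which the DC only computes when explicitly requested), then reads the winning PSO and decodes its I8 duration attributes, which are stored as the negative number of 100-nanosecond intervals. The user name "jdoe" is an assumption; the attribute names are the real schema names, and no Active Directory PowerShell module is needed, so it runs on a plain Windows Server 2008 domain controller.

```powershell
# Added example (not from the original article): report which PSO actually applies to a user.
# Assumed name: the user "jdoe". Uses System.DirectoryServices only (no ActiveDirectory module).
Add-Type -AssemblyName System.DirectoryServices   # normally already loaded in Windows PowerShell

function ConvertFrom-PsoInterval {
    # I8 interval attributes hold the NEGATIVE number of 100-ns ticks; Int64.MinValue means "(never)".
    param([long]$Value)
    if ($Value -eq [long]::MinValue) { return "(never)" }
    return [TimeSpan]::FromTicks(-$Value).ToString()
}

function Get-EffectivePso {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $userSearch = New-Object System.DirectoryServices.DirectorySearcher
    $userSearch.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    # msDS-ResultantPSO is a constructed attribute: the DC computes it only when asked for by name.
    [void]$userSearch.PropertiesToLoad.Add("distinguishedName")
    [void]$userSearch.PropertiesToLoad.Add("msDS-ResultantPSO")
    $user = $userSearch.FindOne()
    if (-not $user) { throw "User '$SamAccountName' not found" }

    if ($user.Properties["msds-resultantpso"].Count -eq 0) {
        # Nothing links to the user directly or through a global security group,
        # so the Default Domain Policy settings apply.
        return [pscustomobject]@{ User = $SamAccountName; PSO = "(none - Default Domain Policy applies)" }
    }
    $psoDN = [string]$user.Properties["msds-resultantpso"][0]

    # Read the winning PSO with a base-scope search so the I8 attributes come back as Int64.
    $psoSearch = New-Object System.DirectoryServices.DirectorySearcher
    $psoSearch.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$psoDN")
    $psoSearch.SearchScope = [System.DirectoryServices.SearchScope]::Base
    $psoSearch.Filter      = "(objectClass=msDS-PasswordSettings)"
    $p = $psoSearch.FindOne().Properties

    [pscustomobject]@{
        User                 = $SamAccountName
        PSO                  = $psoDN
        Precedence           = [int]$p["msds-passwordsettingsprecedence"][0]
        HistoryLength        = [int]$p["msds-passwordhistorylength"][0]
        MinLength            = [int]$p["msds-minimumpasswordlength"][0]
        ComplexityEnabled    = [bool]$p["msds-passwordcomplexityenabled"][0]
        ReversibleEncryption = [bool]$p["msds-passwordreversibleencryptionenabled"][0]
        MinAge               = ConvertFrom-PsoInterval ([long]$p["msds-minimumpasswordage"][0])
        MaxAge               = ConvertFrom-PsoInterval ([long]$p["msds-maximumpasswordage"][0])
        LockoutThreshold     = [int]$p["msds-lockoutthreshold"][0]
        LockoutDuration      = ConvertFrom-PsoInterval ([long]$p["msds-lockoutduration"][0])
        ObservationWindow    = ConvertFrom-PsoInterval ([long]$p["msds-lockoutobservationwindow"][0])
        AppliesTo            = @($p["msds-psoappliesto"])
    }
}

Get-EffectivePso -SamAccountName "jdoe" | Format-List
```

Run it for a user in each group you link a PSO to, and for a user in none of them: the last case should report the Default Domain Policy, which is the easiest way to catch a PSO that was accidentally linked to an OU or to a universal group and therefore applies to nobody.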
Some Important Considerations To Note:
- PSOs are created with ADSI Edit or ldifde; the Windows Server 2008 ADUC snap-in cannot create them, although with Advanced Features enabled its Attribute Editor tab can view and modify an existing PSO. Make sure you supply the correct distinguished name of the user or group in msDS-PSOAppliesTo.
- By default only members of the Domain Admins group can create PSOs. The permission can be delegated on the Password Settings Container if other administrators need it.
- Design the user structure first: identify the different types of users and their roles, create a global security group for each type and add the users to it, then link the PSO to that group. A PSO cannot be applied to an OU; if a policy should follow an OU, create a "shadow group" whose membership mirrors the OU and link the PSO to that group.
The explanation above introduced the feature but not its usage. Let's get our hands dirty by configuring a Password Settings Object.
You can use an existing Windows Server 2008 machine or install a new virtual machine with Windows Server 2008, run dcpromo to create a new domain in an existing or new forest, and confirm that the domain functional level is Windows Server 2008. Launch Active Directory Users and Computers, enable Advanced Features (View menu) and check that the Password Settings Container is present under the System container. Next, create an Organizational Unit (or use an existing one), create a global security group in it and add a few users to the group.
With a domain, an OU and a group in place, the next step is to create a PSO and link it to the global group. ADUC offers no option to create a PSO; use ADSIEdit.msc instead: connect to the Default naming context, expand CN=System, right-click CN=Password Settings Container and choose New > Object, as in the screenshot below.
In the Create Object wizard that follows, select the msDS-PasswordSettings class and click Next.
For msDS-PasswordSettingsPrecedence I entered the integer 3. When more than one PSO is linked to a user (directly or through groups), the PSO with the lowest precedence value wins, so reserve the low numbers for the policies that must prevail. Click Next.
The following pages of the wizard prompt for the remaining attributes. I describe them below without screenshots, to keep this short.
msDS-PasswordReversibleEncryptionEnabled: a Boolean, so the value is either True or False. Leave it False unless an application (such as CHAP-based authentication) genuinely requires it, because reversible encryption stores the equivalent of the clear-text password. I selected False for my testing and clicked Next.
msDS-PasswordHistoryLength: I entered 3. This is the number of previous passwords remembered, so a user cannot reuse any of their last 3 passwords. Click Next.
msDS-PasswordComplexityEnabled: a Boolean. I set it to False for this test; in production leave it True, since without it an 8-character password made of a single character class is accepted.
msDS-MinimumPasswordLength: an integer from 0 to 255. I set it to 8.
msDS-MinimumPasswordAge: ADSI Edit accepts durations in d:hh:mm:ss form. I entered 1:05:10:00, meaning 1 day, 5 hours and 10 minutes. The minimum age must be shorter than the maximum age. Click Next.
msDS-MaximumPasswordAge: I entered 45:00:00:00, i.e. 45 days. The value (never) is also accepted if passwords should not expire. Click Next.
msDS-LockoutThreshold: the number of failed logon attempts allowed before the account is locked; 0 disables lockout. The value depends on the organization: some banks set it to 1, while IT companies typically use 3 or 5. I chose 3.
msDS-LockoutObservationWindow: the time after a failed logon attempt before the bad-password counter is reset to 0. Keep it fairly short, for example 00:00:05:00 (5 minutes), and click Next.
msDS-LockoutDuration: how long the account stays locked out. It must be greater than or equal to the observation window, and (never) keeps the account locked until an administrator unlocks it. Existing organizational policy decides the value; I set it to 00:00:05:00 (5 minutes). Click Next.
Linking the PSO: on the Create Object window, click More Attributes, set "Select which properties to view" to Both, choose msDS-PSOAppliesTo under "Select a property to view" and enter the distinguished name of the global group in the Edit Attribute field, then add it. The DN must use OU= for organizational units (CN= is only correct for containers such as CN=Users), for example:
CN=<GlobalGroup>,OU=<OU Name>,DC=<domain>,DC=<suffix>
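The same PSO can be created from the command line, which is easier to repeat across domains and to keep in source control than clicking through ADSI Edit. The script below is an added example, not part of the original article: the domain, OU and group names are assumptions. It uses the values chosen in the walkthrough above (precedence 3, history 3, minimum length 8, 1:05:10:00 / 45 days, threshold 3, 5-minute window and duration). Unlike ADSI Edit, ldifde does not accept the d:hh:mm:ss form, so the duration attributes are written as raw I8 values (the negative number of 100-nanosecond intervals), which the helper computes from a TimeSpan.

```powershell
# Added example (not from the original article): create the PSO from the walkthrough with ldifde.
# Assumed names: domain contoso.com, OU "Finance", global security group "PSO-Finance".
$domainDN = "DC=contoso,DC=com"
$groupDN  = "CN=PSO-Finance,OU=Finance,$domainDN"     # note OU= for the organizational unit
$psoName  = "PSO-Finance"

function ConvertTo-PsoInterval {
    # Age/duration/window attributes are I8 values: the NEGATIVE count of 100-ns intervals.
    # .NET TimeSpan ticks are already 100-ns units, so only the sign has to change.
    param([Parameter(Mandatory)][TimeSpan]$Span)
    return [string](-1 * $Span.Ticks)
}

$ldif = @"
dn: CN=$psoName,CN=Password Settings Container,CN=System,$domainDN
changetype: add
objectClass: msDS-PasswordSettings
cn: $psoName
msDS-PasswordSettingsPrecedence: 3
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 3
msDS-PasswordComplexityEnabled: FALSE
msDS-MinimumPasswordLength: 8
msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval (New-TimeSpan -Days 1 -Hours 5 -Minutes 10))
msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval (New-TimeSpan -Days 45))
msDS-LockoutThreshold: 3
msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval (New-TimeSpan -Minutes 5))
msDS-LockoutDuration: $(ConvertTo-PsoInterval (New-TimeSpan -Minutes 5))
msDS-PSOAppliesTo: $groupDN
"@

# Write the LDIF and import it. Run as a member of Domain Admins on (or against) a 2008 DC;
# add "-s <dc-name>" if the script is not running on a domain controller.
$ldifPath = Join-Path $env:TEMP "$psoName.ldf"
$ldif | Set-Content -Path $ldifPath -Encoding ASCII
ldifde -i -f $ldifPath
```

Every attribute in the LDIF except msDS-PSOAppliesTo is mandatory, so leaving one out makes the import fail with a schema violation rather than creating a half-configured PSO. The 45-day maximum age, for instance, becomes -38880000000000; if you later open the object in ADSI Edit it is displayed back as 45:00:00:00.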
Some Known Issues And Troubleshooting :
Once a PSO has been created and linked to a group, an administrator may later need to delete it for various reasons. Deleting the PSO can fail with the error below:
Operation failed. Error code: 0x5
Access is denied.
00000005: SecErr: DSID-xxxxxx, problem 4003
(INSUFF_ACCESS_RIGHT), data 0
Error code 0x5 (decimal 5, the Win32 ERROR_ACCESS_DENIED) and the LDAP problem 4003 INSUFF_ACCESS_RIGHTS both decode to "Access denied": the account performing the operation lacks the required permission on the object.
a) Make sure the account is a member of the Domain Admins group. The error can also appear when the account already is a Domain Admin; in that case the cause is the next item.
b) Check that "Protect object from accidental deletion" is not ticked on the PSO: in Active Directory Users and Computers (with Advanced Features enabled) go to <Domain Name> > System > Password Settings Container > <PSO object>, open its properties, clear the checkbox on the Object tab and retry the deletion.
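The same cleanup can be scripted, which helps when many test PSOs were created with the protection flag set. The script below is an added example, not part of the original article: the PSO name and domain DN are assumptions. It relies on the fact that "Protect object from accidental deletion" is implemented as explicit Deny ACEs for Everyone covering Delete and Delete Subtree on the object itself; it removes exactly those ACEs, writes the DACL back and then deletes the PSO. If the delete still returns 0x5 afterwards, the restriction is not on the object, and the Password Settings Container's DACL and your own group membership are the next things to check.

```powershell
# Added example (not from the original article): clear the deletion protection on a PSO and
# delete it, for the 0x5 / INSUFF_ACCESS_RIGHTS case described above.
# Assumed names: PSO "PSO-Finance" in domain contoso.com. Run as a member of Domain Admins.
function Remove-ProtectedPso {
    param(
        [Parameter(Mandatory)][string]$PsoName,
        [Parameter(Mandatory)][string]$DomainDN
    )
    $path = "LDAP://CN=$PsoName,CN=Password Settings Container,CN=System,$DomainDN"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        throw "PSO '$PsoName' not found under the Password Settings Container"
    }
    $pso = New-Object System.DirectoryServices.DirectoryEntry($path)

    # "Protect object from accidental deletion" = explicit Deny ACEs for Everyone on the object
    # for Delete and Delete Subtree. Those ACEs are what turn a Domain Admin's delete into 0x5.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $deleteRights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

    $acl   = $pso.ObjectSecurity
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $removed = 0
    foreach ($rule in @($rules)) {
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
            $rule.IdentityReference -eq $everyone -and
            (($rule.ActiveDirectoryRights -band $deleteRights) -ne 0)) {
            $acl.RemoveAccessRuleSpecific($rule)   # remove exactly this ACE, nothing broader
            $removed++
        }
    }
    if ($removed -gt 0) { $pso.CommitChanges() }   # write the modified DACL back before deleting

    # A failure here with 0x5 means the restriction is elsewhere (parent container DACL or
    # the caller's group membership), not the protection flag.
    $pso.DeleteTree()
    return $removed   # number of protecting ACEs that had to be removed
}

Remove-ProtectedPso -PsoName "PSO-Finance" -DomainDN "DC=contoso,DC=com"
```

Removing only the specific Deny ACEs, rather than resetting the whole DACL, keeps any delegation that was deliberately configured on the PSO intact; the function returns how many ACEs it removed so a run that deletes an unprotected PSO is distinguishable from one that had to clear the flag first.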