Fine Grained Password (and Lockout) Policy
Windows Server 2008 Active Directory introduces a new feature called fine grained password policy - which also includes lockout policy.
With this new feature you can, for the first time, apply different password and lockout policies to different users within the same domain. Prior to this you had one policy for the whole domain; see Account Policies Explained.
Microsoft didn't do this the way I would have, which would have been simply to implement it via Group Policy and let you configure different password policies at the organizational unit level.
Anyway, the way it works is you create a new object called a Password Settings Object (PSO). In the PSO you set the same maximum password age, complexity requirements, lockout thresholds, etc. that you find under Account Policy in a GPO.
Then you link that PSO to individual users (bad admin!) or to groups (that's the way to do it). Note that you have to use groups whose scope is Global (not Local or Universal) and whose type is Security (not Distribution). All members of the group inherit the password and lockout policy defined in the PSO linked to that group.
It's possible for a user to end up with more than one applicable PSO. Windows arbitrates between them based on the msDS-PasswordSettingsPrecedence attribute of each PSO - the lower the value, the higher the rank. PSOs linked directly to a user (bad admin!) take precedence over PSOs assigned through group membership.
Figuring Out If Any PSOs Have Been Defined
Maybe you are conducting an audit and just need to find out whether any fine grained password policies have been defined. Here's what you do: open Active Directory Users and Computers and select View\Advanced Features. Then double click the Policies container and then the Password Settings Container. If the container is empty, there are no PSOs defined.
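The same audit can be scripted. The following is an added example, not code from this article or from Microsoft: it lists every PSO in the Password Settings Container with its precedence, a few key settings and what it is linked to, and flags the two linking mistakes described above (a PSO linked directly to a user, or to a group that is not a Global Security group). It uses System.DirectoryServices over LDAP so it runs on Windows Server 2008 with PowerShell 2.0, without the later ActiveDirectory module. It assumes a domain-joined session whose account is allowed to read the PSOs (by default that means a Domain Admin); the function name Get-PsoAudit is mine.

```powershell
# Added example, not code from the WinSecWiki article or from Microsoft.
# Enumerates PSOs under CN=Password Settings Container,CN=System,<domain>
# and reports how each one is linked. Assumes a domain-joined session whose
# account may read the PSOs (by default a Domain Admin).

function Get-PsoAudit {
    $domainDn  = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    $container = [ADSI]"LDAP://CN=Password Settings Container,CN=System,$domainDn"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter   = '(objectClass=msDS-PasswordSettings)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'name', 'msDS-PasswordSettingsPrecedence', 'msDS-PSOAppliesTo',
        'msDS-MinimumPasswordLength', 'msDS-PasswordComplexityEnabled',
        'msDS-LockoutThreshold'))

    $psos = $searcher.FindAll()
    if ($psos.Count -eq 0) {
        Write-Warning 'Password Settings Container is empty: no PSOs defined, the domain Account Policy applies to everyone.'
        return
    }

    foreach ($pso in $psos) {
        $p = $pso.Properties
        $directUsers = @(); $wrongGroups = @(); $goodGroups = @()

        # msDS-PSOAppliesTo is the multi-valued list of DNs the PSO is linked to.
        foreach ($dn in @($p['msds-psoappliesto'])) {
            $target = [ADSI]"LDAP://$dn"
            if ($target.SchemaClassName -eq 'group') {
                # groupType bit 0x2 means Global scope; the sign bit (0x80000000)
                # set, i.e. a negative Int32, means a Security (not Distribution) group.
                $gt = [int]$target.groupType.Value
                if ((($gt -band 2) -ne 0) -and ($gt -lt 0)) { $goodGroups += $dn }
                else { $wrongGroups += $dn }   # wrong scope or type: PSO will not apply via this group
            } else {
                $directUsers += $dn            # the "bad admin!" case: linked straight to a user
            }
        }

        New-Object PSObject -Property @{
            PSO                   = [string]$p['name'][0]
            Precedence            = [int]$p['msds-passwordsettingsprecedence'][0]
            MinPasswordLength     = [int]$p['msds-minimumpasswordlength'][0]
            ComplexityEnabled     = [bool]$p['msds-passwordcomplexityenabled'][0]
            LockoutThreshold      = [int]$p['msds-lockoutthreshold'][0]
            GlobalSecurityGroups  = $goodGroups
            WrongScopeOrType      = $wrongGroups
            LinkedDirectlyToUsers = $directUsers
        }
    }
}

# Lowest precedence value first, matching the order in which Windows ranks them.
Get-PsoAudit | Sort-Object Precedence | Format-List
```

Anything that shows up under WrongScopeOrType or LinkedDirectlyToUsers is worth a follow-up: the former silently fails to apply, the latter is the per-user linking the article warns against.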
Configuring PSOs
There's no GUI or command line interface in Windows Server 2008 for configuring PSOs - you would have to use ADSI Edit. Thankfully there are a number of free tools out there to solve this problem.
Fine-Grained Password Policies PowerGUI PowerPack - This is the one I recommend. PowerGUI is awesome - see the FAQ on this page.
Fine Grain Password Policy Tool
PSOMgr
Displaying a Given User's Resultant Password Policy
Use this command line: dsget user <User-DN> -effectivepso
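When auditing, it is useful to see not just the answer the DC gives but why. The following is an added example, not code from this article or from Microsoft: it reads the constructed attribute msDS-ResultantPSO (the value that dsget user <User-DN> -effectivepso prints) and, independently, re-derives the effective PSO from msDS-PSOAppliesTo and msDS-PasswordSettingsPrecedence using the arbitration rules described above (a PSO linked directly to the user wins; otherwise the lowest precedence value among PSOs linked to the user's Global Security groups), then reports whether the two agree. It assumes a domain-joined Windows Server 2008 session with rights to read the PSOs, and that nested global group membership counts (tokenGroups expands it); the function name Get-EffectivePso and the account name jdoe are placeholders of mine.

```powershell
# Added example, not code from the WinSecWiki article or from Microsoft.
# Resolves a user's effective PSO two ways: the DC-computed msDS-ResultantPSO
# and a re-derivation from the precedence rules. Assumes a domain-joined
# session that can read the PSOs, and that nested group membership counts.

function Get-EffectivePso {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    $domainDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    $domain   = [ADSI]"LDAP://$domainDn"

    # Locate the user, then pull the constructed attributes: the DC's answer
    # and the expanded (nested) list of group SIDs.
    $s = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $s.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $hit = $s.FindOne()
    if ($hit -eq $null) { throw "User '$SamAccountName' not found in $domainDn" }
    $user = $hit.GetDirectoryEntry()
    $user.RefreshCache([string[]]@('tokenGroups', 'msDS-ResultantPSO'))
    $userDn   = [string]$user.Properties['distinguishedName'].Value
    $dcAnswer = [string]$user.Properties['msDS-ResultantPSO'].Value   # '' => Default Domain Policy
    $userSids = @{}
    foreach ($b in $user.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($b, 0)
        $userSids[$sid.Value] = $true
    }

    # Walk every PSO and classify how (if at all) it reaches this user.
    $psc = [ADSI]"LDAP://CN=Password Settings Container,CN=System,$domainDn"
    $ps  = New-Object System.DirectoryServices.DirectorySearcher($psc)
    $ps.Filter = '(objectClass=msDS-PasswordSettings)'
    $direct = @(); $viaGroup = @()
    foreach ($r in $ps.FindAll()) {
        $psoDn = [string]$r.Properties['distinguishedname'][0]
        $prec  = [int]$r.Properties['msds-passwordsettingsprecedence'][0]
        foreach ($dn in @($r.Properties['msds-psoappliesto'])) {
            if ($dn -eq $userDn) {
                $direct += (New-Object PSObject -Property @{ Dn = $psoDn; Precedence = $prec })
                continue
            }
            $obj = [ADSI]"LDAP://$dn"
            if ($obj.SchemaClassName -ne 'group') { continue }
            $gt = [int]$obj.groupType.Value
            # Only Global (bit 0x2) Security (sign bit set) groups are honoured.
            if ((($gt -band 2) -eq 0) -or ($gt -ge 0)) { continue }
            $gsid = (New-Object System.Security.Principal.SecurityIdentifier($obj.objectSid.Value, 0)).Value
            if ($userSids.ContainsKey($gsid)) {
                $viaGroup += (New-Object PSObject -Property @{ Dn = $psoDn; Precedence = $prec })
            }
        }
    }

    # Arbitration: a direct link beats any group link; lower precedence value wins.
    $candidates = if ($direct.Count -gt 0) { $direct } else { $viaGroup }
    $derived    = $candidates | Sort-Object Precedence | Select-Object -First 1
    $derivedDn  = if ($derived) { [string]$derived.Dn } else { '' }

    New-Object PSObject -Property @{
        User           = $userDn
        ResultantPSO   = $dcAnswer
        DerivedPSO     = $derivedDn
        Agree          = ($dcAnswer -eq $derivedDn)
        LinkedDirectly = ($direct.Count -gt 0)
    }
}

Get-EffectivePso -SamAccountName 'jdoe'   # 'jdoe' is a placeholder account name
```

An empty ResultantPSO means no PSO reaches the user and the domain-wide Account Policy applies. A row where Agree is false usually points at a link the DC ignores (wrong group scope or type) or at replication lag between DCs, both of which are worth checking before trusting the dsget output alone.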
Applies To: Windows Server 2008