
Monday, 22 October 2012

How To Configure Fine-Grained Password Policies


In the name of God, praise be to God, and peace and blessings be upon the Messenger of God, his family, his companions and his brethren.

Prior to Windows Server 2008, an Active Directory administrator was only able to configure a single Password Policy and Account Lockout Policy for any Active Directory domain. If you were faced with a subset of users whose password policy requirements were different, you were left with the choice of configuring a separate domain or forcing all users within the domain to conform to a single password policy. Beginning in Windows Server 2008, you can configure Fine-Grained Password Policies, which allow you to define multiple password policies within a single domain. 
To enable Fine-Grained Password Policies, Windows Server 2008 introduces a new object class, msDS-PasswordSettings, also called a Password Settings Object (PSO). PSOs are stored under CN=Password Settings Container,CN=System in the domain partition, and the domain functional level must be Windows Server 2008 or higher before you can create them. Each PSO has the following mandatory attributes:
• cn. The common name of the PSO, such as "ServiceAccountNoLockout".
• msDS-PasswordSettingsPrecedence. A positive integer. When more than one PSO could apply to a user, the PSO with the lowest precedence value wins: a PSO with a precedence of 1 is applied over a PSO with a precedence of 5, a PSO with a precedence of 10 over a PSO with a precedence of 100, and so on.
• msDS-PasswordReversibleEncryptionEnabled. Whether passwords covered by this PSO may be stored in Active Directory using reversible encryption (effectively clear text to anyone who can read the directory database). Enable it only when a specific application requires it, because it is a significant security risk. Use TRUE or FALSE.
• msDS-PasswordHistoryLength. The number of previous passwords Active Directory remembers for a user so that they cannot be reused. A value of 2, for example, prevents a user from reusing either of their two previous passwords. This corresponds to the Enforce password history setting in Group Policy.
• msDS-PasswordComplexityEnabled. Whether the PSO requires complex passwords, that is, passwords that mix uppercase and lowercase letters, digits and symbols, and do not contain the user's account name. The Default Domain Policy in Windows Server 2008 requires complex passwords.
• msDS-MinimumPasswordLength. The minimum number of characters in a password covered by this PSO.
• msDS-MinimumPasswordAge. A negative number giving how old a password must be before the user may change it again. Like the other time-valued attributes below, it is stored as a count of 100-nanosecond intervals (not milliseconds): the default of -864000000000 equals one day. ADSI Edit lets you enter these values in the form Days:Hours:Minutes:Seconds (1:00:00:00 for one day) and converts them for you.
• msDS-MaximumPasswordAge. A negative number, in 100-nanosecond intervals, giving how long a password may be used before it expires. The default of -36288000000000 equals 42 days. Enter it as Days:Hours:Minutes:Seconds; the special value -9223372036854775808, shown as "(never)" in ADSI Edit, means passwords never expire.
• msDS-LockoutThreshold. The number of failed logon attempts permitted before the account is locked out. A value of 0 means accounts covered by this PSO are never locked out.
• msDS-LockoutObservationWindow. A negative number, in 100-nanosecond intervals, giving how long after a failed logon attempt the failed-attempt counter is reset to zero. Enter it as Days:Hours:Minutes:Seconds, for example 0:00:30:00 (30 minutes, the value Group Policy suggests when account lockout is enabled).
• msDS-LockoutDuration. A negative number, in 100-nanosecond intervals, giving how long an account stays locked out. A value of 0 means the account stays locked until an administrator unlocks it. Enter it as Days:Hours:Minutes:Seconds, for example 0:00:30:00 (30 minutes, again matching the Group Policy suggestion).

Note:

msDS-LockoutObservationWindow cannot be longer than msDS-LockoutDuration. msDS-MaximumPasswordAge cannot be set to 0:00:00:00 (use "(never)" if passwords should not expire), and msDS-MinimumPasswordAge cannot be longer than msDS-MaximumPasswordAge. ADSI Edit and LDIFDE reject a PSO that violates these constraints.
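The following PowerShell is an added example, not part of the original post, showing how the time-valued attributes are encoded when you build a PSO for LDIFDE by hand: each Days:Hours:Minutes:Seconds value becomes a negative count of 100-nanosecond intervals (the unit of .NET TimeSpan.Ticks), and the constraints from the note above are checked before the file is written. The PSO name ServiceAccountNoLockout, the domain DC=contoso,DC=com and the group "Service Accounts" are assumptions; replace them with your own.

```powershell
# Added example (not from the original post). Builds an LDIF file that creates a PSO
# with its Integer8 attributes encoded as negative 100-nanosecond intervals, exactly
# what ADSI Edit stores when you type Days:Hours:Minutes:Seconds.
# Assumed names: PSO "ServiceAccountNoLockout", domain DC=contoso,DC=com,
# global security group "Service Accounts".

function ConvertTo-PsoInterval {
    # Converts "Days:Hours:Minutes:Seconds" (ADSI Edit's input form) to the stored value.
    param([Parameter(Mandatory)][string]$DaysHoursMinutesSeconds)
    $parts = @($DaysHoursMinutesSeconds.Split(':') | ForEach-Object { [int]$_ })
    if ($parts.Count -ne 4) { throw "Expected Days:Hours:Minutes:Seconds, got '$DaysHoursMinutesSeconds'" }
    $span = New-TimeSpan -Days $parts[0] -Hours $parts[1] -Minutes $parts[2] -Seconds $parts[3]
    return -($span.Ticks)   # one tick = 100 ns, so one day becomes -864000000000
}

# Sanity checks against the defaults quoted in the attribute list above.
if ((ConvertTo-PsoInterval '1:00:00:00')  -ne -864000000000)   { throw 'one day encodes incorrectly' }
if ((ConvertTo-PsoInterval '42:00:00:00') -ne -36288000000000) { throw '42 days encodes incorrectly' }

$domainDn = 'DC=contoso,DC=com'          # assumption
$psoName  = 'ServiceAccountNoLockout'    # assumption
$appliesTo = "CN=Service Accounts,OU=Groups,$domainDn"   # assumption: an existing global security group

$minAge      = ConvertTo-PsoInterval '1:00:00:00'
$maxAge      = ConvertTo-PsoInterval '42:00:00:00'   # use -9223372036854775808 for "(never)"
$observation = ConvertTo-PsoInterval '0:00:30:00'
$lockout     = ConvertTo-PsoInterval '0:00:30:00'

# The constraints from the note: longer intervals are more negative, so compare accordingly.
if ($maxAge -eq 0)            { throw 'msDS-MaximumPasswordAge cannot be 0:00:00:00' }
if ($minAge -lt $maxAge)      { throw 'msDS-MinimumPasswordAge cannot be longer than msDS-MaximumPasswordAge' }
if ($observation -lt $lockout) { throw 'msDS-LockoutObservationWindow cannot be longer than msDS-LockoutDuration' }

# LDIF for ldifde: booleans are TRUE/FALSE, and LockoutThreshold 0 disables lockout for these accounts.
$ldif = @"
dn: CN=$psoName,CN=Password Settings Container,CN=System,$domainDn
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 20
msDS-MinimumPasswordAge: $minAge
msDS-MaximumPasswordAge: $maxAge
msDS-LockoutThreshold: 0
msDS-LockoutObservationWindow: $observation
msDS-LockoutDuration: $lockout
msDS-PSOAppliesTo: $appliesTo
"@

Set-Content -Path ".\$psoName.ldf" -Value $ldif -Encoding ASCII

# Import on a domain controller (or a machine with RSAT) as a member of Domain Admins:
#   ldifde -i -f .\ServiceAccountNoLockout.ldf
# Verify afterwards that the object exists and that the intervals are negative:
#   ldifde -f out.ldf -d "CN=$psoName,CN=Password Settings Container,CN=System,$domainDn"
```

Two things to notice: the intervals come out negative because that is how the directory stores them (a positive value is rejected), and the constraint checks run before anything touches the directory, which saves an opaque "constraint violation" error from ldifde after a typo in one of the Days:Hours:Minutes:Seconds strings.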


You can create one or more PSOs in a domain and link each PSO to one or more users or global security groups (PSOs cannot be linked to OUs or to computer objects) through the PSO's msDS-PSOAppliesTo attribute. PSOs are not created in the Group Policy Management Editor: on Windows Server 2008 you create them by hand with ADSI Edit or by importing an LDIF file with LDIFDE, and from Windows Server 2008 R2 the Active Directory module for Windows PowerShell adds New-ADFineGrainedPasswordPolicy and related cmdlets. When a user authenticates or changes a password, Active Directory determines the user's effective policy (exposed on the user object as the constructed attribute msDS-ResultantPSO) as follows:
1. Are one or more PSOs linked directly to the user account? If so, use the PSO with the winning (lowest) precedence. If not, continue to step 2.
2. Are one or more PSOs linked to a group that has the user account as a member, either directly or through nested group membership? If so, use the PSO with the winning (lowest) precedence. If not, continue to step 3.
3. If no PSO is linked to the user or to any group that has the user as a member, apply the domain-wide password and account lockout policy defined by Group Policy (the Default Domain Policy).
Only one PSO is ever applied to a user; settings are never merged across PSOs, and a PSO linked directly to the user always wins over a group-linked PSO, even one with a better precedence. If two candidate PSOs at the same step have the same precedence value, the PSO with the smallest objectGUID wins, which is effectively arbitrary, so give every PSO a unique precedence.

Configuration Example:
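The following is an added example, not the original post's configuration, using the Active Directory module for Windows PowerShell (Windows Server 2008 R2 or later, or RSAT) to create two PSOs, link one to a group and one directly to a user, and then read back the resultant policy to show the resolution order from the steps above. The PSO names, the group "IT Admins" and the users svc-backup and jdoe are assumptions.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module
# (Windows Server 2008 R2+ / RSAT) and rights to create objects in the
# Password Settings Container (Domain Admins by default).
# Assumed names: PSOs 'ITAdmins-Strict' and 'ServiceAccountNoLockout',
# global security group 'IT Admins', users 'svc-backup' (a member of IT Admins) and 'jdoe'.
Import-Module ActiveDirectory

# A strict policy for the group, with the better (lower) precedence.
New-ADFineGrainedPasswordPolicy -Name 'ITAdmins-Strict' -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00'

# A service-account policy: long passwords, no lockout, worse (higher) precedence.
New-ADFineGrainedPasswordPolicy -Name 'ServiceAccountNoLockout' -Precedence 20 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 20 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 0 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00'

# Link them. Subjects may be users or global security groups only (not OUs or computers).
Add-ADFineGrainedPasswordPolicySubject -Identity 'ITAdmins-Strict'          -Subjects 'IT Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'ServiceAccountNoLockout'  -Subjects 'svc-backup'

# Step 1 of the resolution order: a PSO linked directly to the user wins regardless of precedence,
# so svc-backup gets ServiceAccountNoLockout (precedence 20) even though it is a member of
# IT Admins, whose PSO has the better precedence 10.
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup' |
    Select-Object Name, Precedence, LockoutThreshold, MinPasswordLength

# Step 2: other members of IT Admins have no direct link, so the group-linked PSO applies.
# Step 3: a user with no direct or group link returns nothing here, meaning the
# Default Domain Policy applies; read it with Get-ADDefaultDomainPasswordPolicy.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
if ($null -eq $effective) { Get-ADDefaultDomainPasswordPolicy } else { $effective }

# The raw attributes behind the cmdlet: msDS-PSOApplied is the back-link of msDS-PSOAppliesTo
# (directly linked PSOs only); msDS-ResultantPSO is the computed winner.
Get-ADUser -Identity 'svc-backup' -Properties 'msDS-PSOApplied', 'msDS-ResultantPSO' |
    Select-Object Name, 'msDS-PSOApplied', 'msDS-ResultantPSO'
```

The cmdlets accept the time values as TimeSpan strings (Days.Hours:Minutes:Seconds) and do the negative 100-nanosecond-interval encoding for you; they also enforce the same constraints ADSI Edit does, so an observation window longer than the lockout duration fails at creation time rather than silently misbehaving later.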




Please remember me and all Muslims in your prayers.

May God's blessings and peace be upon the Prophet, his family, his companions and his brethren.