In the name of God; praise be to God, and peace and blessings be upon the Messenger of God, his family, companions and brothers.
How to Configure Fine-Grained Password Policies
Prior to Windows Server 2008, an Active Directory
administrator was only able to configure a single Password Policy and Account
Lockout Policy for any Active Directory domain. If you were faced with a subset
of users whose password policy requirements were different, you were left with
the choice of configuring a separate domain or forcing all users within the
domain to conform to a single password policy. Beginning in Windows Server
2008, you can configure Fine-Grained Password Policies, which allow you to
define multiple password policies within a single domain.
To enable Fine-Grained Password Policies, Windows Server 2008 introduces a new object type called msDS-PasswordSettings, also called a Password Settings Object (PSO). Each PSO has the following mandatory attributes:
• cn. The common name for the PSO, such as "ServiceAccountNoLockout".
• msDS-PasswordSettingsPrecedence. Where multiple PSOs apply, this attribute is the tie-breaker that decides which PSO wins: a PSO with a precedence of 1 is applied over a PSO with a precedence of 5, a PSO with a precedence of 10 is applied over one with a precedence of 100, and so on.
• msDS-PasswordReversibleEncryptionEnabled. Indicates whether the PSO allows passwords to be stored in Active Directory using reversible encryption. This setting should only be enabled if a particular application requires it, because it presents a significant security risk. Use "true" or "false".
• msDS-PasswordHistoryLength. The number of previous passwords that Active Directory retains before allowing someone to reuse one. Setting this attribute to "2", for example, prevents someone from reusing the previous two passwords configured for their user account. This setting corresponds to the Enforce Password History setting in Group Policy.
• msDS-PasswordComplexityEnabled. Indicates whether the PSO requires a complex password, that is, a password that mixes uppercase and lowercase letters, numbers, and symbols. The default password policy in Windows Server 2008 requires complex passwords.
• msDS-MinimumPasswordLength. The minimum length of a password defined by this PSO.
• msDS-MinimumPasswordAge. A negative number that indicates, in milliseconds, how old a password must be before it can be changed. The default value is -864000000000, which equates to one day. It is entered in the form Days:Hours:Minutes:Seconds.
• msDS-MaximumPasswordLength. As the name indicates, the maximum length of a password defined by this PSO.
• msDS-MaximumPasswordAge. A negative number that indicates, in milliseconds, when a password expires. The default value is -36288000000000, or 42 days. It is entered in the form Days:Hours:Minutes:Seconds.
• msDS-LockoutThreshold. The number of bad logon attempts permitted before an account is locked out.
• msDS-LockoutObservationWindow. A negative number that indicates the number of milliseconds that must pass before the counter of failed logon attempts is reset. It is entered in the form Days:Hours:Minutes:Seconds; for example, set it to 2 minutes, which is the default for the AD policy.
• msDS-LockoutDuration. A negative number, in milliseconds, that indicates how long an account remains locked out. A value of "0" means the account stays locked out until an administrator unlocks it manually. It is entered in the form Days:Hours:Minutes:Seconds; for example, set it to 2 minutes, which is the default for the AD policy.
Note: the msDS-LockoutObservationWindow cannot be longer than the msDS-LockoutDuration. Also, msDS-MaximumPasswordAge cannot be set to 00:00:00:00.
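The following is an added example, not code from the original post: it turns the Days:Hours:Minutes:Seconds values into the numbers a PSO actually stores, checks the two rules from the Note above, and renders the LDIF record that LDIFDE would import. The post's own defaults (-864000000000 for one day, -36288000000000 for 42 days) are counts of 100-nanosecond ticks, which is the unit Active Directory stores these attributes in, so the converter works in that unit; the domain DN, group DN and policy values are constructed.

```python
# Added example, not the post's code; all DNs and policy values are constructed.
TICKS_PER_SECOND = 10_000_000  # AD stores these durations in 100-nanosecond ticks

def duration_to_i8(dhms):
    """'Days:Hours:Minutes:Seconds' (the ADSIEdit entry form) -> negative tick
    count as stored on the PSO. '0:0:0:0' becomes 0."""
    d, h, m, s = (int(p) for p in dhms.split(":"))
    return -(((d * 24 + h) * 60 + m) * 60 + s) * TICKS_PER_SECOND

def validate_pso(settings):
    """Violations of the two rules in the post's Note (empty list if none)."""
    problems = []
    window = -settings["msDS-LockoutObservationWindow"]
    duration = -settings["msDS-LockoutDuration"]
    # duration 0 means locked until an admin unlocks, so no window exceeds it
    if duration and window > duration:
        problems.append("msDS-LockoutObservationWindow longer than msDS-LockoutDuration")
    if settings["msDS-MaximumPasswordAge"] == 0:
        problems.append("msDS-MaximumPasswordAge cannot be 0:0:0:0")
    return problems

def pso_ldif(name, domain_dn, applies_to, settings):
    """LDIF add record for LDIFDE; PSOs live in the Password Settings Container."""
    lines = [f"dn: CN={name},CN=Password Settings Container,CN=System,{domain_dn}",
             "changetype: add", "objectClass: msDS-PasswordSettings", f"cn: {name}"]
    for attr, value in settings.items():
        if isinstance(value, bool):          # LDIFDE wants TRUE / FALSE
            value = "TRUE" if value else "FALSE"
        lines.append(f"{attr}: {value}")
    # msDS-PSOAppliesTo links the PSO to the user or group DNs it governs
    lines += [f"msDS-PSOAppliesTo: {dn}" for dn in applies_to]
    return "\n".join(lines) + "\n"

def service_account_pso():
    """Constructed sample: long, complex, slowly rotated passwords, no lockout."""
    return {
        "msDS-PasswordSettingsPrecedence": 10,
        "msDS-PasswordReversibleEncryptionEnabled": False,
        "msDS-PasswordHistoryLength": 24,
        "msDS-PasswordComplexityEnabled": True,
        "msDS-MinimumPasswordLength": 20,
        "msDS-MinimumPasswordAge": duration_to_i8("1:0:0:0"),     # post's default
        "msDS-MaximumPasswordAge": duration_to_i8("42:0:0:0"),    # post's default
        "msDS-LockoutThreshold": 0,                               # 0 = never lock
        "msDS-LockoutObservationWindow": duration_to_i8("0:0:2:0"),
        "msDS-LockoutDuration": duration_to_i8("0:0:2:0"),
    }
```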
You can create one or more
PSOs within a domain and then configure each PSO to apply to one or more user
or group accounts within the domain; these objects are not created using the
Group Policy Management Editor, but by manually creating the object using
ADSIEdit or LDIFDE. When a user logs on to the domain, Windows Server 2008 uses
the following steps to determine the user's effective password requirements:
1. Are one or more PSOs assigned to the individual user account? If so, use the PSO that has the winning precedence. If not, continue to step 2.
2. Are one or more PSOs assigned to a group that has the user account as a member, either directly or through nested group membership? If so, use the PSO that has the winning precedence. If not, continue to step 3.
3. If PSOs are not assigned to the user or to any group that has the user as a member, apply the domain-wide password policy and account lockout requirements (defined by Group Policy).
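The three-step lookup above, as an added example that is not part of the original post, run over a constructed directory: PSOs are linked to users or groups through msDS-PSOAppliesTo, a lower msDS-PasswordSettingsPrecedence wins within a step, and a PSO linked directly to the user beats any group PSO regardless of precedence. All DNs and PSO names are made up.

```python
# Added example, not the post's code: every DN and PSO below is constructed.
DOMAIN_POLICY = "domain-wide policy (defined by Group Policy)"

# Constructed sample: group DN -> DNs of its direct members (users or groups)
GROUPS = {
    "CN=Admins,DC=example,DC=com": {"CN=alice,DC=example,DC=com", "CN=Tier0,DC=example,DC=com"},
    "CN=Tier0,DC=example,DC=com": {"CN=bob,DC=example,DC=com"},
    "CN=Helpdesk,DC=example,DC=com": {"CN=carol,DC=example,DC=com"},
}

# Constructed sample PSOs: name -> (msDS-PasswordSettingsPrecedence, msDS-PSOAppliesTo)
PSOS = {
    "AdminStrict": (1, {"CN=Admins,DC=example,DC=com"}),
    "HelpdeskRelaxed": (5, {"CN=Helpdesk,DC=example,DC=com", "CN=bob,DC=example,DC=com"}),
    "ServiceNoLockout": (10, {"CN=carol,DC=example,DC=com"}),
}

def groups_of(user_dn, groups=GROUPS):
    """Every group the user belongs to, directly or through nested groups."""
    found, frontier = set(), {user_dn}
    while frontier:
        member = frontier.pop()
        for group, members in groups.items():
            if member in members and group not in found:
                found.add(group)
                frontier.add(group)   # walk up into the groups that contain this group
    return found

def winning_pso(targets, psos=PSOS):
    """Name of the lowest-precedence PSO linked to any DN in targets, or None."""
    matches = [(prec, name) for name, (prec, links) in psos.items() if links & targets]
    return min(matches)[1] if matches else None

def effective_policy(user_dn, psos=PSOS, groups=GROUPS):
    # Step 1: a PSO linked directly to the user wins, whatever its precedence
    direct = winning_pso({user_dn}, psos)
    if direct:
        return direct
    # Step 2: otherwise the best PSO linked to any group (nested included)
    via_group = winning_pso(groups_of(user_dn, groups), psos)
    if via_group:
        return via_group
    # Step 3: nothing linked, so the domain-wide Group Policy settings apply
    return DOMAIN_POLICY
```

Note that bob ends up with HelpdeskRelaxed (precedence 5) although his nested membership in Admins would give him AdminStrict (precedence 1): step 1 finishes the lookup before group links are considered.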
Configuration Example:
Do not forget me and the Muslims in your prayers.
May God's peace and blessings be upon the Prophet, his family, companions and brothers.