Fine-grained password policies

2017-12-07T10:47:41+00:00 February 9th, 2010|biz, Cloud|

Windows Server 2008 introduced a very cool Active Directory feature called fine-grained password policies: Password Settings Objects (PSOs) that let you give specific users or global security groups their own password and lockout settings instead of the one policy per domain you were stuck with before. They need the domain to be at the Windows Server 2008 functional level and can be a bit arduous to set up; the easiest way I’ve found is to write an ldifde answer file and import it. In this example I’m creating a PSO called ServiceAccounts and applying it to the group called ServiceAccounts.

# pso.ldf - time values are negative 100-nanosecond intervals
# (1 day = -864000000000, 30 minutes = -18000000000)
dn: CN=ServiceAccounts,CN=Password Settings Container,CN=System,DC=robsdesk,DC=com
changetype: add
objectClass: msDS-PasswordSettings
msDS-MaximumPasswordAge: -1728000000000
msDS-MinimumPasswordAge: -864000000000
msDS-MinimumPasswordLength: 8
msDS-PasswordHistoryLength: 0
msDS-PasswordComplexityEnabled: TRUE
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-LockoutObservationWindow: -18000000000
msDS-LockoutDuration: -18000000000
msDS-LockoutThreshold: 5
msDS-PasswordSettingsPrecedence: 20
# Target must be a user or a global security group; OUs are not valid here
msDS-PSOAppliesTo: CN=ServiceAccounts,OU=DomainManagement,DC=robsdesk,DC=com

Execute this command on a domain controller (or a machine with the AD DS tools installed), as an account allowed to create objects in the Password Settings Container; by default that is Domain Admins only:

Ldifde -i -f pso.ldf

This will create a policy with the following attributes:

  • Maximum password age of 2 days
  • Minimum password age of 1 day
  • Minimum password length of 8 characters
  • No password history (0 passwords remembered)
  • Require complexity
  • Reversible encryption disabled
  • 30 minute lockout observation window
  • 30 minute lockout
  • Lockout after 5 failures
  • Precedence of 20 – like MX records, the lowest value wins when more than one PSO applies to a user (a PSO linked directly to the user beats one inherited through group membership, and a tie on precedence is broken in favour of the PSO with the lowest objectGUID).

Make the accounts you want the policy to apply to members of the group; a PSO can only be linked to user objects and global security groups, not to OUs. You can edit the settings in the policy using ADSIEdit by navigating to the Password Settings Container within the System container. To confirm which policy an account actually ends up with, read the user’s msDS-ResultantPSO attribute (it is a constructed attribute, so turn on constructed attributes in the Attribute Editor filter, or query it from a script).
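The whole procedure as a PowerShell script, added here as an example and not part of the original post: it builds the same LDIF from readable TimeSpan values (so the 100-nanosecond arithmetic is done for you), imports it with ldifde, and then checks msDS-ResultantPSO on a member of the group. The domain name, the DNs and the user svc-backup are assumptions for the example.

```powershell
# Added example (not from the original post). Creates the ServiceAccounts PSO
# via an ldifde answer file and verifies which PSO a group member receives.
# robsdesk.com, the DNs below and the user svc-backup are assumed names.

# AD stores msDS-*PasswordAge and msDS-Lockout* values as NEGATIVE counts of
# 100-nanosecond intervals. TimeSpan.Ticks is already in 100 ns units.
function ConvertTo-AdInterval {
    param([Parameter(Mandatory)][TimeSpan]$Span)
    if ($Span -le [TimeSpan]::Zero) { throw "Interval must be positive: $Span" }
    return -$Span.Ticks
}

$domainDn = 'DC=robsdesk,DC=com'
$psoName  = 'ServiceAccounts'
$targetDn = "CN=ServiceAccounts,OU=DomainManagement,$domainDn"   # global security group

# Attribute values in the order they will be written to the LDIF file.
$pso = [ordered]@{
    'msDS-MaximumPasswordAge'                  = ConvertTo-AdInterval (New-TimeSpan -Days 2)
    'msDS-MinimumPasswordAge'                  = ConvertTo-AdInterval (New-TimeSpan -Days 1)
    'msDS-MinimumPasswordLength'               = 8
    'msDS-PasswordHistoryLength'               = 0
    'msDS-PasswordComplexityEnabled'           = 'TRUE'
    'msDS-PasswordReversibleEncryptionEnabled' = 'FALSE'
    'msDS-LockoutObservationWindow'            = ConvertTo-AdInterval (New-TimeSpan -Minutes 30)
    'msDS-LockoutDuration'                     = ConvertTo-AdInterval (New-TimeSpan -Minutes 30)
    'msDS-LockoutThreshold'                    = 5
    'msDS-PasswordSettingsPrecedence'          = 20
    'msDS-PSOAppliesTo'                        = $targetDn
}

$ldif = @(
    "dn: CN=$psoName,CN=Password Settings Container,CN=System,$domainDn"
    'changetype: add'
    'objectClass: msDS-PasswordSettings'
) + ($pso.GetEnumerator() | ForEach-Object { "$($_.Key): $($_.Value)" })

$ldifPath = Join-Path $env:TEMP 'pso.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII

# -i import, -f file, -k keep going past "object already exists" so a re-run
# does not abort on the PSO that is already there.
& ldifde.exe -i -k -f $ldifPath
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }

# msDS-ResultantPSO is a constructed attribute computed by the DC per user, so
# it is the authoritative answer to "which PSO does this account actually get?".
# It is not returned by default; RefreshCache asks the DC for it explicitly.
$user = [ADSI]"LDAP://CN=svc-backup,OU=DomainManagement,$domainDn"
$user.RefreshCache(@('msDS-ResultantPSO'))
$resultant = $user.Properties['msDS-ResultantPSO'].Value
if ($resultant) {
    "Effective PSO for svc-backup: $resultant"
} else {
    'No PSO applies to svc-backup; it falls back to the Default Domain Policy.'
}
```

If the final check does not name your new PSO, the usual culprits are the target not being a global security group, the account not yet being a member, or another PSO with a lower precedence value applying to the same user. On Windows Server 2008 R2 with the Active Directory module you can do the same job with New-ADFineGrainedPasswordPolicy, Add-ADFineGrainedPasswordPolicySubject and Get-ADUserResultantPasswordPolicy, but the LDIF route works on plain 2008 domain controllers too.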

More detail can be found here: http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx

Cheers,

Rob