Windows Server 2008 - Fine Grained Password Policy Walkthrough


Back in March, I wrote about one of the important new features in Windows Server 2008, the Fine-grained password policy (also a great post for learning more about passwords in general).  In any case, there has been an increase in available documentation and tools relating to FGPP (I don't know if that's a real acronym, I just wanted to save myself some typing ;)

Some Microsoft MVPs have also created some nice GUI tools to configure Fine Grained Password Policies:

As I am busy procrastinating (and avoiding work on a presentation I need to give on Monday), I thought I would walk through the official Microsoft way of creating the password policies.  If you have installed the Release Candidate of Windows Server 2008 and plan on following along, make sure the domain is running at the Windows Server 2008 domain functional level (the forest functional level can stay lower; only the domain level matters for fine-grained password policies) and that you have the Active Directory Domain Services role installed.

Let's go...

  1. Start --> Run --> gpmc.msc
  2. Expand Forest: yourforest.com.
  3. Expand Domains\yourdomain.com.
  4. Right Click Default Domain Policy and Click Edit.
  5. Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

Here you can see your default domain-wide password policy.


Now let's create a custom password policy that can be assigned directly to a user or group.  We're going to be using adsiedit, so prepare to roll your sleeves up!  Close out of all open windows, and:

1. Start --> Run --> adsiedit.msc

2. Right-click ADSI Edit, click Connect to..., leave the connection point at Default naming context, and hit OK.

3. Expand Default naming context\DC=yourdomain,DC=com\CN=System\CN=Password Settings Container.

4. Right-click Password Settings Container and click New > Object...

5. Select msDS-PasswordSettings and click Next. For the cn attribute enter Value: SeansPasswordSettings (or whatever you want to name your Password Settings Object (PSO)) and click Next.

The next options are all EXTREMELY cryptic.  I will put a brief explanation next to each, but if you are doing this in real life, you will want to consult the settings reference on step 1 of the Step-by-Step Guide.

6. Under msDS-PasswordSettingsPrecedence set a value of 10, click Next. (This value must be greater than zero.  If more than one PSO applies to a user, the one with the lowest precedence value wins, and a PSO linked directly to the user beats any PSO inherited through group membership regardless of precedence.)

7. Fill in the following attributes for password settings:

· msDS-PasswordReversibleEncryptionEnabled (self explanatory; leave it off unless an application genuinely needs to recover the plaintext password)
Value = False

· msDS-PasswordHistoryLength (Also self explanatory... you can keep up to 1024)
Value = 15
(domain default: 24)

· msDS-PasswordComplexityEnabled (three of the four character classes: upper, lower, number, symbol; and no part of the user name)
Value = True

· msDS-MinimumPasswordLength (If only everyone were using pass-phrases instead of passwords; the attribute allows up to 255)
Value = 12
(domain default: 7 characters)

Now we get into crazy land. MinimumPasswordAge, MaximumPasswordAge, LockoutObservationWindow, and LockoutDuration are stored as I8 (64-bit integer) values: negative counts of 100-nanosecond ticks.  The values below are the raw I8 numbers, which is also what you need if you script this with ldifde; if your build of ADSI Edit asks for d:hh:mm:ss instead, the conversion guide below takes you between the two.

To quote from TechNet:

When you use ADSI Edit to create Password Settings objects (PSOs), enter the values of the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) in d:hh:mm:ss format.

When you use the ldifde command to create PSOs, you must enter the values of these attributes in I8 format, which stores time in the intervals of -100 nanoseconds. (Schema: attributeSyntax = 2.5.5.16 (I8).) Windows Server 2003 Default Domain Policy employs this exact time unit for its corresponding time-related attributes. To set these attributes to appropriate values, convert time values in minutes, hours, or days to time values in the intervals of 100 nanoseconds, and then precede the resultant values with a negative sign.

You can use the following conversion guide and multiplication factors to obtain the corresponding I8 values.

Time unit      Multiplication factor
m minutes      -60*(10^7)          = -600000000
h hours        -60*60*(10^7)       = -36000000000
d days         -24*60*60*(10^7)    = -864000000000

For example, if you want to set the msDS-MaximumPasswordAge to 10 days, multiply 10 by -864000000000 and apply the resulting I8 value to the msDS-MaximumPasswordAge attribute (in this example, -8640000000000). If you want to set msDS-LockoutDuration to 30 minutes, multiply 30 by -600000000 to get the corresponding I8 value (in this example, -18000000000).

· msDS-MinimumPasswordAge
Value = -864000000000 (864 followed by nine zeroes)
(domain default: 1 day = -864000000000)

· msDS-MaximumPasswordAge
Value = -36288000000000 (36288 followed by nine zeroes)
(domain default: 42 days = -36288000000000)

8. Fill in the following attributes for account lockout settings (all three are mandatory on the PSO even when the threshold is 0):

· msDS-LockoutThreshold
Value = 0
(domain default: 0 = don't lock out accounts after invalid passwords)

· msDS-LockoutObservationWindow
Value = -18000000000 (18 followed by nine zeroes)
(domain default: 30 min = -18000000000)

· msDS-LockoutDuration
Value = -18000000000 (18 followed by nine zeroes)
(domain default: 30 min = -18000000000; must be at least as long as the observation window)

9. Click Finish.

If you get an error message about improper values, you probably forgot to add a "-" before some of the numbers listed above.  Don't feel bad if you did, I manage to do it every time I run through this :)  If you did everything right, it should look something like this:
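The conversion guide and the value entry in steps 7 and 8 are easy to get wrong by a sign or a unit, so here is a small Python helper, added for this walkthrough (it is not from the TechNet guide or any of the tools mentioned above), that converts between the d:hh:mm:ss form and I8 ticks and checks a PSO's values against the constraints AD enforces, including the missing-minus-sign mistake. PAGE_PSO holds the values entered above; NEVER is the most negative I8, the sentinel AD stores for "never".

```python
import re
from datetime import timedelta

TICKS_PER_SECOND = 10_000_000        # one I8 tick is 100 ns, so 10^7 ticks per second
NEVER = -0x8000000000000000          # most negative I8; AD uses it for "never" (e.g. password never expires)

TIME_ATTRS = ("msDS-MinimumPasswordAge", "msDS-MaximumPasswordAge",
              "msDS-LockoutObservationWindow", "msDS-LockoutDuration")

_DURATION = re.compile(r"^(\d+):(\d{1,2}):(\d{1,2}):(\d{1,2})$")


def to_i8(duration: str) -> int:
    """Convert the d:hh:mm:ss form into the negative I8 tick count the attribute stores."""
    m = _DURATION.match(duration)
    if not m:
        raise ValueError(f"expected d:hh:mm:ss, got {duration!r}")
    days, hours, minutes, seconds = map(int, m.groups())
    total = timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)
    return -int(total.total_seconds()) * TICKS_PER_SECOND


def from_i8(value: int) -> str:
    """Inverse of to_i8, for reading raw attribute values back as d:hh:mm:ss."""
    if value == NEVER:
        return "(never)"
    if value > 0:
        raise ValueError(f"{value} is positive; PSO durations are stored as negative I8")
    seconds = -value // TICKS_PER_SECOND
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{days}:{hours:02d}:{minutes:02d}:{seconds:02d}"


def validate_pso(pso: dict) -> list:
    """Return the problems AD would reject this PSO for (empty list = looks fine).
    Catches the 'forgot the minus sign' mistake before ADSI Edit or ldifde does."""
    errors = []
    if pso.get("msDS-PasswordSettingsPrecedence", 0) < 1:
        errors.append("msDS-PasswordSettingsPrecedence must be greater than zero")
    if not 0 <= pso.get("msDS-PasswordHistoryLength", 0) <= 1024:
        errors.append("msDS-PasswordHistoryLength must be between 0 and 1024")
    if not 0 <= pso.get("msDS-MinimumPasswordLength", 0) <= 255:
        errors.append("msDS-MinimumPasswordLength must be between 0 and 255")
    for attr in TIME_ATTRS:
        if pso.get(attr, 0) > 0:
            errors.append(f"{attr} = {pso[attr]} is positive: did you forget the leading '-'?")
    min_age = pso.get("msDS-MinimumPasswordAge", 0)
    max_age = pso.get("msDS-MaximumPasswordAge", 0)
    # longer durations are *more negative*, so "min longer than max" reads as min_age < max_age
    if max_age != NEVER and min_age < max_age:
        errors.append("msDS-MinimumPasswordAge must not be longer than msDS-MaximumPasswordAge")
    window = pso.get("msDS-LockoutObservationWindow", 0)
    duration = pso.get("msDS-LockoutDuration", 0)
    if window < duration:
        errors.append("msDS-LockoutObservationWindow must not be longer than msDS-LockoutDuration")
    return errors


# The values this walkthrough enters, expressed the way the attributes store them.
PAGE_PSO = {
    "msDS-PasswordSettingsPrecedence": 10,
    "msDS-PasswordReversibleEncryptionEnabled": False,
    "msDS-PasswordHistoryLength": 15,
    "msDS-PasswordComplexityEnabled": True,
    "msDS-MinimumPasswordLength": 12,
    "msDS-MinimumPasswordAge": to_i8("1:00:00:00"),
    "msDS-MaximumPasswordAge": to_i8("42:00:00:00"),
    "msDS-LockoutThreshold": 0,
    "msDS-LockoutObservationWindow": to_i8("0:00:30:00"),
    "msDS-LockoutDuration": to_i8("0:00:30:00"),
}

if __name__ == "__main__":
    for attr in TIME_ATTRS:
        print(f"{attr:32} {PAGE_PSO[attr]:>18}  ({from_i8(PAGE_PSO[attr])})")
    print("problems:", validate_pso(PAGE_PSO) or "none")
```

Run it before you paste numbers into ADSI Edit; a dropped minus sign shows up as a "did you forget the leading '-'?" line instead of an unhelpful constraint-violation dialog.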


Go ahead and hit "OK" and then close out of all open windows.  Now that you have created a password policy, we need to apply it to a user/group.  In order to do so, you must have "write" permissions on the PSO object (by default only Domain Admins can create and edit objects in the Password Settings Container).  We're doing this in a lab, so I'm Domain Admin.  Write permissions are not a problem :)

  1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active Directory Users and Computers).
  2. On the View menu, ensure that Advanced Features is checked.
  3. In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password Settings Container
  4. In the details pane, right-click the PSO, and then click Properties.
  5. Click the Attribute Editor tab.
  6. Select the msDS-PsoAppliesTo attribute, and then click Edit.


If you do not see msDS-PsoAppliesTo attribute in the Attributes list, click Filter, and then click Show attributes/Optional. Also, clear the Show only attributes that have values check box.

7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK.

To obtain the full distinguished name of a user or a global security group, in the details pane, right-click the user or the global security group, and then click Properties. On the Attribute Editor tab, view the value of the Distinguished Name attribute in the Attributes list.


Voila!  Hit "OK" a couple of times, and your users/groups now have a custom password policy assigned to them.  To confirm which policy actually won for a given user, open that user's Properties, go to the Attribute Editor tab, include Constructed attributes in the filter, and read msDS-ResultantPSO: it names the effective PSO, and is empty when the Default Domain Policy still applies.  No longer do you have to have separate domains for your developers and standard users.  Good times :)
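If you would rather not click through ADSI Edit and the Attribute Editor (or need to repeat this in several labs), the same PSO can be created and linked with ldifde, which takes the raw I8 values. The Python script below is an added example, not from the original post or any of the tools mentioned: it writes the LDIF that creates the PSO built above and links it in one import, the LDIF modify that adds msDS-PSOAppliesTo entries to an existing PSO (the equivalent of the Attribute Editor steps), and a small function showing which PSO wins when several apply, the rule behind msDS-PasswordSettingsPrecedence. The group DN CN=Developers,CN=Users,DC=yourdomain,DC=com is made up for the example.

```python
from datetime import timedelta

# Assumed names for the example; only the container path and the PSO name come from the walkthrough.
DOMAIN = "DC=yourdomain,DC=com"
PSO_DN = f"CN=SeansPasswordSettings,CN=Password Settings Container,CN=System,{DOMAIN}"
DEV_GROUP_DN = f"CN=Developers,CN=Users,{DOMAIN}"   # hypothetical global security group


def to_i8(days=0, hours=0, minutes=0, seconds=0) -> int:
    """Negative 100-ns tick count, the I8 form ldifde requires for the four time attributes."""
    total = timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)
    return -int(total.total_seconds()) * 10_000_000


# The settings this walkthrough enters through ADSI Edit, as ldifde attribute values.
PSO_SETTINGS = {
    "msDS-PasswordSettingsPrecedence": 10,
    "msDS-PasswordReversibleEncryptionEnabled": "FALSE",
    "msDS-PasswordHistoryLength": 15,
    "msDS-PasswordComplexityEnabled": "TRUE",
    "msDS-MinimumPasswordLength": 12,
    "msDS-MinimumPasswordAge": to_i8(days=1),
    "msDS-MaximumPasswordAge": to_i8(days=42),
    "msDS-LockoutThreshold": 0,
    "msDS-LockoutObservationWindow": to_i8(minutes=30),
    "msDS-LockoutDuration": to_i8(minutes=30),
}


def create_pso_ldif(pso_dn: str, settings: dict, applies_to: list) -> str:
    """LDIF that creates the PSO and links it to users/groups in a single import."""
    lines = [f"dn: {pso_dn}", "changetype: add", "objectClass: msDS-PasswordSettings"]
    lines += [f"{attr}: {value}" for attr, value in settings.items()]
    lines += [f"msDS-PSOAppliesTo: {dn}" for dn in applies_to]
    return "\n".join(lines) + "\n"


def link_pso_ldif(pso_dn: str, applies_to: list) -> str:
    """LDIF that adds targets to an existing PSO's msDS-PSOAppliesTo (keeps existing links)."""
    lines = [f"dn: {pso_dn}", "changetype: modify", "add: msDS-PSOAppliesTo"]
    lines += [f"msDS-PSOAppliesTo: {dn}" for dn in applies_to]
    lines.append("-")
    return "\n".join(lines) + "\n"


def resultant_pso(linked_to_user: list, linked_via_groups: list):
    """Which PSO a user ends up with (what AD exposes as msDS-ResultantPSO).
    PSOs linked directly to the user beat any linked through group membership, and
    among the candidates the lowest msDS-PasswordSettingsPrecedence wins.  A tie on
    precedence is broken by AD on objectGUID, which is not modelled here.  None means
    no PSO applies and the Default Domain Policy governs the account."""
    candidates = linked_to_user or linked_via_groups
    if not candidates:
        return None
    return min(candidates, key=lambda pso: pso["precedence"])["name"]


if __name__ == "__main__":
    print(create_pso_ldif(PSO_DN, PSO_SETTINGS, [DEV_GROUP_DN]))
    print(link_pso_ldif(PSO_DN, [f"CN=sean,CN=Users,{DOMAIN}"]))
    print(resultant_pso([], [{"name": "SeansPasswordSettings", "precedence": 10},
                            {"name": "AdminPSO", "precedence": 5}]))
```

Save the first output as pso.ldf and import it on a domain controller with ldifde -i -f pso.ldf, running as an account that can write to the Password Settings Container. The resultant_pso function is the rule to keep in mind when a user seems to get the "wrong" policy: a PSO linked straight to the user object wins even if a group PSO has a lower precedence number.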

Comments

  • Can you confirm that the forest functional level can be Windows 2003 but the domain functional level can be Windows 2008? Your TechNet doc does not say.

  • Hi

    If anyone needs PSO manager, you can use Password Policy Manager, which can be found here: http://www.parhelia-tools.com

    here is description:

    Password Policy Manager (PPM) tool is a simple tool that allows you to create new Password Security Object (PSO) and apply it to selected objects (users or groups). You can also use this tool to search, modify or delete any existing PSO. This applies only to Windows 2008 domains.

    Regards

  • I need to set incremental threshold for auto unlock as under:

      1. First auto unlock – 30 minutes

      2. Second auto unlock – 90 minutes

      3. Third attempt – permanently locked

    Thanks in advance

  • The Active Directory 2008 Training Kit from Microsoft mentioned a utility from SpecOps that is free.  It offers an easy to use interface to view all of your password polices.

  • If a user tries to enter a password that is one of the previously remembered ones (thanks to enforce password history GPO), a message box states that it does not meet complexity requirements.  This is vague and does not tell the user exactly WHY the new password they are trying to change is not working.  Is there any place to customize the dialog box message that the system comes back with when a password change fails?

  • Hi, a minor correction...  The domain default values of -18,000,000,000 in step 8 would be 30 minutes, not 6 minutes.

    Thanks for the great article!

  • Hi, thanks for this nice article. We don't have to use third-party tools any more. Moreover, I just wanted to know: for instance, if a user's password is about to expire and the admin wants to notify him that he needs to update the password, what should be done in that case? Can you please provide a little more information on this.

    There are third-party tools that provide this facility.

    Please update on whether this is possible or not.

    Thanks, and again cheers for such a nice and beautiful post.
