Back in March, I wrote about one of the important new features in Windows Server 2008, the Fine-grained password policy (also a great post for learning more about passwords in general).  In any case, there has been an increase in available documentation and tools relating to FGPP (I don't know if that's a real acronym, I just wanted to save myself some typing ;)

Some Microsoft MVPs have also created some nice GUI tools to configure Fine Grained Password Policies:

As I am busy procrastinating (and avoiding work on a presentation I need to give on Monday), I thought I would walk through the official Microsoft way of creating the password policies.  In case you have installed the Release Candidate of Windows Server 2008 and plan on following along, you will want to make sure that you are running at the 2008 functional level, and that you have the Active Directory Domain Services role loaded.

Let's go...

  1. Start --> Run --> gpmc.msc
  2. Expand Forest: yourforest.com.
  3. Expand Domains\yourdomain.com.
  4. Right Click Default Domain Policy and Click Edit.
  5. Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

Here you can see your default domain-wide password policy.


Now let's create a custom password policy that can be assigned directly to a user or group.  We're going to be using adsiedit, so prepare to roll your sleeves up!  Close out of all open windows, and:

1. Start --> Run --> adsiedit.msc

2. Right-click ADSI Edit and click Connect to.

3. Hit OK in the Connection Settings dialog (the defaults connect you to the Default naming context of your domain).

4. Expand Default naming context\DC=yourdomain,DC=com\CN=System\CN=Password Settings Container.

5. Right-click Password Settings Container and click New > Object.

6. Select msDS-PasswordSettings and click Next.

7. Value: SeansPasswordSettings (or whatever you want to name your Password Settings Object (PSO)), click Next.

The next set of options is EXTREMELY cryptic.  I will put a brief explanation next to each, but if you are doing this in real life, you will want to consult the settings reference on step 1 of the Step-by-Step Guide.

8. Under msDS-PasswordSettingsPrecedence set the value to 10, click Next. (This value must be a number larger than zero.  If multiple PSOs apply to the same user, the PSO with the lowest precedence value wins.)

9. Fill in the following attributes for password settings:

· msDS-PasswordReversibleEncryptionEnabled (self explanatory)
Value = False

· msDS-PasswordHistoryLength (Also self explanatory... you can keep up to 1024)
Value = 15
(domain default: 24)

· msDS-PasswordComplexityEnabled (Upper, lower, number, blah blah blah)
Value = True

· msDS-MinimumPasswordLength (If only everyone were using pass-phrases instead of passwords)
Value = 12
(domain default: 7 chars)

Now we get into crazy land. msDS-MinimumPasswordAge, msDS-MaximumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration must all be entered in I8 format.

To quote from TechNet:

When you use ADSI Edit to create Password Settings objects (PSOs), enter the values of the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) in d:hh:mm:ss format.

When you use the ldifde command to create PSOs, you must enter the values of these attributes in I8 format, which stores time in the intervals of -100 nanoseconds. (Schema: attributeSyntax = 2.5.5.16 (I8).) Windows Server 2003 Default Domain Policy employs this exact time unit for its corresponding time-related attributes. To set these attributes to appropriate values, convert time values in minutes, hours, or days to time values in the intervals of 100 nanoseconds, and then precede the resultant values with a negative sign.

You can use the following conversion guide and multiplication factors to obtain the corresponding I8 values.

    Time unit    Multiplication factor
    m minutes    -60*(10^7) = -600000000
    h hours      -60*60*(10^7) = -36000000000
    d days       -24*60*60*(10^7) = -864000000000

For example, if you want to set the msDS-MaximumPasswordAge to 10 days, multiply 10 by -864000000000 and apply the resulting I8 value to the msDS-MaximumPasswordAge attribute (in this example, -8640000000000). If you want to set msDS-LockoutDuration to 30 minutes, multiply 30 by -600000000 to get the corresponding I8 value (in this example, -18000000000).

· msDS-MinimumPasswordAge
Value = -864000000000 (Nine zeroes)
(domain default: 1 day = -864000000000)

· msDS-MaximumPasswordAge
Value = -36288000000000 (Nine zeroes)
(domain default: 42 days = -36288000000000)

10. Fill in the following attributes for account lockout settings:

· msDS-LockoutThreshold
Value = 0
(domain default: 0 = don't lock out accounts after invalid passwords)

· msDS-LockoutObservationWindow
Value = -18000000000 (Nine zeroes)
(domain default: 6 min = -18000000000)

· msDS-LockoutDuration
Value = -18000000000 (Nine zeroes)
(domain default: 6 min = -18000000000)

11. Click Finish.

If you get an error message about improper values, you probably forgot to add a "-" before some of the numbers listed above.  Don't feel bad if you did, I manage to do it every time I run through this :)  If you did everything right, it should look something like this:
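As an added example (not code from the original post or from Microsoft), the following Python converts between d:hh:mm:ss durations and the negative I8 values the four time-related attributes need, and checks a PSO attribute set for the mistakes described above (a missing "-", a zero precedence, an out-of-range history length) plus a minimum password age longer than the maximum. The attribute names are the page's own; to_i8, from_i8, check_pso and SEANS_PSO are this example's, and running the page's I8 values back through from_i8 is a quick way to confirm what duration each one actually encodes.

```python
# Added example, not from the original post: convert the four time-related PSO
# attributes between d:hh:mm:ss and I8, and sanity-check a PSO before committing.
TICKS_PER_SECOND = 10**7          # one I8 tick is 100 nanoseconds
SECONDS_PER_DAY = 24 * 60 * 60

def to_i8(days=0, hours=0, minutes=0, seconds=0):
    """Duration -> negative I8 value (the leading '-' is mandatory)."""
    total = days * SECONDS_PER_DAY + hours * 3600 + minutes * 60 + seconds
    return -total * TICKS_PER_SECOND

def from_i8(value):
    """Negative I8 value -> 'd:hh:mm:ss' string, as the TechNet note describes."""
    if value > 0:
        raise ValueError("I8 durations must carry a leading '-'")
    total, rem = divmod(-value, TICKS_PER_SECOND)
    if rem:
        raise ValueError("value is not a whole number of seconds")
    days, total = divmod(total, SECONDS_PER_DAY)
    hours, total = divmod(total, 3600)
    minutes, seconds = divmod(total, 60)
    return f"{days}:{hours:02d}:{minutes:02d}:{seconds:02d}"

TIME_ATTRS = ("msDS-MinimumPasswordAge", "msDS-MaximumPasswordAge",
              "msDS-LockoutObservationWindow", "msDS-LockoutDuration")

def check_pso(attrs):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    if attrs.get("msDS-PasswordSettingsPrecedence", 0) < 1:
        problems.append("msDS-PasswordSettingsPrecedence must be greater than zero")
    if not 0 <= attrs.get("msDS-PasswordHistoryLength", 0) <= 1024:
        problems.append("msDS-PasswordHistoryLength must be between 0 and 1024")
    for name in TIME_ATTRS:
        if attrs.get(name, 0) > 0:          # the classic mistake: forgot the '-'
            problems.append(f"{name} is positive; I8 durations are negative")
    # In I8 a longer duration is a more negative number, so min < max numerically means min age is longer.
    if not problems and attrs.get("msDS-MinimumPasswordAge", 0) < attrs.get("msDS-MaximumPasswordAge", 0):
        problems.append("minimum password age is longer than maximum password age")
    return problems

SEANS_PSO = {  # the PSO built in the post, as an attribute set (values from the page)
    "msDS-PasswordSettingsPrecedence": 10,
    "msDS-PasswordHistoryLength": 15,
    "msDS-MinimumPasswordLength": 12,
    "msDS-MinimumPasswordAge": to_i8(days=1),            # -864000000000
    "msDS-MaximumPasswordAge": to_i8(days=42),           # -36288000000000
    "msDS-LockoutThreshold": 0,
    "msDS-LockoutObservationWindow": to_i8(minutes=30),  # -18000000000
    "msDS-LockoutDuration": to_i8(minutes=30),
}
```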


Go ahead and hit "OK" and then close out of all open windows.  Now that you have created a password policy, we need to apply it to a user/group.  In order to do so, you must have "write" permissions on the PSO object.  We're doing this in a lab, so I'm Domain Admin.  Write permissions are not a problem :)

  1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active Directory Users and Computers).
  2. On the View menu, ensure that Advanced Features is checked.
  3. In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password Settings Container
  4. In the details pane, right-click the PSO, and then click Properties.
  5. Click the Attribute Editor tab.
  6. Select the msDS-PsoAppliesTo attribute, and then click Edit.


If you do not see msDS-PsoAppliesTo attribute in the Attributes list, click Filter, and then click Show attributes/Optional. Also, clear the Show only attributes that have values check box.

7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK.

To obtain the full distinguished name of a user or a global security group, in the details pane, right-click the user or the global security group, and then click Properties. On the Attribute Editor tab, view the value of the Distinguished Name attribute in the Attributes list.


Voila!  Hit "OK" a couple of times, and your users/groups now have a custom password policy assigned to them.  No longer do you have to have separate domains for your developers and standard users.  Good times :)