
Active Directory allows multiple password policies to be created in the same domain. This is referred to as fine-grained password policy. This video looks at how to use multiple password policies, applying them to users and groups, and how to use shadow groups to apply a password policy to an organizational unit.
PDF handout
http://ITFreeTraining.com/handouts/70...
Before Fine Grained Passwords
Previously, if an administrator wanted to have separate password policies they would need to create separate domains. For example, if they had a secure domain and they wanted the users in the secure domain to have a longer password, a separate domain would need to be created. This is no longer required as multiple password policies can be created and used in the same domain.
Fine-Grained Passwords
In order to use fine-grained passwords, your domain needs to be at the Windows Server 2008 Domain Functional Level or higher. This essentially means that all Domain Controllers in your domain need to be Windows Server 2008 or higher and the domain functional level raised to at least Windows Server 2008. Additional password policies are applied to users or groups, not OUs.
Password Settings Object (PSO)
A Password Settings Object or PSO contains all the same password settings that exist in the Default Domain Policy. In order to change settings and apply them to users and groups, you need to create a new PSO with the same settings as the Default Domain Policy except for the settings you want to change. You cannot choose to change a single setting, all settings must be configured.
When multiple PSO's are used
Each PSO object has a setting called Password Settings Precedence. This value determines which PSO will be used when multiple PSO objects are being applied. The PSO with the lowest value will be used, with the lowest possible value being 1. If there are multiple PSOs with the same Password Settings Precedence value, then the PSO with the lowest GUID will be used. Every object in Active Directory has a unique GUID which acts like a serial number for the object, thus one PSO will always have a lower GUID.
Demonstration
To change the domain functional level or see what level your domain is currently at, open Active Directory users and Computers, right click the domain and select the option raise domain functional level.
In order to create a new PSO object, you need to run ADSI Edit from Administrative Tools under the Start menu. Once open, right click ADSI Edit and select the "Connect to" option to connect to your domain.
Once connected, you need to expand through your domain to "CN=Password Settings Container" located under "CN=System". To create a new PSO, right click "CN=Password Settings Container" and select new object.
It is a simple matter to complete the questions in the wizard.
Questions that are in the new PSO wizard
Common-Name: This is a friendly name to identify the PSO.
Password Settings Precedence: Must be 1 or greater. When multiple PSO's are applied to the same user or group, the PSO with the lowest Password Settings Precedence value will be used.
Password reversible encryption status for user account: This indicates whether the password will be stored using a method so the password can be retrieved later on. Values for this are false or true.
Password History Length for user accounts: This indicates how many previous passwords Active Directory should remember and thus prevent the user from using. If the value is 0, no password history will be saved.
Password complexity status for user account: Indicates if a password needs to meet complex password requirements. This means it must contain characters from at least three of the following four classes: A-Z, a-z, 0-9 or non-alphanumeric. Values are true or false.
Minimum Password Length for user accounts: This value indicates the minimum number of characters a password must contain. Valid settings are 0 to 255.
Minimum Password Age for user accounts: This indicates how long the password will need to be used before it can be changed. To disable the setting use the value (none). Otherwise use the format DD:HH:MM:SS. For example 1 day, 3 hours, 5 minutes and 20 seconds would be 1:03:05:20
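The same PSO built as a PowerShell script rather than through the ADSI Edit wizard, added here as an example and not taken from the video or from ITFreeTraining. It assumes the ActiveDirectory module (RSAT) is available; the PSO name, OU path and shadow-group name are placeholders, and it also covers the shadow-group sync the video mentions for applying a PSO to an OU.

```powershell
# Added example (not from the video): creates a PSO with every setting the
# wizard asks for, applies it to a shadow group, keeps that group in sync
# with an OU, and shows which PSO wins for each user. Placeholder names.
Import-Module ActiveDirectory

$psoName     = 'SecureUsers-PSO'                  # placeholder PSO name
$ouPath      = 'OU=Secure,DC=example,DC=com'      # placeholder OU
$shadowGroup = 'Secure-OU-Shadow'                 # placeholder group

# 1. Create the PSO. All settings must be supplied, as the text notes;
#    precedence 10 leaves room for more specific PSOs with lower values.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -MinPasswordLength 14 `
        -MinPasswordAge (New-TimeSpan -Days 1 -Hours 3 -Minutes 5 -Seconds 20) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30)
}

# 2. Create the shadow group if needed and link it to the PSO (PSOs apply
#    to users and global security groups, never to OUs directly).
if (-not (Get-ADGroup -Filter "Name -eq '$shadowGroup'")) {
    New-ADGroup -Name $shadowGroup -GroupScope Global -GroupCategory Security -Path $ouPath
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $shadowGroup

# 3. Sync the shadow group with the OU: add users now in the OU, remove
#    users that have been moved out. Run this on a schedule.
$ouUsers = Get-ADUser -Filter * -SearchBase $ouPath -SearchScope OneLevel |
           Select-Object -ExpandProperty DistinguishedName
$members = Get-ADGroupMember -Identity $shadowGroup |
           Where-Object objectClass -eq 'user' |
           Select-Object -ExpandProperty DistinguishedName
$toAdd    = @($ouUsers | Where-Object { $_ -notin $members })
$toRemove = @($members | Where-Object { $_ -notin $ouUsers })
if ($toAdd)    { Add-ADGroupMember    -Identity $shadowGroup -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $shadowGroup -Members $toRemove -Confirm:$false }

# 4. Verify which PSO actually applies to each user (lowest precedence wins).
Get-ADUser -Filter * -SearchBase $ouPath -SearchScope OneLevel | ForEach-Object {
    [pscustomobject]@{ User = $_.SamAccountName
                       PSO  = (Get-ADUserResultantPasswordPolicy -Identity $_).Name }
}
```

Step 4 is the check to run after any change: if a user shows a different PSO than expected, another PSO with a lower precedence value (or the same value and a lower GUID) is winning.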
Description too long for YouTube.
Please see http://itfreetraining.com/70-640/fine... for the rest of the description.
See http://YouTube.com/ITFreeTraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.
MCITP 70-640: Fine Grained Password Policy (published on 7 Apr 2013)