Deploying Fine Grained Password Policies (PSOs)
In this lecture, I am going to be showing you how to create a PSO or Password Settings Object. The purpose is to allow you to set a password policy on a per-user or per security user group basis.Open Server Manager > Tools > Active Directory Users and Computers. Expand instructorpaul.com domain and instructorpaul OU. Right-click on Domain Groups and choose New > Group from the context menu.
We are naming this group to something that gives us an indication that is related to a password policy setting. We are naming it 7 Day Password Age for our exercise. It is a Global Group and a Security Group. Click OK to create it.
Double click the group we just created and add the user paul.hill as a member.
Click the Members tab and click the Add button.
Search for paul.hill and click the Check Names button to resolve the name and click OK.
Click the Apply and OK buttons.
Essentially what we have done is create a new group and add a user to it. The Security Group has a name that’s useful for letting us know that the password age is only 7 days, but it really doesn’t do anything to that effect.
So the way we create a PSO is NOT inside Active Directory and is NOT inside Group Policy. The way you do this is with the ADSI Edit.Open Server Manager > Tools > ADSI Edit. Under ADSI Edit right-click ADSI Edit and choose Connect to...
Under the Connections Settings window leave all the options as default and click on OK.
Click to expand Default naming context > DC=instructorpaul,DC=com > CN=System
Under System, we are looking for CN=Password Settings Container. Right-click on the right empty pane and choose from the context menu New > Object…
A Create Object window will pop up. The only class that we have is a MsDS-PasswordSettings that is selected. This is the PSO Object we are looking for. Click Next to continue.
Now we need to create a name for the PSO. Type 7DayPasswordAge in the value section and click on the Next button.
For the Password Precedence Settings value type the number 1. Click Next to continue.
TIP: The PSO with the lowest number value, the one closest to 1, will take precedence over other PSOs.
Just like with the Group Policy Objects we see if we want to use Reversible Encryption and we will type the word FALSE in uppercase and click Next.
For Password History, we type the number 24 and click Next.
For Password Complexity, we are going to type TRUE in uppercase and click Next.
In the Minimum Password Length for user accounts, we type 14 and click Next.
Now we have the Minimum Password Age for user accounts we type 00:00:00:00. This is the format that represents seconds, minutes, hours, and days. Click Next.
In the Maximum Password Age for user accounts, we type 07:00:00:00. That represents 7 days. Click Next to continue.
The Lockout threshold for lockout of user accounts represents how many times a user can type in a bad password before their account gets locked out. Type 3 and click Next.
The Observation Window for lockout of user accounts is going to be 15 minutes. We are typing it in the format 00:00:15:00 and click Next.
In the Lockout duration for locked-out user accounts, we type it in the format 00:00:15:00 and we click Next.
Sign up to access the rest of this lesson
You must either log in or sign up to access this lesson.