Implementing Multiple Password Policies per Domain

Another Windows Server 2008 addition to AD DS is the ability to implement granular password policies across a single domain. Previously, this was only an option with thirdparty password change utilities installed on the domain controllers in a forest. With Windows Server 2008 or Windows Server 2008 R2, administrators can define which users have more complex password policies, and which will be able to use more lenient policies.

There are a few key points to this technology that must be understood before implementing it. These points are listed as follows:

. Domain mode must be set to Windows Server 2008 or Windows Server 2008 R2 level, which means that all DCs in the domain must be running Windows Server 2008 R2 or RTM.

. Fine-grained password policies always win over a domain password policy.

. Password policies can be applied to groups, but they must be global security groups.

. Fine-grained password policies applied to a user always win over settings applied to a group.

. The Password Settings Objects (PSOs) are stored in the Password Settings Container in AD (that is, CN=Password Settings Container,CN=System,DC=companyabc,DC=com).

. Only one set of password policies can apply to a user. If multiple password policies
are applied, the policy with the lower number precedence wins.

To create a custom password policy for a specific user, a Password Settings Object (PSO) must be created using the ADSIEdit tool, which is used for low-level changes to AD DS or AD LDS directory objects and attributes.

The version of ADSIEdit included with Windows Server 2008 RTM/R2 provides for a crude wizard that allows for PSOs to be created. The wizard automates the creation of a PSO, and allows for specific attributes to be set on the PSO that are related to password policies. All attributes in this table must be entered in the proper format for a PSO to be created. Note that only the final attribute in this list msDS-PSOAppliesTo is not prompted by the wizard, and must be entered in manually.

To create a new PSO, open ADSIEdit from the Administrative Tools menu and point it to the fully qualified domain name (FQDN) of the domain where the PSO will be created.
After ADSIEdit has been invoked, perform the following steps to create a PSO:

1. Under the container for the domain, navigate to CN=System, CN=Password Settings Container.

2. Right-click on the CN=Password Settings Container, and choose New, Object.

3. Select msDS-PasswordSettings, and click Next to continue.

4. From the Create Object dialog box, enter in the attributes.

5. When on the final screen of the wizard, click the More Attributes button.

6. Click the Select a Property to View drop-down list arrow, and then select msDSPSOAppliesTo.

7. In the Edit Attribute field, enter the DN of the group or user to which the PSO will apply. Be sure to click the Add button, or the setting will not be applied. The value should be displayed.

8. Click OK and then click Finish.

After creation, the PSO policy will appear in the details pane. Any of the attributes can be subsequently modified using ADSIEdit by rightclicking the individual PSO and choosing Properties. This includes changing the scope of which users the policy applies to.

Source of Information : Sams - Windows Server 2008 R2 Unleashed