3. Click to expand Computer Configuration, Policies, Windows Settings, Security Settings, and Local Policies, and then click User Rights Assignment. Browse the list of policies and double-click any that look interesting or that aren't self-explanatory. Click the Explain tab and read the detailed description. Suggested policies to view in detail include Add workstations to domain, Back up files and directories, Bypass traverse checking, Deny log on locally, Load and unload device drivers, and Take ownership of files or other objects.
4. Browse the Security Options node in a similar manner. Suggested policies to view in detail include Accounts: Administrator account status, Accounts: Rename administrator account, Accounts: Limit local account use of blank passwords to console logon only, Audit: Force audit policy subcategory settings, Devices: Prevent users from installing printer drivers, Interactive logon: Do not display last user name, Interactive logon: Message text for users attempting to log on, Interactive logon: Prompt user to change password before expiration, Network access: Shares that can be accessed anonymously, Network security: Force logoff when logon hours expire, Shutdown: Clear virtual memory pagefile, User Account Control: Behavior of the elevation prompt for standard users, and User Account Control: Run all administrators in Admin Approval Mode.
5. Close all open windows, and stay logged on for the next activity.
Fine-Grained Password Policies

Account policies set with Group Policy apply to all users in the domain, and GPOs containing account policy settings are useful only when linked to the domain. This lack of flexibility in account policies, particularly password policies, has always been considered a weakness of Group Policy. Windows Server 2008 provides a solution called fine-grained password policies, although this method takes more effort than simply using the Group Policy Management Editor. Fine-grained password policies can be defined only on Windows Server 2008 domain controllers, and the domain functional level must be Windows Server 2008. These policies can define all the settings in the Password Policy and Account Lockout Policy nodes but do not include settings for the Kerberos Policy node.

Fine-grained password policies are created by defining a Password Settings Object (PSO) in the Password Settings Container (PSC). In Active Directory Users and Computers, the PSC is in the System folder and contains no PSOs by default. After the PSO is defined with the appropriate settings, it can be linked to one or more users or global groups in the same domain as the PSO. (PSOs can't be linked to OUs.) Two tools are available to create a PSO: ADSI Edit and LDIFDE. This section discusses using ADSI Edit. The general steps for creating a fine-grained password policy with ADSI Edit are as follows:
1. Open ADSI Edit.
2. Create a new object of type msDS-PasswordSettings in the PSC.
3. Fill in all the required values for your new PSO.
4. Link the PSO to users and/or global groups.

Before Windows Server 2008 and the capability to create fine-grained password policies, the only way an organization could impose more stringent (or less stringent) password policies on certain users in a domain was to create another domain and move the users there. With fine-grained password policies, an administrator can create baseline password and account lockout policies for the domain, and then create one or more PSOs for groups of users who should have different policies. For example, you might have three categories of users in an organization: the typical user who requires a moderately strong password policy, the part-time user who has little access to the network and needs a less stringent policy, and the secure user who has access to sensitive data and needs a very strong policy. The typical user's policy can come from group policies, and the other two user categories can have PSOs defined and linked to global groups containing these users as members.
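The four steps above (create an msDS-PasswordSettings object in the PSC, fill in its required values, link it to global groups), applied to the three-category design just described, can also be carried out with LDIFDE, the second tool the text names. The following PowerShell script is an added example, not part of the original text: it writes one PSO for the secure users and one for the part-time users to an LDIF file and imports it. The domain name DC=example,DC=com, the group names SecureUsers and PartTimeUsers, the policy values, and the helper functions ConvertTo-PsoInterval and New-PsoLdifEntry are all placeholders or the example's own; the ldifde switches -i, -f and -k are real.

```powershell
# Added example (not from the textbook): builds PSOs for the two non-default user
# categories (secure users, part-time users) as an LDIF file and imports it with
# LDIFDE. Domain, group names and policy values are placeholders; the typical user
# keeps the domain's Group Policy settings and needs no PSO.

# Duration attributes on msDS-PasswordSettings are stored as negative 64-bit integers
# counting 100-nanosecond intervals (the same I8 format ADSI Edit expects).
function ConvertTo-PsoInterval {
    param([Parameter(Mandatory)][TimeSpan]$Span)
    return [string](-1 * $Span.Ticks)    # 1 tick = 100 ns; negative marks a duration
}

# Returns the LDIF lines for one msDS-PasswordSettings object linked to one DN.
function New-PsoLdifEntry {
    param(
        [Parameter(Mandatory)][string]$DomainDn,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Precedence,        # lower value wins if several PSOs apply
        [Parameter(Mandatory)][int]$MinLength,
        [Parameter(Mandatory)][int]$HistoryLength,
        [Parameter(Mandatory)][bool]$Complexity,
        [Parameter(Mandatory)][TimeSpan]$MaxAge,
        [Parameter(Mandatory)][int]$LockoutThreshold,  # 0 disables account lockout
        [Parameter(Mandatory)][TimeSpan]$LockoutWindow,
        [Parameter(Mandatory)][string]$AppliesToDn     # user or global group in the same domain
    )
    $complexityText = if ($Complexity) { "TRUE" } else { "FALSE" }
    @(
        "dn: CN=$Name,CN=Password Settings Container,CN=System,$DomainDn",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        "cn: $Name",
        "msDS-PasswordSettingsPrecedence: $Precedence",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        "msDS-PasswordHistoryLength: $HistoryLength",
        "msDS-PasswordComplexityEnabled: $complexityText",
        "msDS-MinimumPasswordLength: $MinLength",
        "msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval ([TimeSpan]::FromDays(1)))",
        "msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval $MaxAge)",
        "msDS-LockoutThreshold: $LockoutThreshold",
        "msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval $LockoutWindow)",
        "msDS-LockoutDuration: $(ConvertTo-PsoInterval $LockoutWindow)",
        "msDS-PSOAppliesTo: $AppliesToDn",
        ""                                   # blank line separates LDIF entries
    )
}

$domainDn = "DC=example,DC=com"              # placeholder domain

# Secure users: very strong policy, highest priority (precedence 10).
$secure = New-PsoLdifEntry -DomainDn $domainDn -Name "PSO-SecureUsers" -Precedence 10 `
    -MinLength 14 -HistoryLength 24 -Complexity $true -MaxAge ([TimeSpan]::FromDays(30)) `
    -LockoutThreshold 5 -LockoutWindow ([TimeSpan]::FromMinutes(30)) `
    -AppliesToDn "CN=SecureUsers,OU=Groups,$domainDn"

# Part-time users: less stringent policy, lower priority (precedence 20).
$partTime = New-PsoLdifEntry -DomainDn $domainDn -Name "PSO-PartTimeUsers" -Precedence 20 `
    -MinLength 8 -HistoryLength 5 -Complexity $false -MaxAge ([TimeSpan]::FromDays(180)) `
    -LockoutThreshold 10 -LockoutWindow ([TimeSpan]::FromMinutes(15)) `
    -AppliesToDn "CN=PartTimeUsers,OU=Groups,$domainDn"

$ldifPath = Join-Path $env:TEMP "fine-grained-psos.ldf"
Set-Content -Path $ldifPath -Value ($secure + $partTime) -Encoding ASCII

# Import on a Windows Server 2008 domain controller while logged on as a Domain Admin.
# -i import mode, -f input file, -k continue past "object already exists" errors.
ldifde -i -f $ldifPath -k
```

Run the script on a domain controller as a member of Domain Admins (PSOs live under CN=System, which ordinary administrators cannot write to). Because a user can be a member of both groups, the precedence value decides which PSO wins; here the secure users' PSO (10) always takes priority over the part-time PSO (20). After the import, you can confirm which policy a given account actually receives by opening that user in ADSI Edit and reading the constructed msDS-ResultantPSO attribute.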