Activity 7-17: Creating a Fine-Grained Password Policy
Time Required: 20 minutes
Objective: Create a fine-grained password policy linked to a group.
Description: You have a group of users in the Sales Department who would benefit from a less stringent password policy than what's defined for the domain. You have discovered that Windows Server 2008 has fine-grained password policies that can be applied to a user or group. You create a policy and link it to the group.
1. Log on to your server as Administrator, if necessary.
2. Click Start, point to Administrative Tools, and click ADSI Edit.
3. In the left pane, right-click ADSI Edit and click Connect to. In the Connection Settings dialog box, type w2k8adXX.com in the Name text box, and then click OK. This step is necessary because you're using ADSI Edit for the first time; it won't be necessary the next time you use ADSI Edit.
4. Double-click the domain node. Double-click DC=w2k8adXX, DC=com and then CN=System. Right-click CN=Password Settings Container, point to New, and click Object. Click msDS-PasswordSettings in the Select a class list box, if necessary. This object class creates a PSO. Click Next.
5. In the Value text box for the cn attribute, type Sales-PSO, the name of the PSO, and then click Next.
6. In the Value text box for the msDS-PasswordSettingsPrecedence attribute, type 5. This attribute is used for PSO precedence; if more than one PSO is linked to the same user, the lowest value takes precedence. Click Next.
7. Continue entering values for attributes as shown in the following list, clicking Next after each one:
• msDS-PasswordReversibleEncryptionEnabled: FALSE
• msDS-PasswordHistoryLength: 0
• msDS-PasswordComplexityEnabled: FALSE
• msDS-MinimumPasswordLength: 4
• msDS-MinimumPasswordAge: (None)
• msDS-MaximumPasswordAge: (Never)
• msDS-LockoutThreshold: 0
• msDS-LockoutObservationWindow: (None)
• msDS-LockoutDuration: (None)
8. Click Finish. Close ADSI Edit and open Active Directory Users and Computers.
9. Navigate to System, Password Settings Container. Right-click Sales-PSO and click Properties. Click the Attribute Editor tab.
10. Double-click the msDS-PSOAppliesTo attribute. Click Add Windows Account. Type Sales-G, click Check Names, and then click OK three times.
11. In Active Directory Users and Computers, navigate to and expand the Marketing OU and then click the Advertising OU. Right-click Advertising User3 and click Reset Password. Type pass1 in the New password and Confirm password text boxes, and then click OK. Windows doesn't allow that password because it doesn't meet length or complexity requirements. Advertising User3 is subject to the password policy defined in the Default Domain Policy (minimum length of 7 characters and must meet complexity requirements). Click OK.
12. Click the Sales OU. Right-click Sales Person3 and click Reset Password. Type pass1 in the New password and Confirm password text boxes, and then click OK. The password change is successful because Sales Person3 is now subject to the new PSO you created and linked to the global group Sales-G. Click OK.
13. Close all open windows, and stay logged on for the next activity.
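
A PSO such as Sales-PSO lowers the password requirements for every account it reaches, so it is worth checking which accounts it really governs. The following PowerShell script is an added example, not part of the original activity: it lists each PSO that is weaker than the default domain password policy, expands the groups in msDS-PSOAppliesTo to their user members, and reports whether that PSO is the one in effect for each user. It assumes the ActiveDirectory PowerShell module and PowerShell 3.0 or later (the activity itself uses only ADSI Edit) and an account allowed to read the Password Settings Container.

```powershell
# Added example: audit PSOs that are weaker than the default domain policy.
# Assumption: the ActiveDirectory module is installed (it is not used in the activity).
Import-Module ActiveDirectory

$domain = Get-ADDefaultDomainPasswordPolicy

foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo) {
    # Collect every setting on which this PSO is weaker than the domain policy.
    $weaker = @()
    if ($pso.MinPasswordLength -lt $domain.MinPasswordLength) {
        $weaker += "MinPasswordLength=$($pso.MinPasswordLength)"
    }
    if ($domain.ComplexityEnabled -and -not $pso.ComplexityEnabled) {
        $weaker += 'ComplexityEnabled=False'
    }
    if ($pso.PasswordHistoryCount -lt $domain.PasswordHistoryCount) {
        $weaker += "PasswordHistoryCount=$($pso.PasswordHistoryCount)"
    }
    if ($pso.LockoutThreshold -eq 0 -and $domain.LockoutThreshold -gt 0) {
        $weaker += 'LockoutThreshold=0 (no lockout)'
    }
    if ($pso.ReversibleEncryptionEnabled) {
        $weaker += 'ReversibleEncryptionEnabled=True'
    }
    if (-not $weaker) { continue }   # PSO is at least as strict; skip it

    # Expand msDS-PSOAppliesTo: groups are resolved to their user members.
    $users = foreach ($dn in $pso.AppliesTo) {
        $obj = Get-ADObject -Identity $dn
        if ($obj.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $dn -Recursive |
                Where-Object { $_.objectClass -eq 'user' }
        } else {
            $obj
        }
    }

    foreach ($u in ($users | Sort-Object DistinguishedName -Unique)) {
        # The resultant PSO is the one that wins on precedence for this user.
        $effective = Get-ADUserResultantPasswordPolicy -Identity $u.DistinguishedName
        [pscustomobject]@{
            PSO        = $pso.Name
            Precedence = $pso.Precedence
            Weaker     = $weaker -join '; '
            User       = $u.DistinguishedName
            InEffect   = [bool]($effective -and $effective.Name -eq $pso.Name)
        }
    }
}
```

In the lab domain built in this activity, members of Sales-G should appear with PSO Sales-PSO and InEffect True, and Advertising User3 should not appear at all.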