Creating and Maintaining Active Directory Objects - finegrain password policies
Configure Account Policies
Fine-grain Password Policies
Prior to Windows Server 2008, an Active Directory administrator was only able to configure a single Password Policy and Account Lockout Policy for any Active Directory domain. If you were faced with a subset of users whose password policy requirements were different, you were left with the choice of configuring a separate domain or forcing all users within the domain to conform to a single password policy. Beginning in Windows Server 2008, you can configure Fine-Grained Password Policies, which allow you to define multiple password policies within a single domain.
To enable Fine-Grained Password Policies, Windows Server 2008 introduces a new object type called msds-PasswordSettings, also called a Password Settings Object (PSO). Each PSO has the following mandatory attributes:
- en. The common name for the PSO, such as "ServiceAccountNoLockout."
- msDS-PasswordSettingsPrecedence. In a case where multiple PSOs apply, this attribute of the PSO is used as a tie-breaker to determine which PSO should apply: a PSO with a precedence of 1 will be applied over a PSO with a precedence of 5, a PSO with a precedence of 10 will be applied over a PSO with a precedence of 100, and so on.
- msDS-PasswordReversibleEncryptionEnabled. This attribute indicates whether the PSO allows passwords to be stored in Active Directory using reversible encryption. This setting should only be enabled if a particular application requires it, because it presents a significant security risk.
- msDS-PasswordHistoryLength. This attribute indicates the number of passwords that Active Directory should retain in memory before allowing someone to reuse a previously used password. Setting this attribute to a value of "2," for example, would prevent someone from reusing the previous two passwords that they had configured for their user account. This setting corresponds to the Enforce Password History setting in Group Policy.
- msDS-PasswordComplexityEnabled. This attribute indicates whether the PSO requires a complex password; that is, a password that uses a mixture of uppercase and lowercase letters, numbers, and symbols. The default password policy in Windows Server 2008 requires the use of complex passwords.
- msDS-MinimumPasswordLength. This attribute indicates the minimum length of a password defined by this PSO.
- msDS-MinimumPasswordAge. This attribute is a negative number that indicates the number of milliseconds old a password must be before it can be changed. The default value is -864000000000, which equates to one day.
- msDS-MaximumPasswordLength. As the name indicates, this attribute identifies the maximum length of a password defined by this PSO.
- msDS-MaximumPasswordAge. This attribute is a negative number that indicates in milliseconds when a password will expire. The default value is -36288000000000, or 42 days.
- msDS-LockoutThreshold. This attribute indicates the number of bad login attempts permitted before an account is locked out.
- msDS-LockoutObservationWindow. This attribute is a negative number that indicates the number of milliseconds that must pass before the counter for failed logon attempts should be reset.
- msDS-LockoutDuration. This attribute is a negative number expressed in milliseconds that indicates how long an account will remain locked out. A value of "0" indicates that the account will stay locked out until it is manually unlocked by an administrator