Configure fine-grained password policies and account lockout policies in Windows Server 2008


In a Windows 2000 or Windows 2003 Active Directory domain, a password policy and an account lockout policy can only be applied to all users through the Default Domain Policy. If some special users need a different password and account lockout policy, the only option is to create a new domain, because a single domain can have only one password and account lockout policy.

Windows Server 2008 AD DS adds a new feature called Fine-Grained Password Policy, which allows you to define multiple password policies in one domain and apply them to users or global security groups. Note that it cannot be applied to OUs. To use this feature, we need the ADSIEdit editor to create Password Settings objects (PSOs) in the domain. The specific steps are described below:

First, open the ADSIEdit editor on the Windows Server 2008 domain controller (08DC) and navigate to the location shown below:

Right-click the "CN=Password Settings Container" node, select New, and select the "msDS-PasswordSettings" class in the pop-up window, as shown below:

Enter a name for the new Password Settings object in the next window, as shown below:

In the pop-up window, set a value for the msDS-PasswordSettingsPrecedence attribute. This is the priority setting: if multiple password policies in the domain are linked directly to the same user, the policy with the lowest precedence value is applied, as shown in the following figure:

In the pop-up window, set a Boolean value (FALSE or TRUE) for the msDS-PasswordReversibleEncryptionEnabled attribute. The attribute corresponds to the "Save password with reversible encryption" setting in Group Policy. Set it to FALSE, then click "Next", as shown below:

In the pop-up window, set a value for the msDS-PasswordHistoryLength attribute, which corresponds to the "Force Password History" setting in Group Policy. The available value ranges from 0 to 1024. Click "Next", as shown below:

In the pop-up window, set a Boolean value (FALSE or TRUE) for the msDS-PasswordComplexityEnabled attribute. The attribute corresponds to the "Password must meet the complexity requirements" setting in Group Policy. Set it to TRUE (enabled) here and click "Next", as shown below:

In the pop-up window, set a value for the msDS-MinimumPasswordLength attribute. The available value ranges from 0 to 255, and the attribute corresponds to the "Password Length Minimum" setting in Group Policy. Enter the value in the input box and click "Next", as shown below:

In the pop-up window, set a value for the msDS-MinimumPasswordAge attribute. The attribute corresponds to the minimum password age in Group Policy. The time format is "00:00:00:00"; to set 1 day, enter 1:00:00:00. After setting it, click "Next", as shown below:

In the pop-up window, set a value for the msDS-MaximumPasswordAge attribute, which corresponds to the maximum password age in Group Policy. The time format is the same as above. After setting it, click "Next", as shown below:

In the pop-up window, set a value for the msDS-LockoutThreshold attribute, which corresponds to the account lockout threshold in Group Policy. The available value ranges from 0 to 65535. After setting it, click "Next", as shown below:

In the pop-up window, set a time value for the msDS-LockoutObservationWindow attribute, in the same format as the time values set previously. This attribute corresponds to the "Reset account lock counter" setting in Group Policy. Set it to 30 minutes here and click "Next", as shown in the following figure:

In the pop-up window, set a time value for the msDS-LockoutDuration attribute, in the same format as above. The attribute corresponds to the "Account Lock Time" setting in Group Policy. After setting it, click "Next", as shown below:

Click "Finish" in the completion window, as shown below:

At this point the custom password and account lockout policy has been created. How do we apply it to some accounts? We still need the following simple steps...

Back in ADSIEdit after the above operation, double-click the Password Settings object you created, find the msDS-PSOAppliesTo attribute in the property editing window that opens, and click "Edit", as shown below:

In the pop-up window, select the target object to which this Password Settings object applies. Select the "test" global security group that was created in advance, and after selecting it click "OK", as shown below:

At this step the policy has been applied to the group selected above: the password and account lockout policy created above will apply to every member of the "test" group. To test the result, open ADUC and first test a user who does not belong to the "test" group: right-click the user1 account, select Reset Password, enter 123 and click OK, as shown below:
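The same PSO can be created, linked and verified from PowerShell instead of clicking through ADSIEdit. The script below is an added example and not part of the original article; it assumes the ActiveDirectory PowerShell module is available (Windows Server 2008 R2 or later, or RSAT), that "test" is the global security group and user1 the account used in the article, and that the PSO name, user2 and the numeric values are constructed for illustration. Each parameter is annotated with the msDS-* attribute it writes, so the mapping to the wizard pages above is explicit.

```powershell
# Added example (not from the original article): build the PSO with the
# ActiveDirectory module, link it to a global security group, and check which
# policy a user actually receives. Requires Windows Server 2008 R2+ or RSAT.
Import-Module ActiveDirectory

$psoName   = 'PSO-TestGroup'   # constructed PSO name
$groupName = 'test'            # global security group from the article

# One entry per ADSIEdit wizard page; comments give the attribute each sets.
$psoParams = @{
    Name                        = $psoName
    Precedence                  = 10                              # msDS-PasswordSettingsPrecedence (lowest value wins)
    ReversibleEncryptionEnabled = $false                          # msDS-PasswordReversibleEncryptionEnabled
    PasswordHistoryCount        = 24                              # msDS-PasswordHistoryLength (0-1024)
    ComplexityEnabled           = $true                           # msDS-PasswordComplexityEnabled
    MinPasswordLength           = 12                              # msDS-MinimumPasswordLength (0-255)
    MinPasswordAge              = (New-TimeSpan -Days 1)          # msDS-MinimumPasswordAge, "1:00:00:00" in ADSIEdit
    MaxPasswordAge              = (New-TimeSpan -Days 60)         # msDS-MaximumPasswordAge
    LockoutThreshold            = 5                               # msDS-LockoutThreshold (0-65535; 0 = never lock out)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)      # msDS-LockoutObservationWindow
    LockoutDuration             = (New-TimeSpan -Minutes 30)      # msDS-LockoutDuration (must be >= observation window)
}
New-ADFineGrainedPasswordPolicy @psoParams

# msDS-PSOAppliesTo: a PSO links to users or global security groups, never to an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verification: a member of the group should resolve to the PSO; a non-member
# gets $null, meaning the Default Domain Policy is still in effect for them.
foreach ($user in 'user1', 'user2') {      # user1 from the article; user2 is constructed
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($rsop) {
        '{0}: {1} (precedence {2}, min length {3}, lockout threshold {4})' -f `
            $user, $rsop.Name, $rsop.Precedence, $rsop.MinPasswordLength, $rsop.LockoutThreshold
    } else {
        '{0}: no PSO applies; Default Domain Policy is in effect' -f $user
    }
}
```

Get-ADUserResultantPasswordPolicy is the check worth keeping after any change: it resolves precedence for you, so when several PSOs reach the same user (directly or through different groups) it shows which one wins, rather than leaving you to compare msDS-PasswordSettingsPrecedence values by hand.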
