Active Directory 2008 : Configuring Password and Lockout Policies (part 2) – Fine-Grained Password and Lockout Policy

August 28, 2013

4. Fine-Grained Password and Lockout Policy

You can also override the domain password and lockout policy by using a feature introduced in Windows Server 2008 called fine-grained password and lockout policy, often shortened to simply fine-grained password policy. Fine-grained password policy enables you to configure a policy that applies to one or more groups or users in your domain.

Figure 3. Password-related properties of a user account

Fine-grained password policy is a highly anticipated addition to Active Directory. There are several scenarios for which fine-grained password policy can be used to increase the security of your domain. Accounts used by administrators are delegated privileges to modify objects in Active Directory; therefore, if an intruder compromises an administrator’s account, more damage can be done to the domain than could be done with the account of a standard user. For that reason, you should consider implementing stricter password requirements for administrative accounts. For example, you might require greater password length and more frequent password changes.

To use fine-grained password policy, your domain must be at the Windows Server 2008 domain functional level or higher, which means that all of your domain controllers in the domain are running Windows Server 2008 or later and the domain functional level has been raised to Windows Server 2008 or higher.

To confirm and modify the domain functional level:

  1. Open Active Directory Domains And Trusts.
  2. In the console tree, expand Active Directory Domains And Trusts, and then expand the tree until you can see the domain.
  3. Right-click the domain and choose Raise Domain Functional Level.

Other account types that require special treatment in a domain are those used by services and Internet Information Services (IIS) application pools. A service performs its tasks with credentials that must be authenticated with a user name and password just like those of a human user. However, most services are not capable of changing their own password, so administrators configure service accounts with the Password Never Expires option enabled. When an account’s password will not be changed, you should make sure the password is difficult to compromise. You can use fine-grained password policies to specify an extremely long minimum password length and no password expiration. Better yet, you can use a new feature of Windows Server 2008 R2—managed service accounts—for which passwords are automatically changed.

5. Understanding Password Settings Objects

The settings managed by fine-grained password policy are identical to those in the Password Policy and Accounts Policy nodes of a GPO. However, fine-grained password policies are not implemented as part of Group Policy, nor are they applied as part of a GPO. Instead, a separate class of object in Active Directory maintains the settings for fine-grained password policy: the password settings object (PSO).

6. PSO Precedence and Resultant PSO

A PSO can be linked to more than one group or user, an individual group or user can have more than one PSO linked to it, and a user can belong to multiple groups. So which fine-grained password and lockout policy settings apply to a user? One and only one PSO determines the password and lockout settings for a user—this PSO is called the resultant PSO. Each PSO has an attribute that determines the precedence of the PSO. The precedence value is any number greater than 0, where the number 1 indicates the highest precedence. If multiple PSOs apply to a user, the PSO with the highest precedence (closest to 1) takes effect. Active Directory exposes the resultant PSO in a user object attribute, msDS-ResultantPSO, so you can readily identify the PSO that will affect a user. PSOs contain all password and lockout settings, so there is no inheritance or merging of settings. The resultant PSO is the authoritative PSO. The rules that determine precedence, and thus the resultant PSO, are as follows:

  • If multiple PSOs apply to groups to which the user belongs, the PSO with the highest precedence wins.
  • If one or more PSOs are linked directly to the user, PSOs linked to groups are ignored, regardless of their precedence. The user-linked PSO with highest precedence wins.
  • If one or more PSOs have the same precedence value, Active Directory must make a choice. It picks the PSO with the lowest globally unique identifier (GUID). GUIDs are like serial numbers for Active Directory objects—no two objects have the same GUID. GUIDs have no particular meaning—they are just identifiers—so picking the PSO with the lowest GUID is, in effect, an arbitrary decision. You should configure PSOs with unique, specific precedence values so that you avoid this scenario.

To view the msDS-ResultantPSO attribute of a user:

  1. Ensure that Advanced Features is enabled on the View menu.
  2. Open the properties of the user account.
  3. On the Attribute Editor tab, click Filter and ensure that Constructed is selected.The attribute you locate in the next step is a constructed attribute, meaning that the resultant PSO is not a hard-coded attribute of a user; rather, it is calculated by examining the PSOs linked to a user in real time.
  4. Locate the msDS-ResultantPSO attribute.

7. PSOs and OUs

PSOs can be linked to global security groups or users. PSOs cannot be linked to organizational units (OUs). If you want to apply password and lockout policies to users in an OU, you must create a global security group that includes all of the users in the OU. This type of group is called a shadow group—its membership shadows, or mimics, the membership of an OU.

Shadow groups are conceptual, not technical objects. You simply create a group and add the users that belong to the OU. If you change the membership of the OU, you must also change the membership of the group.

Practice Configuring Password and Lockout Policies

Practice Configuring Password and Lockout Policies

In this practice, you use Group Policy to configure the domain-wide password and lockout policies for contoso.com. You then secure administrative accounts by configuring more restrictive, fine-grained password and lockout policies.

EXERCISE 1 Configure the Domain’s Password and Lockout Policies

In this exercise, you modify the Default Domain Policy GPO to implement a password and lockout policy for users in the contoso.com domain.

  1. Log on to SERVER01 as Administrator.
  2. Open Group Policy Management from the Administrative Tools program group.
  3. Expand Forest, Domains, and contoso.com.
  4. Right-click Default Domain Policy underneath the contoso.com domain and choose Edit.
  5. You might be prompted with a reminder that you are changing the settings of a GPO. If so, click OK.The Group Policy Management Editor appears.
  6. Expand Computer Configuration, Policies, Windows Settings, Security Settings, and Account Policies, and then click Password Policy.
  7. Double-click the following policy settings in the console details pane and configure the settings indicated:
    • Maximum Password Age: 90 Days
    • Minimum Password Length: 10 characters
  8. Select Account Lockout Policy in the console tree.
  9. Double-click the Account Lockout Threshold policy setting and configure it for 5 Invalid Logon Attempts. Then click OK.
  10. In the Suggested Value Changes dialog box, click OK.The values for Account Lockout Duration and Reset Account Lockout Counter After are automatically set to 30 minutes.
  11. Close the Group Policy Management Editor window.

EXERCISE 2 Create a Password Settings Object

In this exercise, you create a PSO that applies a restrictive, fine-grained password policy to users in the Domain Admins group.

Before you proceed with this exercise, open Active Directory Users And Computers and confirm that the Domain Admins group is in the Users container. If it is not, move it to the Users container.

  1. Open ADSI Edit from the Administrative Tools program group.
  2. Right-click ADSI Edit and choose Connect To.
  3. In the Name box, type contoso.com. Click OK.
  4. Click and then expand contoso.com, and then click DC=contoso,DC=com.
  5. Expand DC=contoso,DC=com and click CN=System.
  6. Expand CN=System and click CN=Password Settings Container.All PSOs are created and stored in the Password Settings Container (PSC).
  7. Right-click the PSC, point to New, and then choose Object.The Create Object dialog box prompts you to select the type of object to create. There is only one choice: msDS-PasswordSettings—the technical name for the object class referred to as a PSO.
  8. Click Next.You are prompted for the value for each attribute of a PSO. The attributes are similar to those found in the GPO you examined in Exercise 1.
  9. Configure each attribute as indicated in the following list. Click Next after each attribute.
    • cn: My Domain Admins PSO. This is the friendly name of the PSO.
    • msDS-PasswordSettingsPrecedence: 1. This PSO has the highest possible precedence because its value is the closest to 1.
    • msDS-PasswordReversibleEncryptionEnabled: False. The password is not stored using reversible encryption.
    • msDS-PasswordHistoryLength: 30. The user cannot reuse any of the last 30 passwords.
    • msDS-PasswordComplexityEnabled: True. Password complexity rules are enforced.
    • msDS-MinimumPasswordLength: 15. Passwords must be at least 15 characters long.
    • msDS-MinimumPasswordAge: 1:00:00:00. A user cannot change his or her password within one day of a previous change. The format is d:hh:mm:ss (days, hours, minutes, seconds).
    • MaximumPasswordAge: 45:00:00:00. The password must be changed every 45 days.
    • msDS-LockoutThreshold: 5. Five invalid logons within the time frame specified by msDS-LockoutObservationWindow (the next attribute) will result in account lockout.
    • msDS-LockoutObservationWindow: 0:01:00:00. A given number of invalid logons (specified by the previous attribute) within one hour will result in account lockout.
    • msDS-LockoutDuration: 1:00:00:00. An account, if locked out, will remain locked for one day or until it is unlocked manually. A value of zero will result in the account remaining locked out until an administrator unlocks it.

    The attributes listed are required. After clicking Next on the msDS-LockoutDuration attribute page, you can configure optional attributes.

  10. Click More Attributes.
  11. In the Select A Property To View list, select msDS-PSOAppliesTo.
  12. In the Edit Attributes box, type the following:CN=Domain Admins,CN=Users,DC=contoso,DC=com
  13. Click Add, click OK, and then click Finish.

EXERCISE 3 Identify the Resultant PSO for a User

In this exercise, you identify the PSO that controls the password and lockout policies for an individual user.

  1. Open the Active Directory Users And Computers snap-in.
  2. Click the View menu and make sure that Advanced Features is selected.
  3. Expand the contoso.com domain and click the Users container in the console tree.
  4. Right-click the Administrator account and choose Properties.
  5. On the Attribute Editor tab, click Filter and make sure that Constructed is selected.The attribute you will locate in the next step is a constructed attribute, meaning that the resultant PSO is not a hard-coded attribute of a user; rather, it is calculated by examining the PSOs linked to a user in real time.
  6. In the Attributes list, locate msDS-ResultantPSO.
  7. Identify the PSO that affects the user.

The My Domain Admins PSO that you created in Exercise 2, “Create a Password Settings Object,” is the resultant PSO for the Administrator account.

EXERCISE 4 Delete a PSO

In this exercise, you delete the PSO you created in Exercise 2 so that its settings do not affect you in later exercises.

  1. Repeat steps 1–6 of Exercise 2 to select the Password Settings Container in ADSI Edit.
  2. In the console details pane, select CN=My Domain Admins PSO.
  3. Press Delete.
  4. Click Yes.

Active Directory 2008 : Configuring Password and Lockout Policies (part 1) – Understanding Password Policies , Understanding Account Lockout Policies