Windows Server : Designing Enterprise-Level Group Policy Strategy (part 4) - Implementing Fine-Grained Password Policies

4. Practice: Implementing Fine-Grained Password Policies

To complete this practice, the domain functional level of the contoso.internal domain must be set to Windows Server 2008. If you are unsure how to do this, consult the Windows Server 2008 Help files.

▸ Exercise Create a PSO

In this exercise, you will create a PSO with password policies that are not the same as the default password policies for the contoso.internal domain. You associate this with a global security group called special_password that contains the user Don_Hall. Do not attempt this practice until you have raised the domain functional level of the contoso.internal domain to Windows Server 2008. If you created a PSO while studying the 70-646 training kit, create another one but change some of the settings.

1.	Log on to the Glasgow DC with the Kim_Akers account.
2.	If necessary, create a user account for Don_Hall with a password of P@ssw0rd. Create a global security group called special_password. Make Don_Hall a member of special_password. If you are unsure how to do this, consult the Windows Server 2008 Help files.
3.	In the Run box, type adsiedit.msc.
4.	If this is the first time you have used the ADSI Edit console on your test network, right-click ADSI Edit, and then choose Connect To. Type contoso.internal in the Name box, and then click OK.
5.	Double-click contoso.internal.
6.	Double-click DC=contoso,DC=internal.
7.	Double-click CN=System.
8.	Right-click CN=Password Settings Container. Choose New. Choose Object, as shown in Figure 10. Figure 10. Creating a password settings object
9.	In the Create Object dialog box, ensure that msDS-PasswordSettings is selected. Click Next.
10.	In the Value box for the CN attribute, type PasswdSettings01. Click Next.
11.	In the Value box for the msDS-PasswordSettingsPrecedence attribute, type 10. Click Next.
12.	In the Value box for the msDS-PasswordReversibleEncryptionEnabled attribute, type FALSE. Click Next.
13.	In the Value box for the msDS-PasswordHistoryLength attribute, type 6. Click Next.
14.	In the Value box for the msDS-PasswordComplexityEnabled attribute, type TRUE. Click Next.
15.	In the Value box for the msDS-MinimumPasswordLength attribute, type 6. Click Next.
16.	In the Value box for the msDS-MinimumPasswordAge attribute, type 1:00:00:00. Click Next.
17.	In the Value box for the msDS-MaximumPasswordAge attribute, type 20:00:00:00. Click Next.
18.	In the Value box for the msDS-LockoutThreshold attribute, type 2. Click Next.
19.	In the Value box for the msDS-LockoutObservationWindow attribute, type 0:00:15:00. Click Next.
20.	In the Value box for the msDS-LockoutDuration attribute, type 0:00:15:00. Click Next.
21.	Click Finish.
22.	Open Active Directory Users And Computers, choose View, and then choose Advanced Features.
23.	Expand contoso.internal, expand System, and then select Password Settings Container.
24.	In the details pane, right-click PSO1. Choose Properties.
25.	On the Attribute Editor tab, select msDS-PSOAppliesTo, as shown in Figure 11. Figure 11. Selecting an attribute to edit
26.	Click Edit.
27.	Click Add Windows Account.
28.	Type special_password in the Enter The Object Names To Select box. Click Check Names.
29.	Click OK. The Multi-Valued Distinguished Name With Security Principal Editor dialog box should look similar to Figure 12. Figure 12. Adding the special_password global security group to PSO1
30.	Click OK, and then click OK again to close the PSO1 Properties dialog box.
31.	Test your settings by changing the password for the Don_Hall account to a noncomplex, six-letter password such as simple.