
How to create a Password Setting Object (PSO) within a Domain

In previous Windows Server versions, a single password policy could only be applied to all users in a domain. In Windows Server 2008, fine-grained password policies can be used to define password and lockout settings for specific users and groups, with conflicts resolved according to the priority of the policies. Active Directory Domain Services (AD DS) has two new object classes, Password Settings Objects (PSOs) and Password Settings Containers (PSCs), that store fine-grained policies. To configure fine-grained password policies in AD, you need the Active Directory Users & Computers console and the Active Directory Services Interface Editor (ADSI Edit) tool. This article shows how to create a Password Settings Object (containing a fine-grained password policy) within a domain.

Procedure

Navigate to Start – Run. Type 'adsiedit.msc' in the text box and click OK.


The ADSI Edit tool opens. Select Action – Connect to from the drop-down menu.


The Connection Settings dialog box displays. Click OK to apply the default connection settings options to connect to the relevant domain.


Expand the domain node, then CN=System, and select CN=Password Settings Container.


Note: All PSO objects for the domain are stored in this container.

To create a new PSO and configure the fine-grained password policy, select Action – New – Object.


The ADSI Edit Create Object Wizard opens. The first page requests that you select a class. The only one displayed is msDS-PasswordSettings. Click Next.


For the Common-Name page, enter your preferred policy name. For our example, we choose PasswordPolicyAdmins. Click Next to continue.


On the Password Settings Precedence page, you need to define a value for the precedence attribute according to your requirements. This value is used to resolve conflicts if multiple PSOs apply to a user or group object: the PSO with the lowest precedence value wins. Use a low value for the PSO that defines your strongest password policy. For our example, enter 10 in the Value text box and click Next to continue.


On the Password reversible encryption status for user accounts page, you define whether passwords are stored with reversible encryption. This value can be either True or False. In our example we enter False. Click Next.


Note: False means that you do not want to store the password with reversible encryption.

On the Password History Length for user accounts page, define the number of previous passwords the system should remember. For our case, we choose 15.


Note: The password history length must be between 0 and 24.

For the Password Complexity status for user accounts page, you can enter either True or False. For our case, we type True to force users to choose more complex passwords. Click Next to continue.


For the Minimum Password Length for user accounts page, you can set a value between 1 and 14. For our example, we enter 7.


Note: If you want to allow blank passwords (no minimum length), enter 0.

On the Minimum Password Age page, the value can be from 1 to 998. If you want users to be able to change their password at any time, enter 0. For our example, we choose 15. Click Next.


Note: When specifying time values, write them in the format [Days]:[Hours]:[Minutes]:[Seconds].

On the Maximum Password Age page, you define how old the user password can be before it must be changed. For our example, we type in 42. Click Next.


Note: If you never want the user to be required to change their password, type '-9223372036854775808'.

On the Lockout Threshold page, you specify the number of failed logon attempts after which a user is locked out of their account. We set the number of failed logon attempts to 5.


On the Observation window for lockout page, you specify how long after the last failed attempt the counter for failed user logon attempts is reset. For our example, we enter 30 minutes in the following format: 0:00:30:00.


On the Lockout duration for locked out accounts page, use the same value as on the previous page (30 minutes) to avoid conflict. Click Next.


Select Finish to create the configured PSO object.


The new PSO object now displays in the details pane of the ADSI Edit tool.
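The same PSO can be created and verified from PowerShell with the ActiveDirectory module (available from Windows Server 2008 R2 onwards). This is an added example, not part of the original article: it uses the values chosen in the steps above, assumes the minimum and maximum password ages of 15 and 42 are days, and uses a hypothetical group name PSO-Admins and user name jdoe as placeholders.

```powershell
# Added example: create the PasswordPolicyAdmins PSO with the values from the
# procedure above, link it to a group, and confirm which policy a user gets.
Import-Module ActiveDirectory

# Assumption: the 15/42 entered for the password ages are days; lockout
# window and duration are the 30 minutes used in the article (0:00:30:00).
$psoParams = @{
    Name                            = 'PasswordPolicyAdmins'
    Precedence                      = 10          # lowest value wins when PSOs overlap
    ReversibleEncryptionEnabled     = $false      # never store reversible hashes
    PasswordHistoryCount            = 15          # allowed range 0-24
    ComplexityEnabled               = $true
    MinPasswordLength               = 7
    MinPasswordAge                  = (New-TimeSpan -Days 15)
    MaxPasswordAge                  = (New-TimeSpan -Days 42)
    LockoutThreshold                = 5
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    LockoutDuration                 = (New-TimeSpan -Minutes 30)  # keep equal to the window
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @psoParams

# Apply the PSO. PSOs are linked to users or global security groups;
# 'PSO-Admins' is a placeholder group that must already exist.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PasswordPolicyAdmins' -Subjects 'PSO-Admins'

# Check what was written. The object lands in CN=Password Settings Container,
# CN=System, the same container shown in ADSI Edit.
Get-ADFineGrainedPasswordPolicy -Identity 'PasswordPolicyAdmins' -Properties * |
    Select-Object DistinguishedName, Precedence, MinPasswordLength,
                  PasswordHistoryCount, LockoutThreshold, LockoutDuration

# Resultant policy for a member ('jdoe' is a placeholder). If several PSOs
# apply to the user, the one with the lowest Precedence is returned here.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MaxPasswordAge, LockoutObservationWindow
```

Running Get-ADUserResultantPasswordPolicy for a member of each linked group is the quickest way to confirm that precedence conflicts resolved the way you intended.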
