In earlier Windows Server versions, a single password policy could only be applied to all users in a domain. In Windows Server 2008, fine-grained password policies can be used to define password and lockout settings for different sets of user accounts, with conflicts resolved by the priority of the policies. Active Directory Domain Services (AD DS) has two new object classes, Password Settings Objects (PSOs) and Password Settings Containers (PSCs), that store fine-grained policies. To configure fine-grained password policies in AD, you need the Active Directory Users & Computers console and the Active Directory Services Interface Editor (ADSI Edit) tool. This article shows how to create a Password Settings Object (containing a fine-grained password policy) within a domain.
Procedure
Navigate to Start – Run. Type ‘adsiedit.msc’ in the text box and click OK.
The ADSI Edit tool opens. Select Action – Connect to from the drop-down menu.
The Connection Settings dialog box displays. Click OK to apply the default connection settings options to connect to the relevant domain.
Expand the domain node, then CN=System, then CN=Password Settings Container.
Note: All PSOs for the domain are stored in this container.
To create a new PSO and configure the fine-grained password policy, select Action – New – Object.
The ADSI Edit Create Object Wizard opens. The first page requests that you select a class. The only one displayed is msDS-PasswordSettings. Click Next.
For the Common-Name page, enter your preferred policy name. For our example, we choose PasswordPolicyAdmins. Click Next to continue.
On the Password Settings Precedence page, define a value for the precedence attribute according to your requirements. This value is used to resolve conflicts if multiple PSOs apply to a user or group object: the PSO with the lowest precedence value wins. Use a low value for the policies that should take priority, typically the stronger ones. For our example, enter 10 in the Value text box and click Next to continue.
On the Password reversible encryption status for user accounts page, you define whether passwords are stored with reversible encryption. This value can be either True or False. In our example we enter False. Click Next.
Note: False means that you do not want to store the password with reversible encryption.
On the Password History Length for user accounts page, define the number of previous passwords the system should remember. For our case, we choose 15.
Note: The password history length can only be between 0 and 24.
For the Password Complexity status for user accounts page, you can either enter True or False. For our case, we type in True to force users to use more complicated passwords. Click Next to continue.
For the Minimum Password Length for user accounts page, you can set a value between 1 and 14. For our example, we enter 7.
Note: If you prefer to have no password, enter ‘0’.
On the Minimum Password Age page, the value can be from 1 to 998. If you want to allow the password to be changed at any time, enter ‘0’. For our example, we choose 15. Click Next.
Note: When specifying time values, they must be written as [Days]:[Hours]:[Minutes]:[Seconds].
On the Maximum Password Age page, you define how old the user password can be before it must be changed. For our example, we type in 42. Click Next.
Note: If you never want the user to change their password, type ‘-9223372036854775808’.
On the Lockout Threshold page, specify the number of failed logon attempts allowed before the account is locked out. We set this to 5.
On the Observation window for lockout page, specify how long before the counter for failed logon attempts is reset. For our example, we enter 30 minutes in the following format: 0:00:30:00.
The Lockout duration for locked out accounts page should use the same value as the previous page (30 minutes) to avoid conflict. Click Next.
Select Finish to create the configured PSO object.
The new PSO object now displays in the details pane of the ADSI Edit tool.
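The same PSO built as a script, as an added example that is not part of the original article: it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, or Server 2008 with the Active Directory Management Gateway Service) instead of ADSI Edit, reuses the article's example values, and reads the object back so you can confirm that what is stored on the DC matches what you intended.

```powershell
# Added example: creates the PSO from the walkthrough with the ActiveDirectory
# module and then verifies every attribute against the intended settings.
# Assumes the ActiveDirectory module is installed and the account running this
# can create objects in CN=Password Settings Container,CN=System,<domain>.
Import-Module ActiveDirectory

# Intended settings, one per wizard page in the walkthrough.
$intended = @{
    Name                        = 'PasswordPolicyAdmins'
    Precedence                  = 10      # lowest value wins when several PSOs apply
    ReversibleEncryptionEnabled = $false  # never store recoverable passwords
    PasswordHistoryCount        = 15      # allowed range is 0-24
    ComplexityEnabled           = $true
    MinPasswordLength           = 7
    MinPasswordAge              = [TimeSpan]::FromDays(15)
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
    LockoutThreshold            = 5
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(30)
    LockoutDuration             = [TimeSpan]::FromMinutes(30)  # keep equal to the window
}

# Create the msDS-PasswordSettings object in the Password Settings Container.
New-ADFineGrainedPasswordPolicy @intended

# Read the PSO back and compare each attribute with intent. Any row printed
# here means the policy on the DC is not the one you think you configured.
$stored = Get-ADFineGrainedPasswordPolicy -Identity $intended.Name
$drift = foreach ($key in $intended.Keys) {
    if ("$($stored.$key)" -ne "$($intended[$key])") {
        [pscustomobject]@{ Attribute = $key; Intended = $intended[$key]; Stored = $stored.$key }
    }
}
if ($drift) {
    $drift | Format-Table -AutoSize
} else {
    "PSO '$($intended.Name)' stored as intended."
}
```

A PSO has no effect until it is linked to users or global security groups (the msDS-PSOAppliesTo attribute), so creating it is only the first step.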