MCITP 70-640: Fine Grained Password Policy

  • Published 20 Jul 2024
  • Check out / itfreetraining or itfreetraining.com for more of our always free training videos.
    Active Directory allows multiple password policies to be created in the same domain. This is referred to as fine grained password policy. This video looks at how to use multiple password policies, applying them to users and groups, and how to use shadow groups to apply a password policy to an organizational unit.
    PDF handout
    ITFreeTraining.com/handouts/70...
    Before Fine Grained Passwords
    Previously, if an administrator wanted to have separate password policies they would need to create separate domains. For example, if they had a secure domain and they wanted the users in the secure domain to have a longer password, a separate domain would need to be created. This is no longer required as multiple password policies can be created and used in the same domain.
    Fine-Grained Passwords
    In order to use fine grained passwords, your domain needs to be at the Windows Server 2008 Domain Functional Level or higher. This essentially means that all Domain Controllers in your domain need to be Windows Server 2008 or higher and the domain functional level raised to at least Windows Server 2008. Additional password policies are applied to users or groups, not OUs.
    Password Settings Object (PSO)
    A Password Settings Object or PSO contains all the same password settings that exist in the Default Domain Policy. In order to change settings and apply them to users and groups, you need to create a new PSO with the same settings as the Default Domain Policy except for the settings you want to change. You cannot change just a single setting; all settings must be configured.
    When multiple PSOs are used
    Each PSO object has a setting called Password Settings Precedence. This value determines which PSO will be used when multiple PSO objects are being applied. The PSO with the lowest value will be used, the lowest possible value being 1. If there are multiple PSOs with the same Password Settings Precedence value, then the PSO with the lowest GUID will be used. Every object in Active Directory has a unique GUID which acts like a serial number for the object, thus one PSO will always have a lower GUID.
    Demonstration
    To change the domain functional level or see what level your domain is currently at, open Active Directory Users and Computers, right click the domain and select the option Raise Domain Functional Level.
    In order to create a new PSO object, you need to run ADSI Edit from Administrative Tools under the Start menu. Once open, right click ADSI Edit and select the "Connect to" option to connect to your domain.
    Once connected, you need to expand through your domain to "CN=Password Settings Container" located under "CN=System". To create a new PSO, right click "CN=Password Settings Container" and select New Object.
    It is a simple matter to complete the questions in the wizard.
    Questions that are in the new PSO wizard
    Common-Name: This is a friendly name to identify the PSO.
    Password Settings Precedence: Must be 1 or greater. When multiple PSOs are applied to the same user or group, the PSO with the lowest Password Settings Precedence value will be used.
    Password reversible encryption status for user account: This indicates whether the password will be stored using a method so the password can be retrieved later on. Values for this are false or true.
    Password History Length for user accounts: This indicates how many previous passwords Active Directory should remember and thus prevent the user from using. If the value is 0, no password history will be saved.
    Password complexity status for user account: Indicates if a password needs to meet complex password requirements. This means it must contain characters from 3 of the following 4 categories: A-Z, a-z, 0-9 and non-alphanumeric. Values are true or false.
    Minimum Password Length for user accounts: This value indicates the minimum number of characters the password must contain. Valid settings are 0 to 255.
    Minimum Password Age for user accounts: This indicates how long the password will need to be used before it can be changed. To disable the setting use the value (none). Otherwise use the format DD:HH:MM:SS. For example 1 day, 3 hours, 5 minutes and 20 seconds would be 1:03:05:20.
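As an added example (not code from the video or its handout), the following PowerShell script performs the workflow the video demonstrates using the ActiveDirectory module instead of ADSI Edit: it keeps a shadow group equal to an OU's users, creates a PSO with every wizard field filled in, links the PSO to the group, and reads back the resultant PSO per user. It assumes Windows Server 2008 R2 or later (where the module first shipped) and that the OU, group and PSO names are placeholders.

```powershell
# Added example, not code from the ITFreeTraining video or its handout.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and
# that the OU, group and PSO names below are placeholders for your own values.
Import-Module ActiveDirectory
$ou        = 'OU=Secure,DC=example,DC=com'   # placeholder OU whose users need the policy
$groupName = 'SecureUsers-PSO'               # placeholder shadow group
$psoName   = 'SecureUsersPSO'                # placeholder PSO common name
# 1. Shadow group: a security group kept equal to the OU's membership, because
#    a PSO applies to users and groups, never to an OU directly.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ou -PassThru
}
$ouUsers   = @(Get-ADUser -SearchBase $ou -SearchScope OneLevel -Filter *)
$members   = @(Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' })
$ouDns     = @($ouUsers | ForEach-Object { $_.DistinguishedName })
$memberDns = @($members | ForEach-Object { $_.DistinguishedName })
$toAdd     = @($ouUsers | Where-Object { $memberDns -notcontains $_.DistinguishedName })
$toRemove  = @($members | Where-Object { $ouDns -notcontains $_.DistinguishedName })
if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

# 2. The PSO. Every setting is supplied, mirroring the wizard fields above.
#    Time spans use .NET's d.hh:mm:ss, not ADSI Edit's DD:HH:MM:SS, so
#    1 day, 3 hours, 5 minutes and 20 seconds is '1.03:05:20'.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $psoSettings = @{
        Name                        = $psoName
        Precedence                  = 10        # lowest value wins when several PSOs apply
        ReversibleEncryptionEnabled = $false
        PasswordHistoryCount        = 24
        ComplexityEnabled           = $true
        MinPasswordLength           = 14
        MinPasswordAge              = [TimeSpan]'1.03:05:20'
        MaxPasswordAge              = [TimeSpan]'60.00:00:00'
        LockoutThreshold            = 5
        LockoutObservationWindow    = [TimeSpan]'0.00:30:00'
        LockoutDuration             = [TimeSpan]'0.00:30:00'
    }
    New-ADFineGrainedPasswordPolicy @psoSettings
}

# 3. Link the PSO to the shadow group (this populates msDS-PSOAppliesTo).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# 4. Verify what AD will actually enforce per user after precedence resolution;
#    $null means no PSO applies and the Default Domain Policy is in force.
foreach ($u in $ouUsers) {
    $eff = Get-ADUserResultantPasswordPolicy -Identity $u
    if ($eff) { "$($u.SamAccountName): $($eff.Name) (precedence $($eff.Precedence))" }
    else      { "$($u.SamAccountName): Default Domain Policy" }
}
```

Re-run the script on a schedule so the shadow group keeps tracking the OU as accounts are created or moved; the verification step is also the quickest answer when msDS-ResultantPSO appears empty, since it shows whether the PSO has actually resolved for a user yet.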
    Description too long for UA-cam.
    Please see itfreetraining.com/70-640/fine... for the rest of the description.
    See / itfreetraining or itfreetraining.com for our always free training videos. This is only one video from the many free courses available on UA-cam.
    References
    "MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 395-402
    "Create a PSO" technet.microsoft.com/en-us/li...
    "Creating And Managing Shadow Groups" dx21.com/ezine/p2p/article.asp...

COMMENTS • 39

  • @jhreaside 11 years ago

    ITFreeTraining, I cannot thank you enough for the quality of your videos. I am currently in the process of revising for the 70-646 exam, and have found your videos to be an excellent alternative resource to help with my revision. The content and class of delivery is so good, I've thought about leaving behind my original course software, just to solely concentrate on your videos. The fact that all of this content can be viewed for free, is simply fantastic. Please keep it like this. Thank you!

  • @danielchiphazi 11 years ago

    I love these videos. I am writing my 70-640 exams in two weeks' time. Thanks guys, God bless you all.

  • @pflickgoal 11 years ago

    Great video again - educational and to the point, thank you.
    It should be noted that these are far more professional than the training nuggets that are around; those are whiteboard and marker pens and don't look great. This is fantastic and I have already recommended it to a number of IT colleagues.

  • @itfreetraining 11 years ago

    Thanks very much. It is good to hear that you like our videos and find them useful.

  • @itfreetraining 11 years ago

    Thanks very much. Glad to hear that you like the videos.

  • @itfreetraining 11 years ago

    No problem at all. Thanks for watching.

  • @itfreetraining 11 years ago

    Yes it will. As long as the user that you specify has enough access in Active Directory to make the changes, it will work.

  • @joeponnu 10 years ago

    Good video. Very crisp and clear. It was a pleasure listening. Thanks a lot.

  • @luliendo 11 years ago

    Excellent! Congratulations! Good Job! Thank you for sharing these videos

  • @itfreetraining 11 years ago

    Thanks very much and thanks for the recommendation. That helps us a lot.

  • @ExploringHimalyas 9 years ago

    Great tutorials, thanks for the effort. Hope you will continue sharing knowledge in future. Best wishes & many many thanks again.

    • @itfreetraining 8 years ago

      +Naresh Saklani You're welcome! Keep checking back for new videos

  • @itfreetraining 11 years ago

    Thanks, glad we could help.

  • @gadgetproblemnoproblem7613 8 years ago

    Great video. Clear explanations and thank you once again.

    • @itfreetraining 8 years ago

      +Gadgetproblem Noproblem You're welcome. Thanks for watching.

  • @itfreetraining 11 years ago

    Thanks very much. Good luck in the exam.

  • @afr1d1kh4n 11 years ago

    I've learnt a lot from these videos, I really want to thank you. You're doing a great

  • @karthikesan79 11 years ago

    Good presentation, thanks for the effort.

  • @itfreetraining 10 years ago

    Thanks very much.

  • @obheech 8 years ago

    +itfreetraining every video you guys have posted is awesome. The way you explain is very understandable and creates a thorough knowledge. Please, please publish more videos on Windows Server 2012.

    • @itfreetraining 8 years ago

      +avik GHOSH Glad to hear you enjoy them! We are working on quite a few new videos so stay tuned!

  • @Deeshum 8 years ago

    Excellent vid, btw.
    Silly question: is the shadow group creation bit necessary if I opt to set msDSPSOApplies to a 'Security Group - Universal'?

    • @itfreetraining 7 years ago

      You don't need the shadow group; the shadow group is just one way of making sure it gets applied to the users you want. If you have a group that has the users you want in it, you can use that group.

  • @ramkumargupta9628 7 years ago

    Video was awesome on fine grained password policy. I just want to know how we can check the password precedence of a domain.

  • @royclosa 8 years ago

    I visited the shadow group VB script website but it says: "Page no longer available. Dx21.LLC We're sorry."

  • @asafiatal 7 years ago

    Hi, the best videos, but are these still valid for Windows 2012 R2?

    • @itfreetraining 7 years ago

      From some viewers' remarks, a good bit of this information does transfer to Windows 2012 R2.

  • @spegase 9 years ago +1

    Hello itfreetraining, I just want to mention that the video is very good and informative, but a mistake has been made. When the user is created and added automatically to the shadow group, it will be removed from the group if the user account is deleted; running the script didn't make a change to the group members as the user account already no longer existed (and so was removed from the group members). For a perfect demonstration, creating a new account and running the script would have proved that the script had correctly updated the shadow group members. Regards

    • @itfreetraining 9 years ago

      Not sure what you mean, but we will do some more testing when we update the video and see if we can correct the problem.

    • @spegase 9 years ago +1

      itfreetraining I mean, if an AD object is deleted, it's removed from the groups it was a member of, right? So deleting the user would already update the group membership; rerunning the task here would in fact not affect the group members, right?

    • @badro10 8 years ago

      Good point from Alexandre ... it's not a technical issue, but adding an account would be a better demonstration of what the script does than deleting one.

  • @yoganandts7868 8 years ago

    I created a PSO object by following the video. msDSPSO-Applies to is the "Laptop Users" group but I see "Value not set" in msDS-Resultant PSO for all users in the Laptop Users group. What would be the problem? I restarted the server but no change. Thank you.

    • @itfreetraining 8 years ago

      +Yoganand T S I would check to make sure that Active Directory has replicated correctly. I would guess that it has not had enough time to take effect.

    • @computertech8938 5 years ago

      How much time does it take?

  • @Okikor1 6 years ago

    How do I make the option to have non-alphanumeric characters mandatory?

    • @itfreetraining 6 years ago

      It's utilized under Security Policies. Here's a link with more information:
      technet.microsoft.com/en-us/library/hh994562(v=ws.11).aspx

    • @Okikor1 6 years ago

      It's utilized but to make it one of the mandatory categories is not an option. I need it to be mandatory.

  • @itfreetraining 10 years ago

    Thanks very much.