Configuring password policies windows server 2008

Ghacks is a technology news blog that was founded in by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers. Search for:. Martin Brinkmann. Software , Windows software. Related content Microsoft says Powerdir vulnerability in macOS could have given attackers access to user data. Avira is adding a crypto miner to its products as well. KeePass 2. VeraCrypt 1. LastPass: some users report compromised accounts.

Bitdefender Free will be retired on December 31, Comments There are no comments on this post yet, be the first one to share your thoughts! Leave a Reply Cancel reply Comment Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy We love comments and welcome thoughtful and civilized discussion.

Rudeness and personal attacks will not be tolerated. The "Show only attributes that have values" is NOT selected. Figure 9. In the "Multi-valued String Editor" insert the distinguished name of a user or a global security group in the "Value to add" field and click Add. You can add multiple distinguished names in this dialog - when done just click OK. Figure Every user account that is a member of this group is now hit by the new "PassPolAdmins" password policy instead of the one defined in the Default Domain Policy.

Cool, right! At this point you might wonder what happens if the user is "hit" by multiple conflicting password policies. I will get back to this in detail in the next article in this series, but let me remind you we defined a 'precedence' value during the PSO creation.

This is really cool because it enables administrator to view or edit lots of stuff which should normally be done within the ADSI Edit tool. With this tab we can take properties on the PSOs in the domain and modify the msDS-PSOAppliesTo attribute to easily set the password policy on a user or group or move a user or group from that policy.

Please notice that you cannot set the password policy from properties on the user or group objects - information about what policy applies to which users or groups is in other words set on the Password Settings Object itself! It can be hard to determine what policy 'wins' for a specific user object probably the one with the lowest cost AKA precedence value - the Resultant Set of Policy RSoP you could say.

This value determines what policy applies to the specific user in my example a user named "Windows Admin". This is in other word the "active" password and lockout policy for the selected user. Both group and user objects have another new attribute, msDS-PSOApplied , which holds in a multi-valued string all the policies that the group or user is hit by - either directly or through group membership.

In the example below the group called "Admins" is hit by 2 different password policies. If you cannot see the values mentioned here, be sure to set the "Attribute Editor" tabs filtering options to the ones described in the "Make it happen" section above. We have now seen how to add a password and lockout policy in addition to the existing policy which is defined on the domain level by default. I guess Microsoft wants the 'security group approach' instead of the ' OU approach' - most likely based on requests from costumers out there.

It is just a matter of getting used to this new approach and I am sure we will see some easy-to-use tools and scripts within short time to make the described process even easier to complete.

Despite the "nerdy" management of these policies I think it is going to be used a great deal out there - let's hope so anyway! Please also read 'Configuring Granular Password Settings in Windows Server part 2' when it is published in short time. Your email address will not be published. Skip to main content. This browser is no longer supported. Download Microsoft Edge More info. Contents Exit focus mode. Note Some security policy settings require that the computer be restarted before the setting takes effect.

Note If this security policy has not yet been defined, select the Define these policy settings check box. Important Always test a newly created policy in a test organizational unit before you apply it to your network.