Fine grained password policy

Today we take a closer look at the Microsoft Active Directory in the 2008 native mode. One of the problems that windows administrators often face in the daily business is the setting of password policies for the whole company. Under Windows Server 2003 it was not possible to set more than one policy for the accounts. So from the domain administrator to the user every body needed the same complex password. Under active directory in version 2008 there is a new object type in the schema which is called PSO (password settings object). The only way to create the PSO is in ADSI edit. Click on start and enter “adsiedit.msc”.


In ADSI edit Connect to the “Default naming context” and browse to the CN= Password adsiedtSettings Container,CN=System,DC=YourDomain,DC=YourDomain. With the right click you are able to create a new PSO with a wizard (I am not 100 % sure but it is a wise idea to do this with the newest version of adsiedit.msc on the server).

The wizard shows up and your are able to set the PSO settings:
•    Password settings precedence
•    Password reversible encryption status for user accounts
•    Password history length for user accounts
•    Password complexity status for user accounts
•    Minimum password length for user accounts
•    Minimum password age for user accounts
•    Maximum password age for user accounts
•    Lockout threshold for lockout of user accounts
•    Observation window for lockout of user accounts
•    Lockout duration for locked out user accounts
•    Links to objects that this password settings object applies to (forward link).

The last setting is very nice. The policy are now bound to an active directory global, universal or domain local group. The PSO does not outweigh the older GPO based managed policy. If a user has a policy both through PSO and GPO the GPO policy is enforced.

To use the PSO a PDC Emulator FSMO Role must be configured on the Windows 2008 Server. The domain and forest function level must be at least Windows Server 2008. The PSO works on Windows XP, Vista, 2003 and 2008 Servers.

Enjoy the simplified but even though smarter password policy
Cheers Konrad

About the author


Add comment

Recent Posts