Fine-Grained Password Policies — password settings objects


Windows Server 2008 supports Fine-Grained Password Policies in Active Directory, which is a huge step forward from the per-domain-only password policies of Windows Server 2003 and Windows 2000 Server Active Directory. Yet, because the suggested built-in management interfaces for creating fine-grained policies are ADSIedit, LDIFDE, and similar utilities, and because the Active Directory domain in question must be at the Windows Server 2008 domain functional level (DFL), such policies aren’t yet deployed as widely as some people might hope.

In this article we’ll review the functionality and objects involved in fine-grained password policies (FGPP). In a subsequent article, we’ll present the use of the Windows Server 2008 R2 PowerShell v2.0 cmdlets for working with fine-grained password policies.

The Windows Server 2008 (W2K8) Active Directory schema contains some new object classes and attribute types to support fine-grained password policies. With W2K8 AD, an instance of one of these classes, a password settings container, is created in the domain’s System container. In the example domain used throughout this article, the distinguished name of this container is:

CN=Password Settings Container,CN=System,DC=777,DC=wernerconsulting,DC=com

With the Advanced Features view option enabled in Active Directory Users and Computers (ADUC), we can see this container, and if there are any policies defined in it, we can work with their properties in ADUC’s Attribute Editor. But to create the Password Settings objects which go in that container, we use ADSIedit, LDIFDE, or other tools. Once created, we can use those same tools to view and edit the settings, or we can come back to ADUC and use the Attribute Editor. In another article, we’ll see some PowerShell cmdlets in W2K8 R2 which offer an alternative.

Let’s look at a Password Settings object – the object class is msDS-PasswordSettings. Although these can be created in ADSIedit and then modified in ADUC, let’s see one in standard LDIF format.

dn: CN=Sales Password Policy,CN=Password Settings Container,CN=System,DC=777,DC=wernerconsulting,DC=com
objectClass: msDS-PasswordSettings
cn: Sales Password Policy
msDS-MaximumPasswordAge: -18144000000000
msDS-MinimumPasswordAge: -6048000000000
msDS-MinimumPasswordLength: 16
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-LockoutObservationWindow: -6000000000
msDS-LockoutDuration: -18000000000
msDS-LockoutThreshold: 3
msDS-PasswordSettingsPrecedence: 10

Note that the raw format for the maximum password age, minimum password age, lockout observation window, and lockout duration is the classic Windows NT time interval in “ticks”: a negative number giving the length of the duration in 100-nanosecond units. These are 64-bit values, referred to as Integer8 (eight octets) or LargeInteger values depending on whether you ask a schema person or a developer.

When entering these values in ADSIedit, I’ve seen and heard people suggest that we use the ticks value for the time intervals. However, it is also possible to enter a value of (none), (never), or a duration in d:hh:mm:ss notation (days, hours, minutes, and seconds). A value of 0:00:10:00 represents 10 minutes. There really is no need to resort to ticks unless you prefer to count time that way.

Both ADUC’s Attribute Editor and ADSIedit support entering these values in d:hh:mm:ss notation, which automagically translates to the negative ticks notation required for time intervals.
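The following Python is an added example, not code from the article or from any Microsoft tool. It does for an LDIF record what ADSIedit and the Attribute Editor do interactively: it converts the negative 100-nanosecond tick counts in the Sales Password Policy record above into d:hh:mm:ss notation and back, and it runs a few sanity checks on the record before it would be fed to LDIFDE. Two things are assumptions on my part: that (never) is stored as the Int64 minimum (the sentinel the domain’s own maxPwdAge uses), and that the consistency rules checked (minimum password age no longer than maximum password age, lockout observation window no longer than lockout duration, precedence a positive integer) match what the directory enforces. The sample record is a constructed copy of the one shown above.

```python
import re

TICKS_PER_SECOND = 10_000_000  # an AD "tick" is 100 ns, so 1e7 ticks per second
SECONDS_PER_DAY = 86_400
# Assumption: "(never)" is stored as the Int64 minimum, the same sentinel that
# the domain-level maxPwdAge attribute uses for "passwords never expire".
NEVER_TICKS = -(2 ** 63)

# The four msDS-PasswordSettings attributes that hold negative tick intervals.
INTERVAL_ATTRS = (
    "msDS-MaximumPasswordAge",
    "msDS-MinimumPasswordAge",
    "msDS-LockoutObservationWindow",
    "msDS-LockoutDuration",
)

# Constructed copy of the "Sales Password Policy" record shown in the article.
SAMPLE_PSO_LDIF = """\
dn: CN=Sales Password Policy,CN=Password Settings Container,CN=System,DC=777,DC=wernerconsulting,DC=com
objectClass: msDS-PasswordSettings
cn: Sales Password Policy
msDS-MaximumPasswordAge: -18144000000000
msDS-MinimumPasswordAge: -6048000000000
msDS-MinimumPasswordLength: 16
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-LockoutObservationWindow: -6000000000
msDS-LockoutDuration: -18000000000
msDS-LockoutThreshold: 3
msDS-PasswordSettingsPrecedence: 10
"""


def ticks_to_duration(ticks: int) -> str:
    """Negative AD interval ticks -> the d:hh:mm:ss text ADSIedit/ADUC accept."""
    if ticks == NEVER_TICKS:
        return "(never)"
    if ticks == 0:
        return "(none)"
    if ticks > 0:
        raise ValueError("AD stores time intervals as negative tick counts")
    seconds, remainder = divmod(-ticks, TICKS_PER_SECOND)
    if remainder:
        raise ValueError("interval is not a whole number of seconds")
    days, seconds = divmod(seconds, SECONDS_PER_DAY)
    hours, seconds = divmod(seconds, 3600)
    minutes, seconds = divmod(seconds, 60)
    return f"{days}:{hours:02d}:{minutes:02d}:{seconds:02d}"


def duration_to_ticks(text: str) -> int:
    """d:hh:mm:ss, (none) or (never) -> the negative tick count stored in AD."""
    text = text.strip().lower()
    if text == "(never)":
        return NEVER_TICKS
    if text == "(none)":
        return 0
    match = re.fullmatch(r"(\d+):(\d{1,2}):(\d{1,2}):(\d{1,2})", text)
    if not match:
        raise ValueError(f"not a d:hh:mm:ss duration: {text!r}")
    days, hours, minutes, seconds = (int(part) for part in match.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"hours/minutes/seconds out of range: {text!r}")
    total = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    return -total * TICKS_PER_SECOND


def parse_ldif_record(ldif: str) -> dict:
    """Minimal parser for one unfolded, non-base64 LDIF record (attr: value)."""
    record = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        record[attr.strip()] = value.strip()
    return record


def describe_intervals(record: dict) -> dict:
    """Render every interval attribute present in a PSO record as d:hh:mm:ss."""
    return {a: ticks_to_duration(int(record[a])) for a in INTERVAL_ATTRS if a in record}


def check_pso(record: dict) -> list:
    """Return a list of problems found in a PSO record; empty means it looks sane."""
    problems = []
    if record.get("objectClass") != "msDS-PasswordSettings":
        problems.append("objectClass must be msDS-PasswordSettings")
    missing = [a for a in INTERVAL_ATTRS if a not in record]
    if missing:
        return problems + [f"missing interval attribute {a}" for a in missing]
    ticks = {a: int(record[a]) for a in INTERVAL_ATTRS}
    problems += [f"{a} must be a negative tick count, got {v}" for a, v in ticks.items() if v > 0]
    # Intervals are negative, so "min age <= max age" means min_ticks >= max_ticks.
    max_age, min_age = ticks["msDS-MaximumPasswordAge"], ticks["msDS-MinimumPasswordAge"]
    if max_age != NEVER_TICKS and min_age < max_age:
        problems.append("minimum password age exceeds maximum password age")
    # Assumed rule: the observation window may not be longer than a timed lockout
    # duration; (none)/(never) durations mean locked until an administrator unlocks.
    window, duration = ticks["msDS-LockoutObservationWindow"], ticks["msDS-LockoutDuration"]
    if duration not in (0, NEVER_TICKS) and window < duration:
        problems.append("lockout observation window exceeds lockout duration")
    precedence = record.get("msDS-PasswordSettingsPrecedence", "")
    if not precedence.isdigit() or int(precedence) < 1:
        problems.append("msDS-PasswordSettingsPrecedence must be a positive integer")
    return problems


if __name__ == "__main__":
    pso = parse_ldif_record(SAMPLE_PSO_LDIF)
    for attr, human in describe_intervals(pso).items():
        print(f"{attr}: {pso[attr]} ticks = {human}")
    print("problems:", check_pso(pso) or "none")
```

Run as a script it prints the four intervals of the record above as 21 days, 7 days, 10 minutes and 30 minutes, which is exactly what the Attribute Editor shows for those tick values; swapping the two age attributes or the two lockout attributes in the LDIF makes check_pso report the inconsistency before LDIFDE ever contacts a domain controller.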

In another article, we’ll look at the meaning of these settings, then later how to apply them to groups, and finally how to avoid the gory details of managing these in Windows Server 2008 and use PowerShell in Windows Server 2008 R2 for more fun and power.

One thought on “Fine-Grained Password Policies — password settings objects”

  1. Joni Mueller January 28, 2012 at 5:52 pm I tried the demo (actually I was a slacking Beta tester) and just purchased a Tefter license and am waiting for details on receiving the download. Meanwhile, while using the demo, I couldn’t help but notice no custom account type for my favorite project management system, activeCollab. You might want to think about adding that. And Basecamp, for that matter. Pozdrav!
