Wednesday, May 21, 2014

FINE GRAINED PASSWORD POLICY IN 2008

The Default Domain Password Policy:
 
*Normally the password policy is set for all users at the Domain level.
*The default settings are usually good enough.

Ex :
Enforce password history - 24 passwords remembered
Maximum password age - 42 days
Minimum password age - 1 day
Minimum password length - 7 characters
Password must meet complexity requirements - enabled.
Store passwords using reversible encryption - disabled.

*Complexity requirements are enforced when passwords are changed or created.
Requirements : 

*Must not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
*Must be at least six characters in length.
*Must contain characters from three of the following four categories:

-English uppercase characters (A to Z)
-English lower case characters (a to z)
-Base 10 digits (0 to 9)
-Non-alphanumeric characters (!, @, #, $, %)

____________________________________________________
To exempt any user from this domain password policy we will use FINE GRAINED PASSWORD POLICY.

 
*Normally you have only one set of password policy settings in your entire domain, but by creating Password Settings Objects (PSOs) you can specify multiple password policies for individual users or for the groups that users are members of.


*Your domain functional level must be Windows Server 2008.


*We'll need to go into ADSI EDIT to create the password settings objects and link them to the user account or group they apply to.

Steps:
*Open ADSI EDIT.
*Expand Default naming context
*Go to CN=System > CN=Password Settings Container > right-click on the empty pane > New > Object > select the class > Next > Value (Common-Name) > type anything which is related, e.g. ExecutivesPasswordPolicy
> Next > again you will get Value (Password Settings Precedence) - type 1

Durations below are entered as days:hours:minutes:seconds.

> Next > Value (Password reversible encryption status for user accounts) - type FALSE
> Next > Value (Password history length for user accounts) - type 5
> Next > Value (Password complexity status for user accounts) - type FALSE
> Next > Value (Minimum password length for user accounts) - type 4
> Next > Value (Minimum password age for user accounts) - type 1:00:00:00
> Next > Value (Maximum password age for user accounts) - type 90:00:00:00
> Next > Value (Lockout threshold for lockout of user accounts) - type 20
> Next > Value (Observation window for lockout of user accounts) - type 0:00:20:00
> Next > Value (Lockout duration for locked out user accounts) - type 0:01:00:05
> Next.

Now go to the More Attributes option > Select a property to view: > msDS-PSOAppliesTo

Edit Attribute > copy and paste the distinguished name of the executives group here and click Add > OK > Finish.


(You can get the group's distinguished name by enabling the Advanced Features option in Active Directory Users and Computers > select the group > Properties > Attribute Editor tab > scroll down > select distinguishedName and copy all of its contents
> OK
).
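The same PSO, created and linked from PowerShell instead of ADSI Edit, as an added example that is not part of the original post. It assumes the ActiveDirectory module is available (Server 2008 R2 or later, or Server 2008 domain controllers with the Active Directory Management Gateway Service), that the group is named Executives, and uses a placeholder user name; the values mirror the walkthrough above.

```powershell
Import-Module ActiveDirectory

# Assumed names: the PSO name from the walkthrough and a group called "Executives".
$psoName = 'ExecutivesPasswordPolicy'
$group   = 'Executives'

# Create the Password Settings Object with the same values the walkthrough types into ADSI Edit.
# When several group-linked PSOs apply to one user, the lowest Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 1 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 5 `
    -ComplexityEnabled $false `
    -MinPasswordLength 4 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 20 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 20) `
    -LockoutDuration (New-TimeSpan -Hours 1 -Seconds 5) `
    -ProtectedFromAccidentalDeletion $true

# Link the PSO to the group. This populates msDS-PSOAppliesTo with the group's
# distinguished name, so there is no need to copy the DN out of Attribute Editor.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify the link, then confirm which policy actually takes effect for a member of the group
# (no output from the resultant check means the Default Domain Policy still applies).
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName | Select-Object Name, DistinguishedName
Get-ADUserResultantPasswordPolicy -Identity '<executive-user>'   # placeholder: a member of Executives
```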


HOW TO RESET THE PASSWORD OF A USER.
Right-click on the user in AD > select Reset Password.
____________________________________________________
*ADSI EDIT - A low-level utility used for editing the AD database directly rather than through the GUI tools (e.g. Server Manager).
*FINE GRAINED PASSWORD POLICY - A feature of Server 2008 that allows an override of the domain password policy requirements.
*PSO - Password Settings Object - An AD object created in ADSI Edit that allows an alternative password policy to be applied to a user or a group.
*Server 2008 Functional Level - An operating mode which requires that all Domain Controllers in your network be Server 2008. (Required for Fine Grained Password Policy.)

