
Creating Password Settings Objects and Applying Secondary Settings

When you want to fine-tune the way account policy is applied, you need to create a Password Settings group and add users, inetOrgPersons, and global security groups as members of the Password Settings group. A Password Settings group is simply a global security group that applies the desired secondary PSO rather than the default PSO.

Afterward, you have to create a Password Settings object with attributes that define the desired policy settings and then link this object to the Password Settings group.

Before you start, you should consider how you will organize your Password Settings groups. In most cases, you'll want to create Password Settings groups that closely resemble the OUs in your domain. To do this, you'll create Password Settings groups with the same names as your OUs and then add users, inetOrgPersons, and global security groups as members of these groups as appropriate to reflect the organizational structure of your OUs.

You can create the Password Settings group and define its members using Active Directory Users And Computers. By default, only members of the Domain Admins and Schema Admins groups can create PSOs. You can create a PSO and set its attributes by completing these steps:

  1. Start ADSI Edit by clicking Start, clicking Administrative Tools, and then clicking ADSI Edit.
  2. Right-click the ADSI Edit node in the MMC and then select Connect To. This displays the Connection Settings dialog box.
  3. Choose Default Naming Context in the Select A Well Known Naming Context list and then click Advanced. This displays the Advanced dialog box.
  4. Select the Specify Credentials check box. In the Credentials panel, type the user name and password of an account that is a member of Schema Admins.
  5. Click OK to close both open dialog boxes.
  6. In ADSI Edit, select and then expand the Default Naming Context node, and then select and expand the CN=System node.
  7. In the left pane, select the CN=Password Settings Container entry. A list of any previously created Password Settings objects appears in the details pane.
  8. Right-click the CN=Password Settings Container entry, point to New and then select Object. This starts the Create Object wizard.
  9. On the Select A Class page, choose msDS-PasswordSettings and then click Next. msDS-PasswordSettings is the internal directory name for PSOs.
  10. In the Value text box, type the name of the Password Settings group and then click Next. If you are naming your Password Settings groups after your OUs, this should be the name of an OU in your domain.
  11. In the Value text box, type the precedence order for the group and then click Next. When multiple Password Settings objects apply to a user, the precedence of the group determines which account policy settings are applied. A group with a precedence of 1 always takes priority over a group with a larger precedence value (that is, a lower priority).
  12. Set the reversible encryption status for passwords as either false or true and then click Next. In most cases, you'll want to turn this feature off so that passwords are not stored in a form that can be decrypted back to cleartext.
  13. Set the password history length and then click Next. The maximum value is 24. If you enter zero (0), a password history is not kept.
  14. Set the password complexity status for passwords as either false or true and then click Next. In most cases, you'll want to turn this feature on to ensure users enter complex passwords.
  15. Set the minimum password length for user accounts and then click Next. The maximum value is 14. If you enter zero (0), a password is not required.
  16. Set the minimum password age and then click Next. The age must be set in duration format as DD:HH:MM:SS. The maximum value is 998:00:00:00 (998 days). If you enter zero (0), a password can be changed immediately.
  17. Set the maximum password age and then click Next. The age must be set in duration format as DD:HH:MM:SS. The maximum value is 999:00:00:00 (999 days). If you enter zero (0), passwords never expire.
  18. Specify how many failed attempts at logon before a user is locked out and then click Next. The maximum value is 999. If you enter zero (0), accounts will never be locked.
  19. Specify the number of minutes after a logon failure before the logon counter is reset and then click Next. The counter time must be set in duration format as DD:HH:MM:SS. The maximum value is 69:10:39:00 (99,999 minutes). The valid range is from 1 to 99,999 minutes.
  20. Specify how long a user will be locked out before the account is unlocked automatically and then click Next. The counter time must be set in duration format as DD:HH:MM:SS. The maximum value is 69:10:39:00 (99,999 minutes). The valid range is from 1 to 99,999 minutes.
  21. Click Finish to create the object with the attributes you've defined. If you've made any mistakes in setting the attribute values, you'll see an error message regarding this and you can use the Back function to make changes to the previously specified values.
  22. In ADSI Edit, right-click the PSO you just created and select Properties. In the Properties dialog box, scroll through the list of attributes until you see msDS-PSOAppliesTo. Select this attribute and then click Edit. This opens the Multi-Valued Distinguished Name With Security Principal Editor dialog box.
  23. Click Add Windows Account. This displays the Select Users, Computers, Or Groups dialog box. Type the name of the Password Settings group you previously created using Active Directory Users And Computers and then click Check Names.
  24. Click OK three times to close all open dialog boxes.
Note:
You can link a PSO to other types of groups in addition to global security groups. However, when the resultant set of policy is determined for a user or group, only PSOs that are linked to global security groups, user objects, and inetOrgPerson objects are considered. PSOs that are linked to distribution groups or other types of security groups are ignored.
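The same PSO can be created and linked from the command line instead of ADSI Edit. The following is an added example, not code from the page or from Microsoft, and it assumes the Active Directory PowerShell module (RSAT on Windows 7, or Windows Server 2008 R2 and later), a global security group named "Finance Users" that already exists, and a user "jdoe" who is a member of that group; the attribute values mirror the wizard steps above.

```powershell
# Added example: build the msDS-PasswordSettings object with the AD module.
# Assumptions (not from the page): group "Finance Users" exists, "jdoe" is a member.
Import-Module ActiveDirectory

# Same name as the Password Settings group, following the OU naming scheme.
$psoName = 'Finance Users'

# Steps 9-21: one PSO with every attribute the Create Object wizard asks for.
# Durations that ADSI Edit takes as DD:HH:MM:SS are TimeSpan values here.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -MinPasswordLength 14 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Steps 22-24: populate msDS-PSOAppliesTo with the global security group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $psoName

# Check 1: the object exists under CN=Password Settings Container and links to the group.
Get-ADFineGrainedPasswordPolicy -Identity $psoName -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo

# Check 2: the resultant policy for a member should now be this PSO.
# The cmdlet returns nothing when only the Default Domain Policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence
```

The second check is the one worth scripting across all members of a Password Settings group after a change: because only global security groups, users, and inetOrgPersons are considered, a member picked up only through a distribution group or a domain local group will still show the domain default.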

Understanding PSO precedence

A user, inetOrgPerson, or global security group can have multiple PSOs linked to it. This can occur either because of membership in multiple groups that each have different PSOs applied to them or because multiple PSOs are applied directly to the object. However, only one PSO is applied as the effective policy and only the settings from that PSO affect the user, inetOrgPerson, or group. The settings from other PSOs do not apply and cannot be merged in any way.

Active Directory determines the applicable PSO according to the precedence value assigned to its msDS-PasswordSettingsPrecedence attribute. This attribute has an integer value of 1 or greater. A lower value for the precedence attribute indicates that the PSO has a higher priority than other PSOs. For example, suppose an object has three PSOs linked to it. One PSO has a precedence value of 5, one has a precedence of 8, and the other PSO has a precedence value of 12. In this case, the PSO that has the precedence value of 5 has the highest priority and is the one applied to the object.

If multiple PSOs are linked to a user or group, the PSO that is applied is determined as follows:

  1. A PSO that is linked directly to the user object is applied. If more than one PSO is linked directly to the user object, the PSO with the lowest precedence value is applied.
  2. If no PSO is linked directly to the user object, all PSOs that are applicable to the user based on the user's global group memberships are compared and the PSO with the lowest precedence value is applied.
  3. If no PSO is linked directly or indirectly to the user object, the Default Domain Policy is applied.

Microsoft recommends that you assign each PSO in the domain a unique precedence value. However, you can create multiple PSOs with the same precedence value. If multiple PSOs have the same precedence value, the PSO with the lowest GUID is applied. Typically, this means Active Directory will apply the PSO with the earliest creation date.
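The resolution order just described (direct links first, then group links, lowest precedence value within a tier, lowest GUID on a tie, Default Domain Policy when nothing is linked) can be modelled in a few lines. The following is an added example, not code from the page or from Microsoft; it runs over constructed PSO records with made-up names and GUIDs so it needs no domain, and it covers the three-PSO case from the text plus the direct-link, tie, and no-link cases.

```powershell
# Added example: a model of PSO resolution over constructed records.
# Names and GUIDs are made up for the demonstration; nothing is read from AD.
function Resolve-EffectivePso {
    param(
        [object[]]$DirectPsos = @(),   # PSOs linked directly to the user object
        [object[]]$GroupPsos  = @()    # PSOs linked to the user's global security groups
    )
    # Within a tier, the lowest precedence value wins; equal values fall back to the
    # lowest GUID. Sort-Object compares [guid] values through IComparable.
    if ($DirectPsos) { return $DirectPsos | Sort-Object Precedence, ObjectGuid | Select-Object -First 1 }
    if ($GroupPsos)  { return $GroupPsos  | Sort-Object Precedence, ObjectGuid | Select-Object -First 1 }
    # Nothing linked directly or through groups: the Default Domain Policy applies.
    return [pscustomobject]@{ Name = 'Default Domain Policy'; Precedence = $null; ObjectGuid = $null }
}

function New-SamplePso([string]$Name, [int]$Precedence, [string]$Guid) {
    [pscustomobject]@{ Name = $Name; Precedence = $Precedence; ObjectGuid = [guid]$Guid }
}

# Constructed sample data: the 5 / 8 / 12 case from the text plus two extra records.
$finance = New-SamplePso 'Finance Users'  5  '00000000-0000-0000-0000-000000000005'
$itAdmin = New-SamplePso 'IT Admins'      8  '00000000-0000-0000-0000-000000000008'
$allUser = New-SamplePso 'All Users'      12 '00000000-0000-0000-0000-00000000000c'
$direct  = New-SamplePso 'Direct Link'    12 '00000000-0000-0000-0000-00000000000d'
$tieLow  = New-SamplePso 'Tie (low GUID)' 8  '00000000-0000-0000-0000-000000000001'

$cases = @(
    @{ Label = 'Three group PSOs (5, 8, 12)';           Direct = @();        Group = @($finance, $itAdmin, $allUser) }
    @{ Label = 'Direct link wins despite larger value'; Direct = @($direct); Group = @($finance, $itAdmin, $allUser) }
    @{ Label = 'Equal precedence, lowest GUID wins';    Direct = @();        Group = @($itAdmin, $tieLow) }
    @{ Label = 'No PSO linked at all';                  Direct = @();        Group = @() }
)

foreach ($c in $cases) {
    $winner = Resolve-EffectivePso -DirectPsos $c.Direct -GroupPsos $c.Group
    "{0,-42} -> {1} (precedence {2})" -f $c.Label, $winner.Name, $winner.Precedence
}
```

The second case is the one that surprises people: a PSO linked directly to the user wins even when a group-linked PSO has a smaller precedence value, because direct links are evaluated as a separate, earlier tier. Against a live domain, Get-ADUserResultantPasswordPolicy gives the authoritative answer; this model is for reasoning about which link to change.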

The user object has three attributes that override the settings that are present in the applicable PSO: Reversible Password Encryption Required, Password Not Required, and Password Does Not Expire. You can set these attributes in the userAccountControl attribute of the user object in Active Directory Users And Computers.
