A user today had a requirement to set a separate password policy for one OU. Their Windows Server version is 2008 R2 Enterprise Edition. In earlier versions a password policy could only be defined in the Default Domain Policy and could not be set for a single specific group of users; starting with Server 2008 there is a new feature for this, known by two names: multiple password policies and fine-grained password policy.
The user's requirement is simple: members of a group should not inherit the default password policy. The default is to change the password every 90 days with a lockout threshold of 5 attempts; they want it changed to 999 days and a threshold of 999, which feels like a joke.
Below is the procedure as carried out in my test environment, followed by a problem encountered when doing it in practice.
== Create a new security group; the password policy relies on a security group to be applied
Then add the user Sijia to the password security group.
== Open ADSI Edit and create a new object; this creates the separate password policy
1) Type the password policy name.
2) Note that the syntax type is integer: digits 0-9 only, no decimal point may appear.
3) Boolean: only TRUE or FALSE can be entered. For "store password using reversible encryption", select False.
4) Password history length. If it is set to 1 and you use the password 123 this time, the next password change cannot reuse 123, but the change after that can use 123 again.
5) Password complexity: select False.
6) Minimum password length: I chose 8 here; it can be changed later.
7) The syntax is duration, which must be entered in days:hours:minutes:seconds format; I entered 998.
8) The minimum and maximum ages cannot be the same; I set the maximum to 998.
9) The number of wrong passwords after which the account is locked out.
10) Account lockout duration: set to one second.
11) Account lockout observation window (the time after which the lockout counter is reset): also one second.
12) When finished, open the object's properties and find the msDS-PSOAppliesTo value.
13) Add the security group created earlier to that value. Remember that at the start I added the user to this security group.
14) To make testing easier, I changed the minimum password length to 1.
== Test that the password policy takes effect
1) I changed the minimum password length to 1 earlier. Domain users who are not in the password security group inherit the domain password policy, which still enforces password complexity, so they cannot change their password to such a short one.
2) The user Sijia is a member of the password security group.
3) Changing the password to a 1-character password succeeds, which shows the password policy is in effect.
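The same policy can be created and verified from the Active Directory PowerShell module instead of ADSI Edit. The following is an added example, not the blog author's procedure or a Microsoft sample; the PSO name, group name and precedence value are assumptions, the user name Sijia and the settings come from the walkthrough above, and the 1-day minimum age is a constructed value so that the minimum is shorter than the maximum (the cmdlet rejects equal values). It also shows the check the blog does by hand: the resultant policy of a group member is the PSO, while a user outside the group gets nothing, meaning the Default Domain Policy still applies.

```powershell
# Added example: build the fine-grained password policy from the walkthrough
# with the AD module cmdlets (Windows Server 2008 R2 and later).
Import-Module ActiveDirectory

$psoName   = 'Dept-Password-Policy'   # assumed PSO name
$groupName = 'PasswordPolicyGroup'    # assumed global security group
$testUser  = 'sijia'                  # user from the walkthrough

# A PSO can only be applied to users and global security groups, so create
# the group with Global scope and add the test user.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $groupName -Members $testUser

# Values from the ADSI Edit steps. Constraints the ADSI wizard does not check
# for you: MinPasswordAge must be shorter than MaxPasswordAge, and
# LockoutObservationWindow must not exceed LockoutDuration.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `                                   # assumed precedence
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 1 `
    -ComplexityEnabled $false `
    -MinPasswordLength 8 `
    -MinPasswordAge (New-TimeSpan -Days 1) `           # constructed value
    -MaxPasswordAge (New-TimeSpan -Days 998) `
    -LockoutThreshold 999 `
    -LockoutObservationWindow (New-TimeSpan -Seconds 1) `
    -LockoutDuration (New-TimeSpan -Seconds 1)

# Equivalent of filling in msDS-PSOAppliesTo by hand.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verification. For a group member this returns the PSO; for a user outside
# the group it returns nothing, because no PSO applies and the Default Domain
# Policy (with complexity enabled) is what the DC enforces.
Get-ADUserResultantPasswordPolicy -Identity $testUser |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, MaxPasswordAge
```

Get-ADUserResultantPasswordPolicy resolves the PSO the same way the domain controller does, including precedence between several PSOs, so it is a quicker and less disruptive check than changing a user's password to a 1-character value.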
== Problems the user ran into applying the password policy in production
1) After the password policy was created, repeated tests showed it did not take effect. A mistake in creating the object was ruled out: as long as each attribute is entered in the correct syntax the wizard does not report an error, that is, integers as digits 1-9, Booleans as True or FALSE, and durations as days:hours:minutes:seconds.
2) The other possibility was that the domain functional level was not 2008. Checking the user's domain functional level later showed that it was 2003.
The domain functional level therefore had to be raised. Someone will always ask whether raising the forest and domain functional levels affects the production and user environment. The answer is no, unless you still have Windows Server 2003 domain controllers in the domain: 2003 domain controllers are not supported once the domain and forest levels are raised. There is no other risk.
3) Raise the forest functional level.
4) Raise the domain functional level.
5) After the levels were raised, the user reported that the policy was in effect.
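The prerequisite that caused the production problem can be checked before the PSO is created rather than after a day of testing. The script below is an added example, not from the blog; it lists the current functional levels, inventories the domain controllers so that any remaining Windows Server 2003 DC is visible, and previews the raise with -WhatIf. Raising a functional level is a one-way operation, and the forest level cannot be raised above the lowest domain level, so the domain is raised before the forest.

```powershell
# Added example: confirm the domain meets the fine-grained password policy
# prerequisite (Windows Server 2008 domain functional level or higher).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
"Domain functional level : $($domain.DomainMode)"
"Forest functional level : $($forest.ForestMode)"

# Windows Server 2003 DCs block the raise, so list every DC with its OS first.
Get-ADDomainController -Filter * |
    Select-Object Name, OperatingSystem |
    Format-Table -AutoSize

# Compare the enum numerically: Windows2008Domain and above are sufficient.
$required = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $required) {
    "Domain level is too low for PSOs; previewing the raise (remove -WhatIf to apply)."
    # Domain first, forest second: the forest level can never exceed the
    # lowest domain level in the forest. Raising is irreversible.
    Set-ADDomainMode -Identity $domain -DomainMode Windows2008R2Domain -WhatIf
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -WhatIf
} else {
    "Domain level is sufficient; fine-grained password policies can be used."
}
```

Run the DC inventory on every domain in the forest before removing -WhatIf; a single forgotten 2003 DC in another domain is enough to make the forest raise fail.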
This article is from the "Sameold" blog; reprinting is not permitted.
Set up a separate password policy for departments in the company