In Windows 2000 and Windows Server 2003 Active Directory domains, a password policy and account lockout policy could only be configured in the Default Domain Policy, where they applied to all users. If special users needed a different password and account lockout policy, the only option was to create a new domain, because a domain could use only one password and account lockout policy.
Windows Server 2008 AD DS adds a new feature, called fine-grained password policy, which can be used to define multiple password policies in a domain and apply them to users or global security groups. Note that they cannot be applied to OUs. To use this feature, we need to use the ADSI Edit editor to create Password Settings objects (PSOs) for the domain. Here's how to do it:
First, open the ADSI Edit editor on the Windows Server 2008 DC and navigate to the location shown in the following figure:
Right-click the CN=Password Settings Container node, select New, and select the "msDS-PasswordSettings" class in the pop-up window, as shown in the following illustration:
Enter a name for the new Password Settings object in the window that appears next, as shown in the following illustration:
In the pop-up window, set a value for the msDS-PasswordSettingsPrecedence property. This is the priority setting: if more than one password policy in the domain is linked directly to the user, the policy with the smallest priority value is applied, as shown in the following figure:
In the pop-up window, set a Boolean value (False/True) for the msDS-PasswordReversibleEncryptionEnabled property, which corresponds to the "Store password using reversible encryption" setting in Group Policy. After setting it to False, click "Next", as shown in the following illustration:
In the pop-up window, set a value for the msDS-PasswordHistoryLength property, which corresponds to the "Enforce password history" setting in Group Policy and accepts values in the range 0-1024. After setting it, click "Next", as shown in the following illustration:
In the pop-up window, set a Boolean value (False/True) for the msDS-PasswordComplexityEnabled property, which corresponds to the "Password must meet complexity requirements" setting in Group Policy. Set it to enabled and click "Next", as shown in the following illustration:
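The attributes set in the steps above can be reviewed afterwards with a short audit script. This is an added example, not part of the original article: it assumes PowerShell 3.0 or later, uses the property names returned by `Get-ADFineGrainedPasswordPolicy` (ActiveDirectory module, an assumption about the host), and runs on constructed sample objects whose names and DNs are hypothetical.

```powershell
# Added example: audit PSO objects for the attributes discussed above.
# Property names follow Get-ADFineGrainedPasswordPolicy output; the msDS-* attribute is noted per check.
function Get-PsoFinding {
    param([Parameter(Mandatory)][object[]]$Pso)
    foreach ($p in $Pso) {
        # msDS-PasswordReversibleEncryptionEnabled should be False
        if ($p.ReversibleEncryptionEnabled) {
            [pscustomobject]@{ Pso = $p.Name; Finding = 'Reversible encryption enabled' }
        }
        # msDS-PasswordComplexityEnabled should be True
        if (-not $p.ComplexityEnabled) {
            [pscustomobject]@{ Pso = $p.Name; Finding = 'Complexity requirements disabled' }
        }
        # msDS-PasswordHistoryLength must fall in the range 0-1024
        if ($p.PasswordHistoryCount -lt 0 -or $p.PasswordHistoryCount -gt 1024) {
            [pscustomobject]@{ Pso = $p.Name; Finding = 'History length outside 0-1024' }
        }
    }
    # msDS-PasswordSettingsPrecedence: equal values make it unclear which PSO was meant to win
    $Pso | Group-Object Precedence | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Pso = ($_.Group.Name -join ', '); Finding = "Shared precedence $($_.Name)" }
    }
}

function Get-EffectiveDirectPso {
    # Among PSOs linked directly to the user, the smallest precedence value wins.
    param([object[]]$Pso, [string]$UserDn)
    $Pso | Where-Object { $_.AppliesTo -contains $UserDn } |
        Sort-Object Precedence | Select-Object -First 1
}

# Constructed sample data (hypothetical PSO names and user DN).
$admin = 'CN=svc-admin,OU=Admins,DC=example,DC=test'
$sample = @(
    [pscustomobject]@{ Name='PSO-Admins'; Precedence=10; ReversibleEncryptionEnabled=$false
                       ComplexityEnabled=$true;  PasswordHistoryCount=24; AppliesTo=@($admin) }
    [pscustomobject]@{ Name='PSO-Legacy'; Precedence=20; ReversibleEncryptionEnabled=$true
                       ComplexityEnabled=$false; PasswordHistoryCount=0;  AppliesTo=@($admin) }
)

Get-PsoFinding -Pso $sample | Format-Table -AutoSize
(Get-EffectiveDirectPso -Pso $sample -UserDn $admin).Name

# Live data, on a host with the ActiveDirectory module:
#   Get-PsoFinding -Pso (Get-ADFineGrainedPasswordPolicy -Filter *)
```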