Fine-grained password policy in Windows Server 2008

The Windows Server 2008 operating system provides a way for organizations to define different password and account lockout policies for users of different collections in a domain. In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, only one password policy and account lockout policy can be applied to all users in the domain. These policies are specified in the domain's default domain policy. As a result, organizations that want to define different passwords and account lockout policies for different sets of users can only create password filters or deploy multiple domains for implementation. The cost of these methods is high for different reasons.

What can fine-grained password policy do?

You can use the fine-grained password policy to specify multiple password policies in a domain. You can use the fine-grained password policy to apply different password and account lockout policies to users in different collections in the domain.

For example, you can apply stricter settings to privileged accounts, and less stringent settings to apply other accounts. In other cases, you may want to apply a specified password policy for such accounts, with their passwords synchronized with other data sources.

Things to consider before applying this policy

The fine-grained policy can only be applied to user objects (or InetOrgPerson objects if they are used instead of user objects) and global security groups. By default, only members in the domain Admins group can set up fine-grained password policies. However, you can delegate this permission to another user. The functional level of the domain must be Windows Server 2008.

Fine-grained password policies cannot be applied directly to organizational units (OUs). To apply a fine-grained password policy to a user in an OU, you can use a shadow group.

A shadow group is a global security group that logically maps to an OU to enforce a password policy. You can add users in the OU to the newly created Shadow group, and then apply the fine-grained password policy to the shadow group. You can also create additional shadow groups for other OUs. If you move users from one OU to another OU, you must update the members of the corresponding shadow group.

Fine-grained password policies do not interfere with custom password filters in the same domain. Those password filters that deploy custom password filters to the domain controllers running Windows 2000 or Windows Server 2003 can use these passwords to make additional enhancements to the password.

What new features can this feature provide?

Storage fine-grained password Policy

To store the fine-grained password policy, Windows Server 2008 contains two new objects in the Active Directory directory service schema:

o Password Settings Container

o Password Settings

The Password Settings Container (PSC) is created by default in the System container of the domain. You can view it through the Active Directory user and the Computer Management tool, selecting the Advanced Features option. It stores the password Settings objects (PSOs) of the domain.

You cannot rename, move, or delete the container. Although you can create additional custom PSCs, they are not considered when the resultant Set of policy is calculated. Therefore, this is not a recommended practice.

The setting of the properties of the PSO can be set in the default Domain Policy (except Kerberos settings). These settings include the following password setting properties.

o Enforce password history

o Maximum Password age

o Minimum Password age

o Minimum Password length

o Passwords must meet complexity requirements

o Store passwords using reversible encryption