Objective
As we know, the security of the domain controller (DC) is critical, and password protection is an important part of it. A password policy for Active Directory reduces security threats from both people and the network and helps keep Active Directory secure. AD administrators should know that on Windows 2000/2003, password policies can only be assigned at the domain level and cannot be applied individually to objects in Active Directory. In other words, the password policy works at the domain level, and a domain can have only one password policy. While a single, unified password policy greatly improves security, it makes life harder for domain users. For example, an enterprise administrator's account has high security requirements and needs a strong policy: passwords of a certain length, the administrator password changed every two weeks, and no reuse of recent passwords. Ordinary domain users do not need such a strict policy; they do not want to change their passwords frequently or use long passwords, and an ultra-strong password policy is not appropriate for them.
To solve this problem, Windows Server 2008 introduces the concept of multiple password policies (fine-grained password policies). Multiple password policies allow different password policies to be applied to different users or global security groups, for example:
A. The Administrators group can be assigned a strong password policy: passwords of 16 characters or more, expiring every two weeks;
B. Service accounts can be assigned a medium password policy: passwords expire after 30 days, and no account lockout policy is configured;
C. Ordinary domain users can be assigned a policy in which passwords expire after 90 days.
Multiple password policies were born to satisfy the different security requirements of different users. Although they meet the password security requirements of different levels of users, configuring them adds management complexity for administrators and is not very convenient; as the saying goes, you cannot have both the fish and the bear's paw. My intention in writing this article is to help you become familiar with this feature as quickly as possible, so that you can have both the fish and the bear's paw.
Deployment Attention Points
Deploying multiple password policies requires the following:
A. All domain controllers must run Windows Server 2008;
B. The domain functional level must be Windows Server 2008 domain functional mode, as shown in Figure 1 below:
Figure 1
C. No changes are needed on the clients;
D. If several password settings objects (PSOs) apply to a user or group, the PSO with the smallest precedence value takes effect. A PSO can be understood as something similar to a Group Policy Object (GPO); in plain terms, it is a password policy;
E. PSOs can be managed with ADSIEdit, LDIFDE or third-party tools;
F. Multiple password policies can only be applied to users and global security groups in Active Directory, not to computer objects in Active Directory, to non-domain users, or to organizational units (OUs).
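Before creating any PSO it is worth confirming requirements A and B from a script rather than by eye. The following is an added example, not code from the original article; it assumes the Microsoft ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and with RSAT; it is not part of Windows Server 2008 itself) is installed on the machine it runs on.

```powershell
# Added example (not from the original article): check the deployment
# prerequisites for fine-grained password policies.
# Assumes the Microsoft ActiveDirectory module is available.
Import-Module ActiveDirectory

$domain = Get-ADDomain
Write-Host "Domain functional level: $($domain.DomainMode)"

# Requirement B: Windows Server 2008 domain functional mode or higher.
# DomainMode values look like Windows2003Domain, Windows2008Domain, Windows2012R2Domain ...
if ("$($domain.DomainMode)" -notmatch 'Windows20(08|1\d|2\d)') {
    Write-Warning "Functional level $($domain.DomainMode) is too low; raise it to Windows Server 2008 first."
}

# Requirement A: every domain controller must run Windows Server 2008 or later.
# A single older DC means the level cannot be raised and PSOs cannot be used.
Get-ADDomainController -Filter * | ForEach-Object {
    if ($_.OperatingSystem -notmatch 'Windows Server (2008|201\d|202\d)') {
        Write-Warning "$($_.Name) runs '$($_.OperatingSystem)' and must be upgraded or demoted."
    } else {
        Write-Host "$($_.Name): $($_.OperatingSystem) OK"
    }
}

# The Password Settings Container only exists once the schema is at 2008 level;
# this is the container the ADSIEdit steps below work in.
$psc = "CN=Password Settings Container,CN=System,$($domain.DistinguishedName)"
Get-ADObject -Identity $psc | Select-Object Name, ObjectClass, DistinguishedName
```

Run it on a DC (or any domain-joined machine with RSAT) as a domain administrator; if either warning appears, the rest of the procedure will fail at the "New Object" step, so fix the prerequisite first.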
Hands-On
That's enough theory; next I will show, in a hands-on way, how to create and manage multiple password policies with ADSIEdit, ldifde, the third-party tool FGPP, and the AD PowerShell cmdlets produced by Quest. Because this series of articles covers many methods, so that everyone has a clear idea of what they are doing, I will write out the main procedure first:
Step 1: Create a PSO
Step 2: Apply PSO to User and/or global security groups
Step 3: Manage the PSO
Step 4: View the results of a user or global security group PSO
Step 5: Verify the results
Ⅰ. ADSIEDIT
Step 1: Create a PSO
1. Open Active Directory Users and Computers on a DC, create an OU named "Testou", then create a user named John and a global security group named Psogroup in that OU, and add John to the group. As shown in Figure 2.
Figure 2
2. Then run Adsiedit.msc on the DC and expand the tree to CN=Password Settings Container, as shown in Figure 3. Right-click it and select New > Object, as shown in Figure 4.
Figure 3
Figure 4
3. (Next, follow the screenshots exactly.) The New Object window appears, as shown in Figure 5; the only class offered is the password settings object. Click Next.
Figure 5
4. Next, give the PSO a meaningful name that is easy to manage. For example, I'll use "Adminpso", as shown in Figure 6.
Figure 6
5. Next, set the msDS-PasswordSettingsPrecedence attribute, which is the priority of the PSO. Although you can enter 0 or a negative number here, for the PSO to actually take effect the value must be greater than 0. As I said earlier, the smaller the number, the higher the priority. I'll enter 1, as shown in Figure 7.
Figure 7
6. Next, set the msDS-PasswordReversibleEncryptionEnabled attribute, which controls whether the user account's password is stored using reversible encryption. The accepted values are false and true. For security reasons (once enabled, a user's password can be recovered with tools), set this to false unless there is a special requirement. As shown in Figure 8.
Figure 8
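The same PSO the ADSIEdit steps build attribute by attribute (name Adminpso, precedence 1, reversible encryption off, applied to Psogroup) can be created and verified in a few commands. The following is an added example, not code from the original article or from Quest; it uses the Microsoft ActiveDirectory module cmdlets (Windows Server 2008 R2 / RSAT, assumed installed), and the lockout and history values are sample choices for a "strong" administrator policy, not values the article prescribes.

```powershell
# Added example (not from the original article): Steps 1-5 of the procedure
# for the "Adminpso" policy, using the Microsoft ActiveDirectory module.
Import-Module ActiveDirectory

# Step 1: create the PSO. Every attribute below corresponds to a field that the
# ADSIEdit walkthrough fills in by hand.
$pso = @{
    Name                        = 'Adminpso'
    Precedence                  = 1        # msDS-PasswordSettingsPrecedence: lowest number wins
    ReversibleEncryptionEnabled = $false   # msDS-PasswordReversibleEncryptionEnabled: keep off
    ComplexityEnabled           = $true
    MinPasswordLength           = 16       # "16 characters or more"
    MaxPasswordAge              = (New-TimeSpan -Days 14)   # "expires every two weeks"
    MinPasswordAge              = (New-TimeSpan -Days 1)
    PasswordHistoryCount        = 24       # sample value, not from the article
    LockoutThreshold            = 5        # sample value, not from the article
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    Description                 = 'Strong password policy for administrators'
}
New-ADFineGrainedPasswordPolicy @pso

# Step 2: apply the PSO to the global security group created in Step 1 of the
# walkthrough (a user name would work here too, but not an OU or a computer).
Add-ADFineGrainedPasswordPolicySubject -Identity 'Adminpso' -Subjects 'Psogroup'

# Step 3: read the PSO back as it is stored under CN=Password Settings Container.
Get-ADFineGrainedPasswordPolicy -Identity 'Adminpso' -Properties * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
                  ReversibleEncryptionEnabled, AppliesTo

# Step 4: show which PSO actually wins for John (member of Psogroup). If the
# default domain policy applies instead, this returns nothing.
Get-ADUserResultantPasswordPolicy -Identity 'John' | Select-Object Name, Precedence

# Step 5: verify. A 10-character password must be rejected by the 16-character
# minimum. 'Short#2008' is a constructed test value for the test user John.
try {
    Set-ADAccountPassword -Identity 'John' -Reset `
        -NewPassword (ConvertTo-SecureString 'Short#2008' -AsPlainText -Force)
    Write-Warning 'Short password was accepted: the PSO is not in effect for John.'
} catch {
    Write-Host "Short password rejected as expected: $($_.Exception.Message)"
}
```

Get-ADUserResultantPasswordPolicy is the command to trust when several PSOs exist: a PSO linked directly to the user wins over any linked through group membership, and only among PSOs at the same level does the smallest precedence value decide, so the precedence number alone does not tell you which policy a given account gets.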