Objective
In the previous article, "Proficient in Windows Server 2008 multiple password Policy ADSIEdit," I introduced how to create and manage Password Settings Objects (PSOs) with the ADSI Edit tool and the Active Directory Users and Computers snap-in. I will not repeat the background and the points that need attention in this article or the ones after it; please see the previous article if necessary. The focus here is the hands-on part. Enough talk, let's start! So that everyone has a clear idea of the procedure, here are the main steps:
Step 1: Create a PSO
Step 2: Apply the PSO to users and/or global security groups
Step 3: Manage the PSO
Step 4: View the resultant PSO for a user or global security group
Step 5: Verify the results
Note: Because some steps are generic and repeat earlier material, not every step is demonstrated here; please refer to the previous article.
Hands-on
Ⅱ. LDIFDE
Step 1: Create a PSO
1. Before using the LDIFDE tool to create a PSO, it is necessary to introduce the concept of "negative PSO attribute values". As you saw in the previous article, when you create a Password Settings Object (PSO) with ADSI Edit, you enter the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) in DD:HH:MM:SS format. In this article, when you use the LDIFDE command to create a PSO, you must enter the values of these attributes in I8 format, which stores time in 100-nanosecond intervals. The Windows Server 2003 "Default Domain Policy" uses this exact time unit for its corresponding time-related attributes. To set these attributes to the appropriate values, convert the time value in minutes, hours, or days to a value in 100-nanosecond intervals, and then precede the result with a minus sign. A little confusing? An example makes it clear:
1 minute converted to an I8 value:
-60 * (10^7) = -600000000
1 hour converted to an I8 value:
-60 * 60 * (10^7) = -36000000000
1 day converted to an I8 value:
-24 * 60 * 60 * (10^7) = -864000000000
For example, to set msDS-MaximumPasswordAge to 10 days, multiply -864000000000 by 10 and apply the resulting I8 value to the msDS-MaximumPasswordAge attribute (in this case -8640000000000). To set msDS-LockoutDuration to 30 minutes, multiply -600000000 by 30 to get the corresponding I8 value (in this case -18000000000).
2. Create the settings for a new PSO by saving the following sample code as a file (for example, Adminpso.ldf). The lines in parentheses are explanations and are not part of the file:
dn: CN=adminpso,CN=Password Settings Container,CN=System,DC=winos,DC=cn
(Note: the three words in "Password Settings Container" are separated by spaces.)
changetype: add
objectClass: msDS-PasswordSettings
msDS-MaximumPasswordAge:-12096000000000
(Maximum password age is 14 days)
msDS-MinimumPasswordAge:-0
(Minimum password age is 0 days, that is, you can change your password immediately)
msDS-MinimumPasswordLength:16
(Minimum password length is 16 characters)
msDS-PasswordHistoryLength:3
(A new password cannot repeat any of the last 3 passwords)
msDS-PasswordComplexityEnabled:TRUE
(Enable password complexity requirements)
msDS-PasswordReversibleEncryptionEnabled:FALSE
(Do not store user passwords with reversible encryption)
msDS-LockoutObservationWindow:-18000000000
(Account lockout observation window is 30 minutes)
msDS-LockoutDuration:-18000000000
(Account lockout duration is 30 minutes)
msDS-LockoutThreshold:3
(The account is locked after 3 wrong passwords)
msDS-PasswordSettingsPrecedence:1
(Precedence of the PSO)
msDS-PSOAppliesTo:CN=psogroup,OU=testou,DC=winos,DC=cn
(Object the PSO applies to)
Figure 1
As shown in Figure 1, make sure there are no extra spaces at the end of any line of text.
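As an added example (not code from the original article), the following Python script converts durations to and from the I8 values described in step 1 and checks PSO LDIF text for two mistakes this article warns about: a missing minus sign on a time attribute and trailing spaces at the end of a line. The function names and the sample text are constructed for illustration.

```python
# Added example: lint a PSO LDIF file before importing it with LDIFDE.
TICKS_PER_SECOND = 10**7  # I8 values count 100-nanosecond intervals

TIME_ATTRS = {
    "msds-maximumpasswordage", "msds-minimumpasswordage",
    "msds-lockoutobservationwindow", "msds-lockoutduration",
}

def to_i8(days=0, hours=0, minutes=0):
    """Convert a duration to the negative I8 value a PSO expects."""
    seconds = (days * 24 + hours) * 3600 + minutes * 60
    return -seconds * TICKS_PER_SECOND

def from_i8(value):
    """Convert an I8 value back to (days, hours, minutes)."""
    minutes = abs(value) // (60 * TICKS_PER_SECOND)
    return minutes // 1440, (minutes % 1440) // 60, minutes % 60

def lint_pso_ldif(text):
    """Return (durations, problems) for the LDIF text of one PSO."""
    durations, problems = {}, []
    for number, line in enumerate(text.splitlines(), start=1):
        if line != line.rstrip():
            problems.append(f"line {number}: trailing whitespace")
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in TIME_ATTRS:
            continue  # not one of the four time-related attributes
        try:
            ticks = int(value.strip())
        except ValueError:
            problems.append(f"line {number}: {name} is not an integer")
            continue
        if ticks > 0:
            problems.append(f"line {number}: {name} must be negative")
        durations[name.strip().lower()] = from_i8(ticks)
    return durations, problems

# Constructed sample: two time attributes from the file above, the second
# with a deliberate trailing space and a missing minus sign.
SAMPLE = (
    "msDS-MaximumPasswordAge:-12096000000000\n"
    "msDS-LockoutDuration:18000000000 \n"
)

if __name__ == "__main__":
    found, issues = lint_pso_ldif(SAMPLE)
    print(found)
    print("\n".join(issues) or "no problems found")
```
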