In Windows 2000 Server and Windows Server 2003 Active Directory domains we could define only one password policy, and that single policy applied to the whole domain, every organizational unit included. Starting with Windows Server 2008 Active Directory it is possible to apply different password policies inside one domain. These separate policies are defined per user or per (global) security group, not per OU.
One caveat:
Let me remind you that this feature requires a Domain Functional Level of at least Windows Server 2008. For those who do not remember, you raise the functional level from the Active Directory Users & Computers snap-in by right-clicking the domain name and choosing Raise Domain Functional Level. Before Windows warns you, I want to warn you myself: this step cannot be undone, and after it the domain can hold only Windows Server 2008 domain controllers. The wizard refuses to raise the level while any Windows Server 2003 domain controller is still in the domain, and none can be added afterwards.
Related TechNet links:
- AD DS: Fine-Grained Password Policies
- Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration
The official name of the feature is Fine-Grained Password Policy. Some MVPs have also written nice GUI front ends for the job, for example:
- The Fine Grained Password Policy Tool by Christoffer Andersson.
- PowerGUI by Dmitry Sotnikov; download it here.
- A nice tool by Arlindo (with screenshots).
Of course, for the whole domain you can still simply change the settings in the Default Domain Policy.
But now let's define a separate password policy for a single user or group. Get ready, close your open programs, and let's begin:
1. Start –> Run –> adsiedit.msc
2. Right-click ADSI Edit, choose Connect to..., and click OK.
3. In the tree, navigate to:
Default naming context\DC=yourdomain,DC=com\CN=System\CN=Password Settings Container
4. Right-click Password Settings Container and click New > Object.
5. Select msDS-PasswordSettings, click Next, and for the cn value enter SerkansPasswordSettings, then click Next. (Any name will do; this is the name of the Password Settings Object, or PSO.)
6. msDS-PasswordSettingsPrecedence: set the value to 10 and click Next. (The value must be greater than zero. If a user is covered by more than one PSO, the PSO with the lowest precedence value wins; a PSO linked directly to the user beats one linked through a group.)
7. Fill in the following attributes for password settings:
· msDS-PasswordReversibleEncryptionEnabled (self-explanatory; leave it off unless an application truly needs the clear-text password)
Value = False
· msDS-PasswordHistoryLength (also self-explanatory; you can keep up to 1024)
Value = 15
(domain default: 24)
· msDS-PasswordComplexityEnabled (upper case, lower case, number, and so on)
Value = True
· msDS-MinimumPasswordLength (if only everyone were using pass-phrases instead of passwords)
Value = 12
(domain default: 7 characters)
Now we get into crazy land. MinimumPasswordAge, MaximumPasswordAge, LockoutObservationWindow and LockoutDuration are stored in I8 format, and the values below are given that way. (As the TechNet note quoted next explains, Windows Server 2008's ADSI Edit also accepts them as d:hh:mm:ss; the I8 form is mandatory when you create the PSO with ldifde.)
To quote from TechNet:
When you use ADSI Edit to create Password Settings objects (PSOs), enter the values of the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) in d:hh:mm:ss format.
When you use the ldifde command to create PSOs, you must enter the values of these attributes in I8 format, which stores time in the intervals of -100 nanoseconds. (Schema: attributeSyntax = 2.5.5.16 (I8).) Windows Server 2003 Default Domain Policy employs this exact time unit for its corresponding time-related attributes. To set these attributes to appropriate values, convert time values in minutes, hours, or days to time values in the intervals of 100 nanoseconds, and then precede the resultant values with a negative sign.
You can use the following conversion guide and multiplication factors to obtain the corresponding I8 values.
| Time unit | Multiplication factor |
|---|---|
| m minutes | -60*(10^7) = -600000000 |
| h hours | -60*60*(10^7) = -36000000000 |
| d days | -24*60*60*(10^7) = -864000000000 |
For example, if you want to set the msDS-MaximumPasswordAge to 10 days, multiply 10 by -864000000000 and apply the resulting I8 value to the msDS-MaximumPasswordAge attribute (in this example, -8640000000000). If you want to set msDS-LockoutDuration to 30 minutes, multiply 30 by -600000000 to get the corresponding I8 value (in this example, -18000000000).
· msDS-MinimumPasswordAge
Value = -864000000000 (Nine zeroes)
(domain default: 1 day = -864000000000)
· msDS-MaximumPasswordAge
Value = -36288000000000 (Nine zeroes)
(domain default: 42 days = -36288000000000)
8. Fill in the following attributes for account lockout settings:
· msDS-LockoutThreshold
Value = 0
(domain default: 0 = never lock accounts out after invalid passwords; with 0 the two windows below have no effect, but the attributes are still mandatory and must be filled in)
· msDS-LockoutObservationWindow
Value = -18000000000 (Nine zeroes)
(domain default: 30 min = -18000000000)
· msDS-LockoutDuration
Value = -18000000000 (Nine zeroes)
(domain default: 30 min = -18000000000; the observation window must not be longer than the lockout duration)
9. Click Finish.
If you get an error message about improper values, you probably forgot the "-" in front of one of the numbers listed above, or you broke one of the rules the domain controller checks when it saves the object: the precedence must be greater than zero, MinimumPasswordAge must not exceed MaximumPasswordAge, and LockoutObservationWindow must not exceed LockoutDuration. Don't feel bad if you did, I manage to do it every time I run through this
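The walkthrough above types every attribute into ADSI Edit and converts the four time values by hand. As an added example (this is not code from the original post), here is a PowerShell script that builds the same PSO as an LDIF file and imports it with ldifde, the second creation path the quoted TechNet note mentions. It uses the fact that a .NET TimeSpan counts in 100-nanosecond ticks, exactly the I8 unit, so the I8 value of a duration is simply the negative of its Ticks, and it checks the rules the domain controller enforces before anything is written. The PSO name and values are the ones from the walkthrough; the domain DN DC=yourdomain,DC=com and the file location are assumptions.

```powershell
# Added example, not from the original post. Builds a Password Settings Object as
# LDIF and imports it with ldifde. Run on a DC (or a box with RSAT) as a user that
# may create objects under CN=Password Settings Container.
# Assumptions: domain DN DC=yourdomain,DC=com and the walkthrough's values.

# A .NET TimeSpan counts in 100-nanosecond ticks, the same unit as AD's I8
# attributes, so the I8 value is just the negative of Ticks: 10 days -> -8640000000000.
function ConvertTo-I8 {
    param([Parameter(Mandatory=$true)][TimeSpan]$Duration)
    if ($Duration -lt [TimeSpan]::Zero) { throw "Duration must not be negative, got $Duration" }
    return -$Duration.Ticks
}

function New-PsoLdif {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$DomainDN,
        [Parameter(Mandatory=$true)][int]$Precedence,
        [int]$HistoryLength = 24,                      # defaults mirror the Default Domain Policy
        [int]$MinimumLength = 7,
        [bool]$ComplexityEnabled = $true,
        [TimeSpan]$MinimumAge = [TimeSpan]::FromDays(1),
        [TimeSpan]$MaximumAge = [TimeSpan]::FromDays(42),
        [int]$LockoutThreshold = 0,                    # 0 = never lock out
        [TimeSpan]$LockoutObservationWindow = [TimeSpan]::FromMinutes(30),
        [TimeSpan]$LockoutDuration = [TimeSpan]::FromMinutes(30)
    )
    # Rules the DC enforces when the object is saved; failing them is the
    # "improper value" error, so check up front with a readable message.
    if ($Precedence -le 0) { throw "msDS-PasswordSettingsPrecedence must be greater than 0" }
    if ($MinimumAge -gt $MaximumAge) { throw "MinimumPasswordAge must not exceed MaximumPasswordAge" }
    if ($LockoutObservationWindow -gt $LockoutDuration) { throw "LockoutObservationWindow must not exceed LockoutDuration" }

    $dn = "CN=$Name,CN=Password Settings Container,CN=System,$DomainDN"
    # Booleans are TRUE/FALSE in AD LDIF; reversible encryption is hard-coded off;
    # the four durations go in as I8.
@"
dn: $dn
changetype: add
objectClass: msDS-PasswordSettings
cn: $Name
msDS-PasswordSettingsPrecedence: $Precedence
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: $HistoryLength
msDS-PasswordComplexityEnabled: $($ComplexityEnabled.ToString().ToUpper())
msDS-MinimumPasswordLength: $MinimumLength
msDS-MinimumPasswordAge: $(ConvertTo-I8 $MinimumAge)
msDS-MaximumPasswordAge: $(ConvertTo-I8 $MaximumAge)
msDS-LockoutThreshold: $LockoutThreshold
msDS-LockoutObservationWindow: $(ConvertTo-I8 $LockoutObservationWindow)
msDS-LockoutDuration: $(ConvertTo-I8 $LockoutDuration)
"@
}

# The same PSO the walkthrough builds in ADSI Edit.
$ldif = New-PsoLdif -Name 'SerkansPasswordSettings' -DomainDN 'DC=yourdomain,DC=com' `
    -Precedence 10 -HistoryLength 15 -MinimumLength 12 `
    -MinimumAge ([TimeSpan]::FromDays(1)) -MaximumAge ([TimeSpan]::FromDays(42)) `
    -LockoutThreshold 0 `
    -LockoutObservationWindow ([TimeSpan]::FromMinutes(30)) -LockoutDuration ([TimeSpan]::FromMinutes(30))

$path = Join-Path $env:TEMP 'pso.ldf'
Set-Content -Path $path -Value $ldif -Encoding ASCII   # plain ASCII, no BOM, for ldifde
ldifde -i -f $path -k                                  # -k: ignore "already exists" and carry on
```

Because the durations are TimeSpans, a typo such as a missing zero shows up as a wrong day count in the script instead of a silently wrong nine-zero number, and the three constraint checks fail with a plain message before ldifde ever runs.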
If you did everything right, it should look something like this:
Go ahead and hit "OK", then close all open windows. Now that you have created a password policy, it has to be applied to a user or group. To do so you must have "write" permission on the PSO object. We're doing this in a lab and I'm a Domain Admin, so write permission is not a problem
- Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active Directory Users and Computers).
- On the View menu, ensure that Advanced Features is checked.
- In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password Settings Container
- In the details pane, right-click the PSO, and then click Properties.
- Click the Attribute Editor tab.
- Select the msDS-PsoAppliesTo attribute, and then click Edit.
If you do not see msDS-PsoAppliesTo attribute in the Attributes list, click Filter, and then click Show attributes/Optional. Also, clear the Show only attributes that have values check box.
- In the Multi-valued String Editor dialog box, enter the distinguished name (DN) of the user or global security group that you want this PSO to apply to, click Add, and then click OK. (A PSO can only be linked to user objects and global security groups; it cannot be linked to an OU, and links to domain-local or universal groups have no effect. For the users of an OU, put them in a global security group and link that group.)
To obtain the full distinguished name of a user or a global security group, in the details pane, right-click the user or the global security group, and then click Properties. On the Attribute Editor tab, view the value of the Distinguished Name attribute in the Attributes list.
Voila! Hit "OK" a couple of times, and your users/groups now have a custom password policy assigned to them. To confirm which policy a user actually ends up with, look at the user's msDS-ResultantPSO attribute on the Attribute Editor tab (it is a constructed attribute, so enable constructed attributes in the Filter menu); if it is empty, the Default Domain Policy applies. No longer do you have to have separate domains for your developers and standard users. Good times
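The same link made from PowerShell, as an added example that is not part of the original post. It uses plain ADSI, so it runs on a Windows Server 2008 domain controller without the Windows Server 2008 R2 ActiveDirectory module, refuses targets that a PSO cannot apply to (anything but a user or a global security group, which AD itself would silently accept), and then reads the user's msDS-ResultantPSO back to show which PSO won. All distinguished names are assumptions for an imaginary lab domain; the account running it needs write permission on the PSO.

```powershell
# Added example, not from the original post. Links a PSO to a user or global
# security group via msDS-PsoAppliesTo and reads back the resultant policy.
# Assumed lab DNs throughout.

function Add-PsoSubject {
    param(
        [Parameter(Mandatory=$true)][string]$PsoDN,
        [Parameter(Mandatory=$true)][string]$SubjectDN
    )
    $subject = [ADSI]"LDAP://$SubjectDN"
    $class = $subject.psbase.SchemaClassName
    # AD stores any DN in msDS-PsoAppliesTo, but only users and global security
    # groups actually receive the policy, so refuse everything else up front.
    switch ($class) {
        'user'  { }
        'group' {
            # groupType bits: 0x2 = global scope, 0x80000000 = security-enabled
            $groupType = [int]$subject.psbase.Properties['groupType'].Value
            if (($groupType -band 0x2) -eq 0) {
                throw "$SubjectDN is not a global group; PSOs ignore domain-local and universal groups"
            }
            if (($groupType -band 0x80000000) -eq 0) {
                throw "$SubjectDN is a distribution group, not a security group"
            }
        }
        default { throw "PSOs cannot be applied to a '$class' object; for an OU, link a global security group instead" }
    }
    $pso = [ADSI]"LDAP://$PsoDN"
    # Add appends, so PSO links that already exist are kept.
    [void]$pso.psbase.Properties['msDS-PsoAppliesTo'].Add($SubjectDN)
    $pso.psbase.CommitChanges()
}

function Get-ResultantPso {
    param([Parameter(Mandatory=$true)][string]$UserDN)
    # msDS-ResultantPSO is computed by the DC: a PSO linked directly to the user
    # beats any group-linked PSO; otherwise the lowest precedence value wins.
    # It is a constructed attribute, so it must be requested explicitly.
    $user = [ADSI]"LDAP://$UserDN"
    $user.psbase.RefreshCache([string[]]@('msDS-ResultantPSO'))
    $result = [string]$user.psbase.Properties['msDS-ResultantPSO'].Value
    if ($result -eq '') { return 'Default Domain Policy (no PSO applies)' }
    return $result
}

Add-PsoSubject -PsoDN 'CN=SerkansPasswordSettings,CN=Password Settings Container,CN=System,DC=yourdomain,DC=com' `
               -SubjectDN 'CN=Developers,OU=Groups,DC=yourdomain,DC=com'
Get-ResultantPso -UserDN 'CN=Serkan,OU=Users,DC=yourdomain,DC=com'
```

To unlink, call Remove instead of Add on the same msDS-PsoAppliesTo collection and commit again; checking msDS-ResultantPSO afterwards is the quickest way to see whether another PSO, or the Default Domain Policy, has taken over for that user.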
Good idea
awesome post – i'm creating a video about it and i will post it to youtube!
if you want to help or just need a link send me an email!
hm. hope to see some more info. Can we speak about it?
Thanks. I read with interest
Your post caught my interest. Did you build the site with WordPress?
Yes, with WordPress.
Thank you for such a fantastic blog. Where else could one get this kind of info written in such an insightful way? I have a presentation that I am just now working on, and I have been looking for such information.
I enjoyed reading it. I need to read more on this subject. Thanks for sharing good info. Anyway, I'm going to subscribe to your feed and I hope you publish again soon.
nice post. thanks.
I like your post. Your blog is fantastic.