PSO Creation and Configuration Tools
Microsoft doesn’t plan to provide a GUI tool or Microsoft Management Console (MMC) snap-in extension to configure fine-grained password policies in the first Server 2008 release. However, you can use existing LDAP query tools such as LDP or LDIFDE, or the MMC ADSI Edit snap-in, to define and configure PSOs. These tools are available on any Server 2008 AD installation. Although these three tools are rather complex, experienced AD administrators should have no problem using them to set the new password policies.

Novice AD administrators, or experienced administrators who simply want to make their jobs easier, might consider Joe Richards’ command-line tool called psomgr.exe, or Special Operations Software’s Specops Password Policy tool. Specops Password Policy lets you use a special MMC snap-in to configure PSOs from the Windows GUI. Both tools hide the AD complexity behind fine-grained password policies and significantly ease their configuration.
You can download the PSOMgr tool from www.joeware.net/freetools/tools/psomgr. The full-featured commercial version of Specops Password Policy is available at www.specopssoft.com/products/specopspasswordpolicy; a free version with limited functionality, called Specops Password Policy Basic, is available at www.specopssoft.com/wiki/index.php/specopspasswordpolicybasic. The full-featured version extends the standard Windows password policy capabilities by adding features such as the ability to disallow the use of user names or certain words in passwords, and automatic user notification of password expiry via email message.
To use ADSI Edit to define a new PSO, start ADSI Edit and connect to the domain where you want to define a fine-grained password policy. Then, navigate to the System\Password Settings Container. Right-click the container and select New, Object. In the Create Object dialog box, which Figure 1 shows, select the msDS-PasswordSettings object class, and enter your preferred password and account lockout policy values for the different PSO attributes.
To use LDP to define a new PSO, you must initiate several LDAP commands from the LDP interface. (For information about using LDP, see the Microsoft article “Using Ldp.exe to Find Data in the Active Directory,” at support.microsoft.com/kb/224543.) To use the LDIFDE command line to define a new PSO, you must first create an LDF configuration file that specifies the different PSO attributes. (For information about using LDIFDE, see the Microsoft article “Using LDIFDE to import and export directory objects to Active Directory,” at support.microsoft.com/kb/237677. For more detailed instructions, see the Microsoft article “Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration,” at technet2.microsoft.com/windowsserver2008/en/library/2199dcf7-68fd-4315-87cc-ade35f8978ea1033.mspx?mfr=true.)
When you use the ADSI Edit version that’s bundled with Server 2008 to define PSOs, you must enter the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) in the days:hours:minutes:seconds format. For example, to set a maximum password age of 40 days, you’d enter the value 40:00:00:00.

When you use the ldifde command or an older (pre-Server 2008) version of ADSI Edit to create PSOs, you must enter the values of these attributes in I8 format (i.e., an integer represented in 8 bytes). In the I8 format, a time span is stored as a negative count of 100-nanosecond intervals. This means that to use LDIFDE or an older ADSI Edit version to set PSO attributes to their appropriate values, you must convert the time you want to set (in minutes, hours, or days) to a number of 100-nanosecond intervals, then precede the resultant value with a minus sign (-).
Because the I8 format is difficult to use, I recommend that you use the Server 2008 version of the ADSI Edit tool (or the PSOMgr or Specops Password Policy tools) for defining PSOs. The Microsoft article “Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration” (technet2.microsoft.com/windowsserver2008/en/library/2199dcf7-68fd-4315-87cc-ade35f8978ea1033.mspx?mfr=true) explains I8 conversion in more detail.
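The I8 conversion is mechanical, so it is worth scripting rather than doing by hand. The following Python script is an added example, not code from the article, Microsoft, or the PSOMgr or Specops projects: it converts the days:hours:minutes:seconds values that the Server 2008 ADSI Edit accepts into the negative 100-nanosecond counts ldifde expects, and emits an LDF file that creates a PSO in the Password Settings Container. The PSO name, domain DN, policy values and the msDS-PSOAppliesTo target DN are constructed sample values; the attribute names other than the four time-related ones and msDS-PSOAppliesTo come from the msDS-PasswordSettings object class rather than from this article.

```python
"""Build an ldifde-ready LDF file for a Server 2008 PSO, converting
days:hours:minutes:seconds values into the negative I8 form that ldifde
(and pre-Server 2008 ADSI Edit) require for the time-related attributes."""

TICKS_PER_SECOND = 10_000_000  # one I8 tick is 100 ns, so 10^7 ticks per second


def dhms_to_i8(value: str) -> int:
    """'days:hours:minutes:seconds' -> total 100-ns intervals, negated."""
    parts = value.split(":")
    if len(parts) != 4:
        raise ValueError(f"expected days:hours:minutes:seconds, got {value!r}")
    days, hours, minutes, seconds = (int(p) for p in parts)
    if min(days, hours, minutes, seconds) < 0 or hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"field out of range in {value!r}")
    total_seconds = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    return -(total_seconds * TICKS_PER_SECOND)


def i8_to_dhms(value: int) -> str:
    """Inverse conversion, for reading back values exported with ldifde."""
    if value > 0:
        raise ValueError("PSO time values are stored as non-positive I8 numbers")
    total_seconds, remainder = divmod(-value, TICKS_PER_SECOND)
    if remainder:
        raise ValueError("value is not a whole number of seconds")
    days, rest = divmod(total_seconds, 86_400)
    hours, rest = divmod(rest, 3_600)
    minutes, seconds = divmod(rest, 60)
    return f"{days}:{hours:02d}:{minutes:02d}:{seconds:02d}"


def pso_ldif(name, domain_dn, precedence, max_pwd_age, min_pwd_age,
             lockout_duration, lockout_window, min_length=8, history=24,
             lockout_threshold=5, complexity=True, applies_to=()):
    """Return the text of an LDF file that creates one PSO (import with
    'ldifde -i -f file.ldf'). Time arguments use days:hours:minutes:seconds."""
    max_age, min_age = dhms_to_i8(max_pwd_age), dhms_to_i8(min_pwd_age)
    duration, window = dhms_to_i8(lockout_duration), dhms_to_i8(lockout_window)
    # I8 values are negative, so "longer" means numerically smaller. Reject the
    # combinations the domain controller would refuse or that make no sense:
    # a minimum age at or above the maximum, or an observation window longer
    # than the lockout duration.
    if max_age != 0 and min_age <= max_age:
        raise ValueError("minimum password age must be shorter than maximum age")
    if duration != 0 and window < duration:
        raise ValueError("lockout observation window must not exceed lockout duration")
    dn = f"CN={name},CN=Password Settings Container,CN=System,{domain_dn}"
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"cn: {name}",
        f"msDS-PasswordSettingsPrecedence: {precedence}",
        "msDS-PasswordReversibleEncryptionEnabled: FALSE",
        f"msDS-PasswordHistoryLength: {history}",
        f"msDS-PasswordComplexityEnabled: {'TRUE' if complexity else 'FALSE'}",
        f"msDS-MinimumPasswordLength: {min_length}",
        f"msDS-MinimumPasswordAge: {min_age}",
        f"msDS-MaximumPasswordAge: {max_age}",
        f"msDS-LockoutThreshold: {lockout_threshold}",
        f"msDS-LockoutObservationWindow: {window}",
        f"msDS-LockoutDuration: {duration}",
    ]
    # Optional: link the PSO at creation time instead of via ADSI Edit later.
    lines += [f"msDS-PSOAppliesTo: {target_dn}" for target_dn in applies_to]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values (hypothetical domain, PSO and group).
    print(pso_ldif(
        name="PSO-Admins", domain_dn="DC=example,DC=local", precedence=10,
        max_pwd_age="40:00:00:00", min_pwd_age="1:00:00:00",
        lockout_duration="0:00:30:00", lockout_window="0:00:30:00",
        min_length=14, applies_to=["CN=Domain Admins,CN=Users,DC=example,DC=local"],
    ))
```

The 40-day example from the text comes out as -34560000000000 (40 × 86,400 seconds × 10,000,000 ticks, negated), which is exactly what you would have to type into ldifde or the older ADSI Edit. The round-trip function is handy when auditing existing PSOs: run ldifde -f with an export filter, feed the I8 values through i8_to_dhms, and you can read the policy without mental arithmetic.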
In addition to using ADSI Edit, LDP, LDIFDE, PSOMgr, or Specops Password Policy to link PSOs to users or global groups, you can also use the MMC Active Directory Users and Computers snap-in. To link a PSO to a user or group from this snap-in, open the snap-in and ensure that the Advanced Features view is enabled. (To enable this view, use the Advanced Features option in the View menu.) Then, open the Password Settings Container in the System container, right-click the PSO you want to link, and select Properties. In the Properties dialog box, select the Attribute Editor tab, select the msDS-PSOAppliesTo attribute, and click Edit. Finally, in the Edit dialog box, which Figure 2 shows, enter the DN of the user or group you want to link the PSO to. If you don’t know the correct DN of a user or group, you can obtain it from the Active Directory Users and Computers snap-in. In the snap-in’s details pane, right-click the user or the global security group, select Properties, select the Attribute Editor tab, and view the value of the user’s or group’s distinguishedName attribute in the Attributes list.
A Valuable Addition
Server 2008’s fine-grained password and account lockout policies are a valuable addition to the Windows security management portfolio. Although defining and configuring these policies isn’t straightforward in the first Server 2008 release (I strongly advise you to use PSOMgr or the Specops Password Policy tool), the policies do provide a significant level of additional flexibility. For example, Server 2008’s fine-grained password policies eliminate the need for organizations to define additional Windows domains or develop special password filters.
January 04, 2008