How many unique password policies do you want? Take advantage of the new feature but don't go crazy. Consider the different groups in your organization and break them down into groups that logically need different policies. It is recommended that you keep the number of PSOs between three and ten.
Here is one example:
- Service Account Policy that doesn't force password changes but has a high minimum for password length
- Average Joe Policy that ensures passwords get changed and meet minimum complexity requirements
- Super Awesome Administrator Policy that is more strict than your Average Joe Policy
- Super Annoying People Policy that forces password changes every 2 days and requires a minimum password length of 100
PSOs are not applied to OUs; they are applied to global security groups. You create the global security groups in Active Directory Users and Computers, and don't forget to add your users to their respective groups. If you don't want everyone changing their password on the same day, stagger the times at which you add users to their security group. Although security groups can serve several purposes, I recommend limiting these ones to enforcing the password policies only.
Once you have your security groups created and populated you can start by creating your first PSO. This can be done using ADSI Edit or ldifde. You can find step-by-step instructions at http://technet.microsoft.com/en-us/library/cc754461.aspx.
The next step is to apply the PSO to the global security group. This can be done within Active Directory Users and Computers or with ldifde. You can find step-by-step instructions at http://technet.microsoft.com/en-us/library/cc731589.aspx.
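As an added example (not from the original article or from Microsoft's documentation), here is an ldifde input file that does both of the steps above in one import: it creates a Service Account PSO like the first policy in the list and links it to a global security group. The domain DC=example,DC=com, the PSO name and the group name are assumed placeholders; duration attributes are stored as negative counts of 100-nanosecond intervals, and when a user belongs to more than one linked group the PSO with the lowest precedence value wins.

```ldif
# Constructed example: Service Account PSO (password never expires, long
# minimum length, no reversible encryption) in the Password Settings
# Container, then linked to the group holding the service accounts.
# Domain, PSO name and group name are assumed placeholders.
# Import with:  ldifde -i -f service-account-pso.ldf
#
# Precedence: lower number = higher priority when a user is in several groups.
# Durations: 1 day = -864000000000, 30 minutes = -18000000000 (100-ns units);
# the largest negative 64-bit value for MaximumPasswordAge means "never".
dn: CN=PSO-ServiceAccounts,CN=Password Settings Container,CN=System,DC=example,DC=com
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 20
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 20
msDS-MinimumPasswordAge: -864000000000
msDS-MaximumPasswordAge: -9223372036854775808
msDS-LockoutThreshold: 10
msDS-LockoutObservationWindow: -18000000000
msDS-LockoutDuration: -18000000000

# Link the PSO to the global security group (same result as selecting the
# group in ADSI Edit or Active Directory Users and Computers).
dn: CN=PSO-ServiceAccounts,CN=Password Settings Container,CN=System,DC=example,DC=com
changetype: modify
add: msDS-PSOAppliesTo
msDS-PSOAppliesTo: CN=PSO-ServiceAccounts-Members,CN=Users,DC=example,DC=com
-
```

To check which policy a given account actually ends up with after the import, read that user's constructed msDS-ResultantPSO attribute in ADSI Edit.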
You can delete PSOs if you wish. You can also adjust who is affected by the password policy by adding and deleting users from the linked global security group. I find these policies very easy to maintain.
In my environment I was able to create the policies and implement them in one day. This is one new aspect of my Windows Server 2008 domain that makes me very happy. It allows multiple levels of security which also makes my end users and the auditors happy.
Source:
Microsoft, Inc.
Published by Loki Morgan - Featured Contributor in Technology
- Configuring password policies has gotten much easier with Windows Server 2008.
- You can now configure fine-grain password and account lockout policies.
4 Comments
Holy Cow, I am glad I do not have to deal with this! But I know it is very important.
We're looking into this right now. Thanks for the primer :)
Wow. Good stuff. And really well written!
This topic is out of my realm of experience, but because it is so well-written, if I wanted to, I bet I could follow your tips.