View RSS Feed

TheScarfedOne

Fine Grained Password Policies

Rate this Entry
by , 27th February 2011 at 10:51 PM (6336 Views)
Ok, something we are just about to implement - Password Policies for Staff. However, I hear you cry, you can only have one policy per domain - the "Default Domain Policy GPO". Yes - pre Server 2008 that is true...

With Windows Server 2008 you will now be able to define different password account lockout policies within the same domain. Previously this was not possible and this was also one of the reasons many of our customers implemented multiple domains in their forest. With Fine-Grained Password Policies you can assign different policies to users (individually if you want) or groups.

Its in there, but minus a GUI to configure this and you need to use the ADSIedit to create, manage and set the password policies. This is a bit of a pain, as its not the most friendly of beasts - and a licence to break things if you arent careful. If you want to go play the ADSI way, Kurt Roggen has blogged on it HERE.

Me on the other hand, would rather not. There are some community released nifty tools where you can manage the policies through a GUI, command-line or even by using PowerShell.

Some of the best...

Christoffer Andersson's Fine Grained Password Policy Tool (inc some Powershell snap ins)
http://blogs.chrisse.se/blogs/chriss...300-0-rtm.aspx

Dmitry Sotnikov's Fine Grained Password Policies POWERGUI
http://dmitrysotnikov.wordpress.com/...word-policies/

Joe Richards (MVP) PSOMgr
http://www.joeware.net/freetools/tools/psomgr/index.htm

Enjoy!
Categories
Uncategorized

Comments

  1. timbo343's Avatar
    I have seen it been done on training videos, it seems straight forward to me, just have to remember to goes on groups of users (security groups) rather than OUs.
  2. SwedishChef's Avatar
    Best tool i found was, Password Policy - Stronger Windows Passwords | Specops Password Policy there is a free basic version available.

    I also found a "feature" regarding the message box that gets displayed if you try to change to a password that breaks the policy, it seems to allow the default domain setting to take precedence, we had to turn on complex for our whole domain in order to get the correct box displayed, on groups with and without complex enabled.

Trackbacks

Total Trackbacks 0
Trackback URL: