Fine Grained Password policies

Before you read this blog, it is recommended that you have a basic understanding of:

Active Directory features, Group Policy and password policy, and the Active Directory schema and objects. Related Microsoft articles are available for further information. I have written this with inspiration from Harivishnu to provide an overview of the fine grained password policy which we have recently implemented and tested in our test domain LEARNING.COM.

Are you familiar with Active Directory password policies?

It is an easy subject for Windows administrators. For non-Windows people, a password policy is a way to enhance security by enforcing a set of rules on passwords. As you all know, our system password has certain criteria to be met: when you set a password, it must meet the complexity requirements. These complexity requirements and other settings are decided according to the organization's requirements.

In Windows 2003, account policies are set in a group policy which is enforced on the entire domain. Because of this, all the users in a domain must follow the same password complexity requirements and settings, i.e. you cannot have multiple password policies in a Windows 2003 domain. The screenshot of the group policy shows the settings under Account Policy. Account Policy has settings for password policy, account lockout policy and Kerberos policy. Notice that all these settings sit under Computer Configuration and not under User Configuration. So once the domain is set up, the local Security Accounts Manager (SAM) on each domain computer is controlled using the above settings. That is how it works in a 2003 domain.

Windows administrators have always wanted multiple password policies for different kinds of user accounts. They have been asked to set different password complexity settings for a privileged account and a normal user. But as I mentioned earlier, this is not possible in Windows 2003, where each domain has only one password policy. It is now time to say 'yes' to that requirement. In a Windows 2008 domain you can have multiple password policies! Fine grained password policies let you have different password policy settings for different sets of users. This allows you to set stricter account lockout and password restrictions for privileged accounts and looser ones for normal users. Cool, isn't it?

How can you achieve that? The approach is entirely different in 2008 Active Directory. Instead of living in a group policy, the Account Policies settings have moved out of group policy altogether. Account Policies are no longer based on computer accounts. It is now possible to target individual users and groups of users to control their password restrictions. You can use ADSI Edit (or any other LDAP editing tool) to modify the Active Directory object and its associated account policy attributes. In fact, the settings are stored in the AD database itself.

Fine-grained password policies apply to user objects and global security groups. To store the fine grained password policies there are two new object categories in the Active Directory Domain Services (AD DS) schema: the Password Settings Container (PSC) and the Password Settings Object (PSO). The Password Settings Container (PSC) is created by default under the System container of the domain, which is visible in Active Directory Users and Computers with Advanced Features enabled. As the name indicates, it is the container used to store the Password Settings Objects (PSOs). The default PSC cannot be renamed, moved or deleted, but you can create your own additional custom PSC. (Microsoft does not recommend this, and custom Password Settings Containers are not considered when computing the Resultant Set of Policy (RSOP).) All settings other than the Kerberos settings can be defined in a Password Settings Object (PSO). These include the following password settings and account lockout settings:

  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Passwords must meet complexity requirements
  • Store passwords using reversible encryption
  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout after defined time

In addition, a PSO has the following new attributes:

  • msDS-PSOAppliesTo. A multi-valued attribute holding the links to the user or group objects the PSO applies to.
  • msDS-PasswordSettingsPrecedence. An integer value, used to resolve conflicts when multiple PSOs apply to a user or group.

You must define the settings under the above 9 categories; all of them are mandatory attributes. The msDS-PSOAppliesTo attribute is multi-valued and contains links to user and group objects. You can apply a PSO to multiple users or groups, i.e. you can create one password policy and apply it to different sets of users or groups. A couple of new attributes, msDS-PSOApplied and msDS-ResultantPso, have been introduced on the user and group objects as well (msDS-ResultantPso exists only on user objects). The msDS-PSOApplied attribute holds a back-link to the PSO.

You can apply a PSO to a user either directly or indirectly through group memberships. As a result, a user or group object can have multiple PSOs linked, either because of membership in multiple groups with linked PSOs or because a PSO is applied to the object directly. But only one of them takes effect. The msDS-PasswordSettingsPrecedence attribute is used to pick the winner from the conflict. A PSO that is directly linked to the user object has the highest priority (you cannot link multiple PSOs directly to a user). If there is no directly linked PSO, the PSOs from the group memberships come into play, and the PSO with the lowest precedence value (the value of msDS-PasswordSettingsPrecedence) takes effect. A lower value of this attribute indicates higher precedence. For example, if a user has no directly linked PSO and has two PSOs applied through group memberships with precedence values of 2 and 4, the PSO with precedence value 2 takes effect. If there are no PSOs linked to a user directly or indirectly, the Default Domain Policy takes effect. Things get more complex if you have no directly linked PSO and multiple PSOs with the same precedence value (Microsoft recommends a unique precedence value for each PSO). In this case the GUIDs of the PSOs are compared and the PSO with the lowest GUID is applied. The msDS-ResultantPso attribute is calculated based on the above rules and shows the final PSO that got applied to the user.
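The precedence rules above (direct link first, then lowest msDS-PasswordSettingsPrecedence, then lowest GUID, then the Default Domain Policy) are easy to get wrong when auditing who actually ends up under which policy, so here is an added example, not code from the original post, that models a few PSOs with the attribute names described above and computes what msDS-ResultantPso would hold for a user. All DNs, GUIDs and precedence values are constructed, the LEARNING.COM domain from the post is used for the DNs, and GUID ordering is assumed to be by integer value.

```python
import uuid

DEFAULT_DOMAIN_POLICY = "Default Domain Policy"
PSC = "CN=Password Settings Container,CN=System,DC=learning,DC=com"

# Constructed sample PSOs: DNs, GUIDs and precedence values are made up.
# Dictionary keys mirror the schema attribute names discussed in the post.
PSOS = {
    f"CN=Admins-PSO,{PSC}": {
        "objectGUID": uuid.UUID("00000000-0000-0000-0000-000000000002"),
        "msDS-PasswordSettingsPrecedence": 2,
        "msDS-PSOAppliesTo": ["CN=Privileged,CN=Users,DC=learning,DC=com"],
    },
    f"CN=Staff-PSO,{PSC}": {
        "objectGUID": uuid.UUID("00000000-0000-0000-0000-000000000001"),
        "msDS-PasswordSettingsPrecedence": 4,
        "msDS-PSOAppliesTo": ["CN=Staff,CN=Users,DC=learning,DC=com"],
    },
    f"CN=Contractors-PSO,{PSC}": {
        "objectGUID": uuid.UUID("00000000-0000-0000-0000-000000000003"),
        "msDS-PasswordSettingsPrecedence": 4,   # deliberately ties with Staff-PSO
        "msDS-PSOAppliesTo": ["CN=Contractors,CN=Users,DC=learning,DC=com",
                              "CN=alice,CN=Users,DC=learning,DC=com"],
    },
}


def resultant_pso(user_dn, member_of, psos=PSOS):
    """Return the DN that msDS-ResultantPso would hold for user_dn.

    Rules from the post: a directly linked PSO wins; otherwise the group-linked
    PSO with the lowest msDS-PasswordSettingsPrecedence wins; equal precedence
    is broken by the lowest objectGUID; with no PSO at all, the Default Domain
    Policy applies. GUIDs are compared by integer value here (an assumption).
    """
    def rank(dn):
        return (psos[dn]["msDS-PasswordSettingsPrecedence"], psos[dn]["objectGUID"])

    direct = [dn for dn, pso in psos.items() if user_dn in pso["msDS-PSOAppliesTo"]]
    if direct:
        # Only one direct link is expected; rank() keeps the result deterministic anyway.
        return min(direct, key=rank)
    via_groups = [dn for dn, pso in psos.items()
                  if any(g in pso["msDS-PSOAppliesTo"] for g in member_of)]
    return min(via_groups, key=rank) if via_groups else DEFAULT_DOMAIN_POLICY
```

Comparing this function's output against the live msDS-ResultantPso value read with ADSI Edit is a quick way to confirm that a newly linked PSO really took effect for the accounts you intended.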

Important Points to Remember:

  • Microsoft says that userAccountControl settings such as 'Reversible password encryption required', 'Password not required' and 'Password does not expire' override the settings in the resultant PSO.
  • Your domain must be running at the Windows 2008 functional level to use fine grained password policies. This indirectly means that you cannot have Windows 2000 or 2003 domain controllers in your domain.
  • Fine grained password policies are available in all editions of Windows 2008.
  • If you do not create fine grained password policies, the settings in the Default Domain Policy take effect (just like in your Windows 2003 domain).
  • Only domain administrators or delegated users can create or modify PSOs.

Fine grained password policies cannot be applied to an organizational unit. But you can create a global security group, called a shadow group, and add the users of an OU to that group. This shadow group can then be used to apply the fine-grained password policy. If you move users between OUs, you must update the shadow group membership.

