Step-by-Step Guide to Fine-Grained Passwords in Windows Server 2008 | Capitalhead.com Page 1 of 10


http://capitalhead.com/articles/step-by-step-guide-to-fine-grained-passwords-in-windows-server-2008.aspx 3/7/2010

Step-by-Step Guide to Fine-Grained Passwords in Windows Server 2008


This step-by-step guide provides instructions for configuring, applying and editing fine-grained password and account lockout policies for different sets of
users in Windows Server 2008.

Introduction - Previous Versions of Windows Server


In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which is specified in the
domain's Default Domain Policy, to all users in the domain. As a result, if you wanted different password and account lockout settings for different sets of users, you had
to either create a password filter or deploy multiple domains.

Fine-Grained Passwords in Windows Server 2008


In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout
policies to different sets of users within a single domain. For example, to increase the security of privileged accounts, you can apply stricter settings to the privileged
accounts and then apply less strict settings to the accounts of other users.

Another valid application of fine-grained password policies is a situation where legacy applications or other data sources require password synchronization.
These situations may require us to relax certain aspects of password complexity or length.

Step-By-Step Configuration of Fine-Grained Passwords in Windows Server 2008


I find it’s best to work with an example to demonstrate a solution, so in this case we will assume that you have a number of users who are Special Administrators and
require a stronger password policy than the standard user. We will refer to these users as SpecialAdmins.

In the following steps, we will configure a fine-grained password policy in Windows Server 2008 with the following settings:

Policy Name                                   Policy Setting
--------------------------------------------  ------------------------
Enforce password history                      24 passwords remembered
Maximum password age                          30 days
Minimum password age                          1 day
Minimum password length                       12 characters
Passwords must meet complexity requirements   Disabled
Account lockout duration                      0
Account lockout threshold                     3
Reset account lockout counter after           30 minutes

Table 1: Password Policy

Note: yourdomainname in the following steps should be replaced with the NETBIOS name of your domain.

1. Log on to a Windows Server 2008 domain controller using an account that has membership in the Domain Admins group, or equivalent permissions.
2. Go to Start, Administrative Tools, and then select Active Directory Users and Computers.


3. Expand yourdomainname.com, right-click on the Users container, select New, and then select Group.
4. On the New Object - Group window, enter SpecialAdmins into the Group Name field, and then click OK

5. Close Active Directory Users and Computers


6. Click Start, click RUN, type ADSIEDIT.MSC, and then click OK

7. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to
8. In the Name field, enter yourdomainname.com, and then click OK
9. Double-click yourdomainname.com in the console tree, double-click DC=yourdomainname,DC=com, double-click CN=System, and then click
CN=Password Settings Container

10. Right-click CN=Password Settings Container in the console tree, click New, and then click Object


11. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.

12. In the Create Object dialog box, enter SpecialAdmins in the Value field, and then click Next.

13. For the msDS-PasswordSettingsPrecedence value, enter 1, and then click Next


14. For the msDS-PasswordReversibleEncryptionEnabled value, enter false, and then click Next

15. For the msDS-PasswordHistoryLength value, enter 24, and then click Next

16. For the msDS-PasswordComplexityEnabled value, enter false, and then click Next


17. For the msDS-MinimumPasswordLength value, enter 12, and then click Next

18. For the msDS-MinimumPasswordAge, enter 1:00:00:00, and then click Next

19. For the msDS-MaximumPasswordAge, enter 30:00:00:00, and then click Next


20. For the msDS-LockoutThreshold, enter 3, and then click Next

21. For the msDS-LockoutObservationWindow, enter 0:00:30:00, and then click Next

22. For the msDS-LockoutDuration, enter (never), and then click Next, then click Finish


23. Right-click on CN=SpecialAdmins in the console tree, and then select Properties

24. On the CN=SpecialAdmins Properties window, select the msDS-PSOAppliesTo attribute, and then click the Edit button

25. On the Multi-valued Distinguished Name With Security Principal Editor window, click on the Add Windows Account button

26. On the Select Users, Computers, or Groups window, enter SpecialAdmins in the Enter the object names to select field, and then click OK


27. Click OK on the Multi-valued Distinguished Name With Security Principal Editor window
28. Click OK on the CN=SpecialAdmins Properties window
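
The PSO built in steps 10 to 28, expressed as an LDIF record that ldifde can import. This is an added example, not part of the original article; it shows how the D:HH:MM:SS values typed into ADSI Edit are stored as negative 100-nanosecond intervals. The function and variable names are illustrative, and the group DN assumes SpecialAdmins was created in the Users container as in step 3.

```python
import re

TICKS_PER_SECOND = 10_000_000   # AD stores these intervals in 100-nanosecond units
NEVER = -(2 ** 63)              # the value ADSI Edit displays as "(never)"

# Settings exactly as entered in the ADSI Edit wizard steps of this guide.
SPECIAL_ADMINS_PSO = {
    "msDS-PasswordSettingsPrecedence": 1,
    "msDS-PasswordReversibleEncryptionEnabled": False,
    "msDS-PasswordHistoryLength": 24,
    "msDS-PasswordComplexityEnabled": False,
    "msDS-MinimumPasswordLength": 12,
    "msDS-MinimumPasswordAge": "1:00:00:00",
    "msDS-MaximumPasswordAge": "30:00:00:00",
    "msDS-LockoutThreshold": 3,
    "msDS-LockoutObservationWindow": "0:00:30:00",
    "msDS-LockoutDuration": "(never)",
}

def to_i8(text):
    """Convert D:HH:MM:SS or "(never)" to the negative interval stored in AD."""
    if text.strip().lower() == "(never)":
        return NEVER
    m = re.fullmatch(r"(\d+):([01]\d|2[0-3]):([0-5]\d):([0-5]\d)", text.strip())
    if not m:
        raise ValueError(f"expected D:HH:MM:SS or (never), got {text!r}")
    d, h, mi, s = (int(g) for g in m.groups())
    return -((d * 86400 + h * 3600 + mi * 60 + s) * TICKS_PER_SECOND)

def build_pso_ldif(name, settings, domain_dn, group_dn):
    """Return an LDIF 'add' record for the PSO, linked to group_dn."""
    enc = {k: (to_i8(v) if isinstance(v, str) else v) for k, v in settings.items()}
    # Intervals are negative, so a longer interval is a numerically smaller value.
    if enc["msDS-MinimumPasswordAge"] < enc["msDS-MaximumPasswordAge"]:
        raise ValueError("minimum password age exceeds maximum password age")
    if enc["msDS-LockoutDuration"] > enc["msDS-LockoutObservationWindow"]:
        raise ValueError("lockout duration is shorter than the observation window")
    lines = [
        f"dn: CN={name},CN=Password Settings Container,CN=System,{domain_dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
    ]
    lines += [f"{a}: {str(v).upper() if isinstance(v, bool) else v}" for a, v in enc.items()]
    lines.append(f"msDS-PSOAppliesTo: {group_dn}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_pso_ldif("SpecialAdmins", SPECIAL_ADMINS_PSO, "DC=yourdomainname,DC=com",
                         "CN=SpecialAdmins,CN=Users,DC=yourdomainname,DC=com"))
```

Save the output to a file and import it on the domain controller with `ldifde -i -f <file>`. To confirm which PSO a member of the group actually receives, run `dsget user <UserDN> -effectivepso`.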

Conclusion
This step-by-step guide demonstrated how to configure fine-grained passwords in Windows Server 2008. We defined a number of password settings and applied them to an
Active Directory group. From now on, the custom password policy will apply to all users who are members of the group.


Updated: Friday, May 29, 2009
