Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Windows Server 2012 : Enabling advanced features using ADAC (part 2) - Configuring fine-grained password policies

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
8/27/2014 3:55:28 AM

2. Configuring fine-grained password policies

In Windows Server 2003 and earlier, you could have only a single password policy and account lockout policy governing all user accounts in a domain. This password policy could be configured by editing the Default Domain Policy Group Policy Object (GPO)—specifically, the six policy settings found under

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy

Each domain also had three account lockout policy settings found under

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy

Windows Server 2008 introduced a new feature called fine-grained password policies that you could use to configure multiple password policies and account lockout policies for each domain. This provided Active Directory administrators with greater flexibility because they could create different policies for different groups of users. The problem, however, was that you needed to use ADSI Edit and LDIFDE to create fine-grained password policies on the earlier platform. This task is simplified in Windows Server 2012 because now you can use the GUI-based ADAC for creating fine-grained password policies. In addition, you can use ADAC to view the resultant password settings for particular users in your environment to ensure fine-grained password policies have been configured as intended.

Understanding fine-grained password policies

Fine-grained password policies can be assigned to users or groups. If a user belongs to more than one group that has a fine-grained password policy assigned to it, the precedence value of each policy is used to determine which policy applies to members of the group. The precedence value of a policy must be an integer value of 1 or greater. If multiple policies apply to the same user, the policy having the lowest precedence value wins.

Note

REAL WORLD Understanding policy preference

Consider a scenario where a user named Karen Berg in the corp.contoso.com domain is a member of two groups: the Marketing group and the Sales group. Fine-grained password policies have been configured as follows:

  • A fine-grained password policy having a precedence value of 1 has been created and assigned to the Marketing group.

  • A fine-grained password policy having a precedence value of 2 has been created and assigned to the Sales group.

Because Karen belongs to both groups, both policies apply to her, but the one with the lowest precedence value (the policy assigned to the Marketing group) is the one that takes effect.

Note that if two fine-grained password policies have the same preference value and both policies apply to the same user, the policy with the smallest globally unique identifier (GUID) wins.

Best practices for implementing fine-grained password policies

When planning to implement fine-grained password policies within your Active Directory environment, you should follow these best practices:

  • Assign policies to groups instead of individual users for easier management.

  • Assign a unique preference value to each fine-grained password policy you create within a domain.

  • Create a fallback policy for the domain so that users who don’t belong to any groups that specifically have fine-grained password policies assigned to them will still have password and account lockout restrictions apply when they try to log on to the network. This fallback policy can be either of the following:

    • The password and account lockout policies defined in the Default Domain Policy GPO

    • A fine-grained password policy that has a higher precedence value than any other policy

Note

REAL WORLD Implementing a fallback policy for your domain

Consider a scenario where the corp.contoso.com has three groups: Marketing, Sales, and Human Resources. Fine-grained password policies have been configured as follows:

  • A fine-grained password policy having a precedence value of 1 has been created and assigned to the Marketing group.

  • A fine-grained password policy having a precedence value of 2 has been created and assigned to the Sales group.

  • No fine-grained password policy has been assigned to the Human Resources group.

To ensure that password and account lockout restrictions apply when members of the Human Resources group try to log on to the network, you can do either of the following:

  • Configure password and account lockout policy settings in the Default Domain Policy GPO for the domain.

  • Create a fine-grained password policy that has a precedence value of 100, and assign this policy to the Domain Users group.

Note that the recommended approach is to use the second option mentioned because Default Domain Policy is a legacy feature dating back to the Windows NT era while fine-grained password policies are the future.

Other -----------------
- SQL Server 2012 : Latch Contention Examples - UP Latches in tempdb, Spinlock Contention in Name Resolution
- SQL Server 2012 : Latch Contention Examples - Queuing
- SQL Server 2012 : Latch Contention Examples - Inserts When the Clustered Index Key Is an Identity Field
- SQL Server 2012 : Latches and Spinlocks - Monitoring Latches and Spinlocks
- SQL Server 2012 : Latches and Spinlocks - SuperLatches/Sublatches
- SQL Server 2012 : Latches and Spinlocks - Latch Types, Latch Modes
- Sharepoint 2013 : Overview of The Client-Side Object Model and Rest APIs - Client-Side Object Model API Coverage
- Sharepoint 2013 : Overview of The Client-Side Object Model and Rest APIs - REST and OData (part 3) - Creating, Updating, and Deleting
- Sharepoint 2013 : Overview of The Client-Side Object Model and Rest APIs - REST and OData (part 2) - Filtering and Selecting
- Sharepoint 2013 : Overview of The Client-Side Object Model and Rest APIs - REST and OData (part 1) - Getting Started with REST and OData
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
 
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server