In the last many years, for those who experience play around with active directory, you might remember that AD was restricted with a single password policy per domain. Time goes on, Microsoft make decision to fine-grain the password policy so that you as a administrators could deploy more than one password policy within a single domain.
Those who attended my MCITP Server 2008 training, you all might remember that fine grained password policies configuration in windows server 2008 was not user friendly.
So, this time in Windows server 2012 R2, Microsoft has done a very good job, by adding user-friendly graphical user interface tool to deploy a fine-grained password policy.
If you still wondering what the h**k is this Fine-Grained Password Policy, i take example… lets say you working in large organisation with many levels of user and security, so it’s necessary to set different requirements for the password complexity and for the lockout policy.
Such as, the IT assistant may not require the same levels as the IT Engineers and HR department.
More information : http://technet.microsoft.com/en-us/library/cc770394(v=WS.10).aspx
Ok, lets get started with our Step by Step…
1 – On the Domain Server (OSI-ADDS-01), open Server Manager, and then clickTools, open Active Directory Administrative Center…
2 – Next, in the Active Directory Administrative Center, in the navigation pane, click osi (local), then double click HR OU…
** please take few minutes to go through what you have in Active Directory Administrative Center.
3 – For this demo, i will use HR Department for PSO, next… double click HR OU to open, then right click HR_Group Managers and click Properties…
4 – In the HR_Group Managers interface, verify that under Group scope, Global button is selected, and then click OK…
5 – Next, in the Active Directory Administrative Center, browse to System container…
6 – Next, in the details pane, right-click the Password Settings Container, clickNew, and then click Password Settings.
7 – Next, in the Create Password Settings interface, under password settings, you can set any configuration that you prefer and it also depending on your organization policy.
For example :
a. Type HRManagerPSO in the Name box.
b. Type 10 in the precedence box.
c. Type 10 in the Minimum password length box.
d. Type 5 in the Number of passwords remembered box.
e. Type 30 in the User must change the password after (days) box.
f. Click Enforce account lockout policy.
g. Type 5 in the Number of failed logon attempts allowed box.
h. Type 10 in the Reset failed logon attempts count after(mins) box.
i. Click the Until an administrator manually unlocks the account option.
b. Type 10 in the precedence box.
c. Type 10 in the Minimum password length box.
d. Type 5 in the Number of passwords remembered box.
e. Type 30 in the User must change the password after (days) box.
f. Click Enforce account lockout policy.
g. Type 5 in the Number of failed logon attempts allowed box.
h. Type 10 in the Reset failed logon attempts count after(mins) box.
i. Click the Until an administrator manually unlocks the account option.
8 – last step, under Directly Applies To section, click Add… in the enter the object names to select , type
HR_Group Managers, and then click OK…
HR_Group Managers, and then click OK…
No comments:
Post a Comment