Windows Server 2008: Password Policy Changes

Today, in a Windows Server 2003 domain, you can define only one password and account lockout policy. We heard from many customers that this needed to change, because it had become one of the reasons to create another domain in a forest. When I was a consultant I always advised my customers to keep their AD infrastructure simple and to avoid creating domains unless they were really needed. When Windows Server 2008 is released you will have more control over password and account lockout policies: from then on you will be able to define different policies for different users. Note that these policies do not apply to Organizational Units (OUs), only to user accounts and global security groups.


What has changed?

To store these policies, two new object classes are introduced in Active Directory:

  • Password Settings
  • Password Settings Container

The Password Settings Container stores the Password Settings Objects (PSOs) for the domain. A PSO has attributes for the password and account lockout settings, such as maximum password age, password must meet complexity requirements, account lockout duration, and so on.


What are the Requirements?

  • The domain functional level must be Windows Server 2008.
  • Only members of the Domain Admins group can set the policies; however, you can use delegation to allow other users to define them.
  • There are 9 mandatory attributes in the PSO, and all of them must have a value.



A user can now have multiple PSOs linked to their account, either directly or through group membership. Take into consideration that multiple password policies are never merged. So which PSO is applied? Every PSO has an attribute called msDS-PasswordSettingsPrecedence; the lower the value, the higher the rank.


A PSO linked directly to the user account always has the highest rank. If there is no user-linked PSO, the PSOs linked to the user's global security groups are compared and the one with the lowest precedence number is applied. If no PSO applies through either the user or a group, the Default Domain Policy applies.
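As an added illustration (not code from the original post), here is a small Python model of the ranking just described: a PSO linked directly to the account wins, otherwise the lowest msDS-PasswordSettingsPrecedence among group-linked PSOs, otherwise the Default Domain Policy. The policy names, precedence values and group names are constructed; the helper that flags duplicate precedence values is there because a tie is not resolved by the precedence rule itself and is exactly the kind of thing worth documenting.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int            # msDS-PasswordSettingsPrecedence: lower value = higher rank
    max_password_age_days: int

@dataclass
class User:
    sam_account_name: str
    groups: frozenset          # global security groups the user belongs to
    direct_psos: tuple = ()    # PSOs linked directly to the user account

# Stand-in for the Default Domain Policy (constructed values, not from the post).
DEFAULT_DOMAIN_POLICY = PSO("Default Domain Policy", precedence=None, max_password_age_days=42)

def resultant_pso(user, group_links):
    """Return (PSO, how_it_was_chosen) following the ranking described above."""
    # 1. A PSO linked directly to the user account always outranks group-linked PSOs.
    candidates = list(user.direct_psos)
    source = "user"
    # 2. Otherwise compare the PSOs linked to the user's global security groups.
    if not candidates:
        for group in user.groups:
            candidates.extend(group_links.get(group, ()))
        source = "group"
    # 3. Nothing linked at either level: the Default Domain Policy applies.
    if not candidates:
        return DEFAULT_DOMAIN_POLICY, "default"
    # Policies are never merged: the single lowest precedence number wins outright.
    return min(candidates, key=lambda p: p.precedence), source

def precedence_collisions(psos):
    """Precedence values shared by more than one PSO; these make the winner ambiguous."""
    counts = Counter(p.precedence for p in psos)
    return sorted(v for v, n in counts.items() if n > 1)

# Constructed example domain: three PSOs and two group links.
ADMIN_PSO = PSO("PSO-Admins", 5, 30)
SERVICE_PSO = PSO("PSO-ServiceAccounts", 10, 180)
EXCEPTION_PSO = PSO("PSO-LegacyApp-Exception", 50, 365)
GROUP_LINKS = {"Domain Admins": (ADMIN_PSO,), "Service Accounts": (SERVICE_PSO,)}

if __name__ == "__main__":
    alice = User("alice", frozenset({"Domain Admins", "Service Accounts"}))
    bob = User("bob", frozenset({"Domain Admins"}), direct_psos=(EXCEPTION_PSO,))
    carol = User("carol", frozenset({"Domain Users"}))
    for u in (alice, bob, carol):
        pso, how = resultant_pso(u, GROUP_LINKS)
        print(f"{u.sam_account_name}: {pso.name} via {how}, max age {pso.max_password_age_days} days")
```

Note that bob's directly linked exception PSO (precedence 50) beats the admin PSO (precedence 5) he would otherwise inherit through group membership, which is the point the text makes about user-linked PSOs.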


As you can see, these new policy changes are a step forward, but you will also have to be careful when applying them. My recommendation is to limit the number of password policies in one domain and, at the very least, document them together with the reasons you created them, because I can assure you that within a few weeks or months after the implementation you will have forgotten.


Comments (3)

  1. Confused says:

    How do you change the password policy in the old Windows 2000/2003 way for the whole domain on Longhorn Server with a domain functional level below Windows 2008?

    I can’t find any snap-in…

  2. Brian Cole says:

    That would be a great feature if we got it. I even found the on-topic Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration describing that in more detail. Personally, I am especially interested in exceptional PSOs. Interesting note there about the msDS-MaximumPasswordAge property value and timing granularity, meaning how the properties store the timing intervals. It’s stored in 100 ns chunks, so to set the timing you should multiply the mantissa by E+07. The sad thing, though, as you’ve already said: "For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server "Longhorn"." An interesting note about calculating RSoPs for multiple PSOs: "If multiple PSOs with the same msDS-PasswordSettingsPrecedence value are obtained for a user from the preceding conditions, the PSO with the smallest globally unique identifier (GUID) is applied." Could you possibly suggest what to do now before we get Windows Server 2008? Maybe there’s some workaround on how to manage this in a Windows Server 2003 domain? We have the Windows Server 2003 R2 schema. I found an interesting link to a desktop management tool that works with Windows Server 2003 domains but still supports Vista. I may be mistaken, but from what I read, they found some way to apply various user settings based on the user's membership and other parameters. I don’t think they changed the Active Directory functionality, because I don’t know if it is possible to change it. I guess they just provide a way to trick the system and use the current functionality so that it’s possible to apply different settings to the user based on membership. I don’t know if it’s possible to change the password lockout threshold, but it looks like it’s possible to change other things. What do you think about that? Could you recommend something about what I can do now running Windows Server 2003?

    The LockoutThreshold registry setting is great, but I don’t see how I can adapt it to work in a similar way.

    Anyway, thank you for the info. I missed that info in Windows Server 2008 "what’s new" so it was very interesting to know that.

    By the way, another interesting thing I noticed about this functionality in Windows Longhorn: it overrode the Reversible password encryption required, Password not required, and Password does not expire bits.

  3. Anonymous says:

    Remember a previous blog post where I talked about the fact that with Windows Server 2008 you will now
