Today with a Windows Server 2003 domain you can only define one password and account lockout policies. We heard the feedback of many customers that we needed to change that because now it was one of the reasons to create another domain in your forest. When I was a consultant I always advised my customers to keep their AD infrstructure simple, avoid creating domains if it’s not needed. When Windows Server 2008 will be released you will be able to have more control onto the password and account lockout policies. From then on you will be able to define different policies for different users. Note that this policy will not apply to Organization Unit’s (OU) but only to User accounts en global security groups.
What have changed?
To be able to store those passwords we will introduce two new object classes in Active Directory:
- Password Settings
- Password Settings Container
The password settings container will store the Password Settings Objects (PSO) for the domain. The PSO has different attributes for the password and account lockout settings like max password age, password must meet complexity requirements, account lockout duration, etc.
What are the Requirements?
The Domain functional level must be Windows Server 2008.
Only members of the Domain Admin group can set the policies, however you could use delegation to allow other users to define the policies.
There are 9 attributes in the PSO that are needed and they all must have a value.
Users can now have multiple PSO linked to his account; this can be done directly or through Group Membership. Take into consideration that multiple password policies cannot be merged. Which PSO will be applied? All PSO have an attribute that is called msDS-PasswordSettingsPrecedence, the lower the value the higher the rank.
Users with a user defined Password Policy will always have the highest rank. In case that there is no user defined PSO than the different Global Security groups with a PSO will be compared and the one with the lowest precedence number will be applied. If there is no PSO applied through users and group then the Default Domain Policy is applied.
As you can see these new policy changes are a step forward but you will also have to be careful when applying those policies. My recommendation here is to limit the number of password policies you have in one domain and at least document them with the reasons why you created those policies, because I can assure you that within a few weeks, months after the implementation you will forget.