Remember a previous blog post where I talked about the fact that with Windows Server 2008 you will now be able to define different password account lockout policies within the same domain. Previously this was not possible and this was also one of the reasons many of our customers implemented multiple domains in their forest. With Fine-Grained Password Policies you can assign different policies to users, groups, inter-org-persons.
This will ship with Windows Server 2008 but without a GUI to configure this and you need to use the ADSIedit to create, manage and set the password policies. This isn't a big issue for most of us but if you are not that familiar or confident with ADSIedit it can be hassle to use it. If you're interested to know how you can configure this through ADSIedit I recommend you to read Kurt Roggen his blogpost about Fine-Grained Password policies.
Don't worry for those of you who don't want to make the changes through ADSIedit there is also a solution. Some members of our community released nifty tools where you can manage the policies through a GUI, command-line or even by using PowerShell.
He also created a PowerShell snap-in so that you can manage the setting through PowerShell.
Here is a list of the PowerShell Cmdlets you can use:
- Create new Password Policies : New-PasswordPolicy
- Modify existing Password Policies : Modify-PasswordPolicy
- Delete Password Policies : Delete-PasswordPolicy
- Rename Password Policies : Rename-PasswordPolicy
- Add users and global groups to an existing Password Policy : Add-PasswordPolicy
- Remove users and global groups to an existing Password Policy : Remove-PasswordPolicy
What's nice about this tool is that it uses the PowerShell cmdlets from Quest. In the GUI you can define the policies and once final you can click on the PowerShell Code tab. This tab contains the PowerShell script you need to execute, so just copy and paste it into the console and you're done.
Check out Dmitry his post about how to manage Fine-Grained Policies with Powershell
psomgr /add newpso10::1 /lockout 99:99:99 /pwdage 100:100 /pwdcomplex TRUE /pwdreverse true /pwdlen 101 Add PSO newpso10 with precedence of 1 and other specified values. Will NOT create since /forreal is not specified.
After reading this post I hope you will now have the knowledge, tools to manage the password policies in your environment.
Note: None of these tools are officially supported by Microsoft, use at own risks.