Creating Different Password Policies in Active Directory 2008

Windows Server 2008 provides the new [Fine-Grained Password Policies] feature to handle this kind of requirement. To use it, the domain functional level must first be raised to Windows Server 2008; the policies are then configured in the new [Password Settings Container] location in the AD domain. You can see this location in the [AD Users and Computers] management tool by enabling [Advanced Features] and opening the System location, but you must use the [Adsiedit.msc] or [Ldifde] tool to configure it!

1. First create a global security group, for example: GSGroup1.
2. Add the accounts you want to exclude as members of GSGroup1.
3. Create a PSO.

4. To create a PSO using ADSI Edit

  1. Click Start, click Run, type adsiedit.msc, and then click OK.

  2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.

  3. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO, and then click OK.

  4. Double-click the domain.

  5. Double-click DC=<domain_name>.

  6. Double-click CN=System.

  7. Click CN=Password Settings Container.

All the PSO objects that have been created in the selected domain appear.

  8. Right-click CN=Password Settings Container, click New, and then click Object.

  9. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.

  10. In Value, type the name of the new PSO, and then click Next.

  11. Continue with the wizard, and enter appropriate values for all mustHave attributes.

Attribute sample:

Attribute name | Acceptable value range | Example value
Password Settings Precedence | Greater than 0 |
Password reversible encryption status for user accounts | FALSE / TRUE (Recommended: FALSE) |
Password History Length for user accounts | 0 through 1024 |
Password complexity status for user accounts | FALSE / TRUE (Recommended: TRUE) |
Minimum Password Length for user accounts | 0 through 255 |
Minimum Password Age for user accounts | (None); 00:00:00:00 through msDS-MaximumPasswordAge value | 1:00:00:00 (1 day)
Maximum Password Age for user accounts | (Never); msDS-MinimumPasswordAge value through (Never); msDS-MaximumPasswordAge cannot be set to zero | 42:00:00:00 (42 days)
Lockout threshold for lockout of user accounts | 0 through 65535 |
Observation Window for lockout of user accounts | (None); 00:00:00:01 through msDS-LockoutDuration value | 0:00:30:00 (30 minutes)
Lockout duration for locked out user accounts | (None); (Never); msDS-LockoutObservationWindow value through (Never) | 0:00:30:00 (30 minutes)
Links to objects that this password settings object applies to (forward link) | 0 or more DNs of users or global security groups |


12. On the last screen of the wizard, click More Attributes.

13. On the Select which property to view menu, click Optional or Both.

14. In the Select a property to view drop-down list, select msDS-PSOAppliesTo.

15. In Edit Attribute, add the distinguished names of users or global security groups that the PSO is to be applied to, and then click Add.

16. Repeat step 15 to apply the PSO to more users or global security groups.

17. Click Finish.

5. To apply PSOs to users or global security groups using the Windows interface

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. On the View menu, ensure that Advanced Features is checked.

  3. In the console tree, click Password Settings Container.

    • Active Directory Users and Computers\domain node\System\Password Settings Container.

  4. In the details pane, right-click the PSO, and then click Properties.

  5. Click the Attribute Editor tab.

  6. Select the msDS-PsoAppliesTo attribute, and then click Edit.

  7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK.
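The intro notes that a PSO can also be created with Ldifde instead of ADSI Edit. The following is an added example, not code from the original post, that builds the ldifde import file for a PSO carrying the attribute values from the table above and linking it to GSGroup1 via msDS-PSOAppliesTo, so it covers both the "create a PSO" and "apply PSOs" procedures in one step. The PSO name PSO1, the domain DN DC=example,DC=local and the numeric values are constructed assumptions; the attribute names are the real msDS-PasswordSettings attributes.

```python
# Added example (not from the original post): build an ldifde import file for a
# Fine-Grained Password Policy PSO. Time-valued msDS-* attributes are stored as
# negative 100-nanosecond intervals, so the d:hh:mm:ss values that ADSI Edit shows
# must be converted before ldifde will accept them. Domain/PSO names are assumed.

TICKS_PER_SECOND = 10_000_000  # one tick = 100 ns

def interval(dhms: str) -> int:
    """Convert 'd:hh:mm:ss' (ADSI Edit display form) to the negative I8 value stored in AD."""
    days, hours, minutes, seconds = (int(p) for p in dhms.split(":"))
    total = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    return -total * TICKS_PER_SECOND

def pso_ldif(name: str, domain_dn: str, applies_to: list, precedence: int, min_len: int,
             history: int, complexity: bool, reversible: bool, min_age: str, max_age: str,
             lockout_threshold: int, observation_window: str, lockout_duration: str) -> str:
    """Return LDIF text for 'ldifde -i -f pso.ldf', validating the ranges from the attribute table."""
    if precedence <= 0:
        raise ValueError("msDS-PasswordSettingsPrecedence must be greater than 0")
    if not 0 <= history <= 1024 or not 0 <= min_len <= 255 or not 0 <= lockout_threshold <= 65535:
        raise ValueError("history length, minimum length or lockout threshold out of range")
    min_age_i, max_age_i = interval(min_age), interval(max_age)
    obs_i, lock_i = interval(observation_window), interval(lockout_duration)
    if max_age_i == 0 or max_age_i > min_age_i:  # negative intervals: longer span is more negative
        raise ValueError("msDS-MaximumPasswordAge must be non-zero and not shorter than the minimum age")
    if obs_i < lock_i:
        raise ValueError("observation window must not exceed msDS-LockoutDuration")
    lines = [
        f"dn: CN={name},CN=Password Settings Container,CN=System,{domain_dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {precedence}",
        f"msDS-PasswordReversibleEncryptionEnabled: {'TRUE' if reversible else 'FALSE'}",
        f"msDS-PasswordHistoryLength: {history}",
        f"msDS-PasswordComplexityEnabled: {'TRUE' if complexity else 'FALSE'}",
        f"msDS-MinimumPasswordLength: {min_len}",
        f"msDS-MinimumPasswordAge: {min_age_i}",
        f"msDS-MaximumPasswordAge: {max_age_i}",
        f"msDS-LockoutThreshold: {lockout_threshold}",
        f"msDS-LockoutObservationWindow: {obs_i}",
        f"msDS-LockoutDuration: {lock_i}",
    ]
    lines += [f"msDS-PSOAppliesTo: {dn}" for dn in applies_to]  # forward link to users / global groups
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample: PSO1 applied to the GSGroup1 group created in the steps above.
    print(pso_ldif("PSO1", "DC=example,DC=local", ["CN=GSGroup1,CN=Users,DC=example,DC=local"],
                   10, 12, 24, True, False, "1:00:00:00", "42:00:00:00", 5, "0:00:30:00", "0:00:30:00"))
```

Save the printed text as pso.ldf and import it with ldifde -i -f pso.ldf on a domain controller; the resulting object appears under CN=Password Settings Container in ADSI Edit exactly as in the wizard steps above.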



AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

Comments (1)

  1. Anonymous says:

    The Solution is to avoid unwanted events by using AdtAdmin along with WQL Query as listed below

    An ACS collector can use Windows Management Instrumentation (WMI) Query Language (WQL) queries as filters to limit the events that are stored in the ACS database.
