Server 2008 Password Policies - PSOs

In Server 2003 or R2, one of the major limitations was that you could only have one password policy per domain. The product team realized this was a major pain point for many customers, so they hooked Server 2008 up with some new password policy functionality, which is available in Beta 3.

In Server 2008, we’ve created the concept of password settings objects, or PSOs. Every PSO contains all of the same password-related settings you’re familiar with from Server 2000/2003, such as lockout duration, minimum password age, etc.

A cool common use scenario: All domain administrators have a more complex password policy while the rest of the users in the domain have a less-restrictive password policy.

So what are some things you can do now with Password policies (PSOs)?
1. Create and link as many PSOs as you’d like
2. Link a PSO to one or more users or global security groups
3. Override a PSO applied to individual user(s) in a group with a different PSO via “ExceptionalPSOs”
4. Create a precedence for the PSO (so one will have a higher priority than another)
5. Delegate who can link or modify individual PSOs to specific users or groups. (Only Domain Admins can create PSOs.)
6. Hide the Password policy settings from the user
7. PSOs do not interfere with custom password filters

What are some of the downfalls?
1. No official Microsoft GUI to set up the policies. There is a 3rd party tool to do this (link below), but otherwise you’ll have to use ADSIedit to create and manage PSOs.
2. Inability to assign a PSO to a computer or directly to an OU. However, you can assign a “shadow group” to the OU and then add or remove the users who reside in that OU as members of the shadow group, either manually or with a script.
3. You must be at the Windows Server 2008 domain functional level (all DCs in the domain running Server 2008). Not surprising, but it should be pointed out in case you were thinking you could roll this out in a mixed 2003/2008 domain.
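An added example (not from the original post or from any of the tools linked below): a PowerShell script that writes the LDIF for a stricter Domain Admins PSO, imports it with ldifde (the manual method without a GUI), and then checks which PSO actually wins for one account. The contoso.com domain name, the AdminPSO name and the admin1 test account are assumptions.

```powershell
# Added example: create a stricter PSO for Domain Admins via ldifde,
# then verify which PSO is in effect for one admin account.
# Assumptions: domain DC=contoso,DC=com, PSO named AdminPSO, test user admin1.
# Run as a Domain Admin (only Domain Admins can create PSOs).

# AD stores PSO durations as negative 100-nanosecond intervals (I8).
function ConvertTo-AdInterval {
    param([timespan]$Span)
    return (-1 * $Span.Ticks).ToString()   # one .NET tick = 100 ns
}

$domainDn = "DC=contoso,DC=com"   # assumption: replace with your domain
$psoDn    = "CN=AdminPSO,CN=Password Settings Container,CN=System,$domainDn"
$groupDn  = "CN=Domain Admins,CN=Users,$domainDn"

# All ten settings below are mandatory on a PSO. A lower precedence value
# wins when more than one PSO applies to the same user.
$ldif = @"
dn: $psoDn
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 10
msDS-MinimumPasswordLength: 15
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-MinimumPasswordAge: $(ConvertTo-AdInterval (New-TimeSpan -Days 1))
msDS-MaximumPasswordAge: $(ConvertTo-AdInterval (New-TimeSpan -Days 42))
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ConvertTo-AdInterval (New-TimeSpan -Minutes 30))
msDS-LockoutDuration: $(ConvertTo-AdInterval (New-TimeSpan -Minutes 30))
msDS-PSOAppliesTo: $groupDn
"@

$ldfPath = Join-Path $env:TEMP "AdminPSO.ldf"
$ldif | Out-File -FilePath $ldfPath -Encoding ASCII
ldifde -i -f $ldfPath

# Verify: msDS-ResultantPSO is a constructed attribute, so it must be
# requested explicitly; an empty result means the domain default policy applies.
$user = [ADSI]"LDAP://CN=admin1,CN=Users,$domainDn"   # assumption: test account
$user.RefreshCache(@("msDS-ResultantPSO"))
"Effective PSO for admin1: " + $user.Properties["msDS-ResultantPSO"].Value
```

Run the verification part on its own against any account to audit which PSO a user really gets before and after linking.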

GET STARTED

Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration

Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008 – Page 83

Video Screencast of editing the PSOs manually (no GUI tools)

Command Line Tool to create and manage PSOs (Joeware)

SpecOps GUI tool for PSOs

GUI tool which uses PowerShell cmdlets to manage PSOs by Quest

Fine Grain Password Policy Tool - Another GUI tool created by a Microsoft employee

Blog post with Powershell examples on managing PSOs

Get Server 2008 Beta 3