In Windows Server 2003 SP1 or R2, one of the major limitations was that you could only have one password policy per domain. Pain, right? The product team realized this was a major pain point for many customers, so they added new password policy functionality to Windows Server 2008, available as of Beta 3.
In Windows Server 2008 we now have the concept of password settings objects, or PSOs. Every PSO contains the same password-related settings you're familiar with from Windows Server 2000/2003, such as lockout duration, minimum password age, and so on.
A cool common use scenario: All domain administrators have a more complex password policy while the rest of the users in the domain have a less-restrictive password policy.
So what are some things you can do now with Password policies (PSOs)?
- Create and link as many PSOs as you’d like
- Link a PSO to one or more users or global security groups
- Override the PSO that individual users in a group would otherwise receive by linking a different PSO directly to them (an exceptional PSO).
- Create a precedence for the PSO (so one will have a higher priority than another)
- Delegate who can link or modify individual PSOs to specific users or groups. (Only Domain Admins can create PSOs.)
- Hide the Password policy settings from the user
- PSOs do not interfere with custom password filters
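The list above, as an added example that is not part of the original post: creating two PSOs with different precedence, linking each to a global security group, and checking which one a user actually ends up with. It assumes the Active Directory PowerShell module (shipped with Windows Server 2008 R2 and RSAT); the 2008 RTM release the post describes has no such cmdlets, so there the same attributes are set with ADSIEdit. The PSO names and the user `jsmith` are placeholders.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module (Server 2008 R2 / RSAT). PSO names and 'jsmith' are placeholders.
Import-Module ActiveDirectory

# Strict policy for Domain Admins. When a user matches several group-linked PSOs,
# the one with the LOWER Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-DomainAdmins' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -PasswordHistoryCount 24 -LockoutThreshold 5 `
    -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# Less restrictive policy for the rest of the domain.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Users' -Precedence 100 `
    -ComplexityEnabled $true -MinPasswordLength 8 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -PasswordHistoryCount 12 -LockoutThreshold 10 `
    -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

# PSOs can only be linked to users and global security groups, not to OUs or computers.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-DomainAdmins' -Subjects 'Domain Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Users'        -Subjects 'Domain Users'

# An admin is in both groups; Precedence 10 beats 100, so PSO-DomainAdmins applies.
# A PSO linked directly to the user (an exceptional PSO) would override both.
# Always verify the resultant policy instead of assuming it:
Get-ADUserResultantPasswordPolicy -Identity 'jsmith' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

Checking the resultant policy is the step worth keeping in any change procedure: a PSO that is created but never linked, or linked to a domain local group instead of a global one, silently leaves the user on the default domain policy.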
What are some of the downfalls?
- No official Microsoft GUI for setting up the policies. There is a third-party tool for this (link below), but otherwise you'll have to use ADSIEdit to create and manage PSOs.
- Inability to assign a PSO to a computer or directly to an OU. However, you can link the PSO to a "shadow group" for the OU and then add or remove the users who reside in that OU as group members, either manually or by script.
- Your domain must be at the Windows Server 2008 domain functional level (all DCs in the domain running Server 2008). Not surprising, but it should be pointed out in case you were thinking you could roll this out in a mixed 2003/2008 domain.
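The shadow-group workaround from the second point above, as an added example that is not part of the original post: a script that keeps a global security group's membership equal to the set of users in an OU, so that a PSO linked to the group effectively applies to the OU. It assumes the Active Directory PowerShell module (Server 2008 R2 / RSAT); the OU path and group name are placeholders.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module. $ou and $group are placeholders; $group must already exist as a
# global security group, since that is the only group type a PSO can be linked to.
Import-Module ActiveDirectory

$ou    = 'OU=Finance,DC=example,DC=com'
$group = 'PSO-Shadow-Finance'

# Users currently under the OU (including sub-OUs) and users currently in the group,
# both as distinguished names so they can be compared directly.
$inOu = Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * |
    Select-Object -ExpandProperty DistinguishedName
$inGroup = Get-ADGroupMember -Identity $group |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty distinguishedName

# Users in the OU but not yet in the group get added; users who left the OU get removed,
# so a moved account stops receiving the OU's password policy.
$toAdd    = @($inOu    | Where-Object { $inGroup -notcontains $_ })
$toRemove = @($inGroup | Where-Object { $inOu    -notcontains $_ })

if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

# Report the delta so a scheduled run leaves an auditable trail.
Write-Output ("Shadow group {0}: added {1}, removed {2}" -f $group, $toAdd.Count, $toRemove.Count)
```

Run it on a schedule (a scheduled task on a DC is the usual choice); the removal step matters as much as the addition, because without it users moved out of the OU keep the group's policy indefinitely.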
So how do I get started? Check out these tools and the GUI PSO tool.