Fine-Grained Password Policies (FGPP)


Hi,


    Having played with FGPPs recently at TechEd, I figured that it would be good to publish the attributes that are required to create one and their value types.


The attributes required for creating a fine-grained password policy. A policy is a Password Settings Object (PSO) of object class msDS-PasswordSettings, created under CN=Password Settings Container,CN=System,<domain DN>; the domain must be at the Windows Server 2008 functional level. All ten attributes below are mandatory, so the object will not be created if any of them is missing. The eleventh, msDS-PSOAppliesTo, is optional and holds the DNs of the users and global security groups the policy applies to.


msDS-PasswordSettingsPrecedence


 This is a positive integer you choose yourself. When more than one PSO applies to a user, a PSO linked directly to the user wins over one linked through group membership, and among the remaining candidates the one with the lowest precedence value wins. Leave gaps in the numbering (10, 20, 30 ...) so that policies can be slotted in between later.


msDS-PasswordReversibleEncryptionEnabled


 This attribute is a boolean and defines whether the passwords of the accounts to which the Password Settings Object applies are stored with reversible encryption. Reversible encryption is equivalent to storing the password in cleartext for anyone who can read the directory database, and it is only needed by protocols such as CHAP or Digest authentication that must see the actual password. The default and best practice is "FALSE".
 
msDS-PasswordHistoryLength


 This setting defines how many of the user's previous passwords are remembered and cannot be reused (to prevent the user from flipping back and forth between two passwords, or changing it repeatedly in one sitting until the old password is allowed again). Note that without a minimum password age the history can still be cycled through quickly, which is why the two settings belong together.
The domain default is to remember the last 24 passwords of that user.
 
msDS-PasswordComplexityEnabled


 This attribute is a boolean, and defines whether the password must be complex. A complex password contains characters from at least three of the following five categories: lowercase letters, uppercase letters, digits, non-alphanumeric symbols, and other Unicode characters. It must also not contain the user's sAMAccountName or any part of the user's display name that is three or more characters long.
The domain default and best practice is to turn it on (TRUE).
 
msDS-MinimumPasswordLength


 This attribute defines the minimum length of a password in characters. The domain default is 7 characters; current guidance is considerably longer than that, and a separate PSO with a high minimum length is a typical use for privileged and service accounts.
 
msDS-MinimumPasswordAge


Defines the minimum age of passwords, i.e. how long a user has to wait after a change before changing the password again. Like all the time-valued attributes below it is a LargeInteger (I8) holding the negative number of 100-nanosecond intervals: one day is 86,400 seconds x 10,000,000 intervals per second = 864,000,000,000, stored as -864000000000. You can compile/decompile such values using the scripts at http://msdn2.microsoft.com/en-us/library/ms974598…. as a guideline. The minimum age must not exceed the maximum age, or the directory rejects the PSO.
(domain default: 1 day = -864000000000)
 
msDS-MaximumPasswordAge


Defines the maximum age of passwords, i.e. after how long the user is forced to change it.
This is a negative number in the same 100-nanosecond units. The special value -9223372036854775808 (the most negative 64-bit integer) means the password never expires.
(domain default: 42 days = -36288000000000)
 
msDS-LockoutThreshold


 Defines after how many failed logon attempts with a wrong password the user object is locked out.
(domain default: 0 = never lock out accounts because of invalid passwords)
 
msDS-LockoutObservationWindow


 After how much time since the last failed attempt should the "bad password counter" be reset? Again a negative number of 100-nanosecond intervals; this window must not be longer than msDS-LockoutDuration, or the PSO is rejected.
(domain default: 30 min = -18000000000)
 
msDS-LockoutDuration


 How long should the account stay locked out once the threshold is reached? Same encoding as above.
(domain default: 30 min = -18000000000)
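
To tie the attributes together, here is an added example (not part of the original post) that encodes the time values by hand, checks the two ordering constraints, creates a PSO from the ten mandatory attributes with New-ADObject, links it to a group and reads the result back. It assumes the ActiveDirectory PowerShell module, a Domain Admin session, a domain at the Windows Server 2008 functional level or higher, and that the PSO name "PSO-ServiceAccounts", the group "ServiceAccounts" and the user "svc-backup" are placeholders you replace with your own.

```powershell
# Added example, not the original post's code. Placeholders: PSO-ServiceAccounts,
# ServiceAccounts, svc-backup. Requires the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

# The msDS-*Age/Window/Duration attributes hold a NEGATIVE count of 100-nanosecond
# intervals. .NET TimeSpan ticks are also 100 ns, so encoding is just negating the ticks.
function ConvertTo-PsoInterval {
    param([Parameter(Mandatory)][TimeSpan]$Span)
    if ($Span -lt [TimeSpan]::Zero) { throw "Span must not be negative" }
    return [Int64](-$Span.Ticks)
}

# Decode for display; the most negative Int64 is the "never" sentinel (e.g. password never expires).
function ConvertFrom-PsoInterval {
    param([Parameter(Mandatory)][Int64]$Value)
    if ($Value -eq [Int64]::MinValue) { return 'never' }
    return [TimeSpan]::FromTicks(-$Value)
}

# Self-check against the domain defaults quoted above: 1 day and 42 days.
if ((ConvertTo-PsoInterval (New-TimeSpan -Days 1))  -ne -864000000000)   { throw 'encoding error (1 day)' }
if ((ConvertTo-PsoInterval (New-TimeSpan -Days 42)) -ne -36288000000000) { throw 'encoding error (42 days)' }

$minAge  = New-TimeSpan -Days 1
$maxAge  = New-TimeSpan -Days 60
$window  = New-TimeSpan -Minutes 30
$lockout = New-TimeSpan -Minutes 30

# The DC rejects a PSO that violates either relation, so fail early with a readable message.
if ($minAge -gt $maxAge)  { throw 'msDS-MinimumPasswordAge must not exceed msDS-MaximumPasswordAge' }
if ($window -gt $lockout) { throw 'msDS-LockoutObservationWindow must not exceed msDS-LockoutDuration' }

# All ten mandatory attributes of msDS-PasswordSettings.
$attrs = @{
    'msDS-PasswordSettingsPrecedence'          = 10       # lower value wins; leave gaps for later policies
    'msDS-PasswordReversibleEncryptionEnabled' = $false   # never TRUE unless a CHAP/Digest consumer needs it
    'msDS-PasswordHistoryLength'               = 24
    'msDS-PasswordComplexityEnabled'           = $true
    'msDS-MinimumPasswordLength'               = 15
    'msDS-MinimumPasswordAge'                  = ConvertTo-PsoInterval $minAge
    'msDS-MaximumPasswordAge'                  = ConvertTo-PsoInterval $maxAge
    'msDS-LockoutThreshold'                    = 5
    'msDS-LockoutObservationWindow'            = ConvertTo-PsoInterval $window
    'msDS-LockoutDuration'                     = ConvertTo-PsoInterval $lockout
}

$domainDn = (Get-ADDomain).DistinguishedName
$psoPath  = "CN=Password Settings Container,CN=System,$domainDn"
$psoDn    = "CN=PSO-ServiceAccounts,$psoPath"

New-ADObject -Name 'PSO-ServiceAccounts' -Type 'msDS-PasswordSettings' -Path $psoPath -OtherAttributes $attrs

# msDS-PSOAppliesTo is a multi-valued DN attribute; link to a global security group rather than
# to individual users so membership changes do not require touching the PSO.
$group = Get-ADGroup -Identity 'ServiceAccounts'
Set-ADObject -Identity $psoDn -Add @{ 'msDS-PSOAppliesTo' = $group.DistinguishedName }

# Read the stored raw values back and decode them, to confirm what actually landed in the directory.
$pso = Get-ADObject -Identity $psoDn -Properties *
'msDS-MinimumPasswordAge', 'msDS-MaximumPasswordAge', 'msDS-LockoutObservationWindow', 'msDS-LockoutDuration' |
    ForEach-Object { '{0,-32} {1,18}  = {2}' -f $_, $pso.$_, (ConvertFrom-PsoInterval $pso.$_) }

# Resultant policy for a member: this is what the DC will enforce after precedence resolution.
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold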


I hope you find this useful 🙂

Comments (1)

  1. Vijay Suthar says:

    Very Easy Explanation. Thank you 🙂