Fine Grain Password Policies (FGPP)

  • Article

Hi,

    Having played with FGPP's recently at Teched, I figured that it would be good to publish the attributes that are required to create one and their value types.

The attributes required for creating a fine grain password policy.

msDS-PasswordSettingsPrecendence

 This is just a number you can make up (make sure you leave some space in the numbering for future use) 

msDS-PasswordReversibleEncryptionEnabled

 This attribute is boolean and defines if you want to store the passwords of the accounts (to whom the Password Settings Object applies) in reversible encryption or not. The default and best practice is "FALSE"
 
msDS-PasswordHistoryLength

 This setting defines how many old passwords the user cannot reuse again (to prevent the user from changing the password back and forward to the same one, or changing it multiple times until he's able to reuse his old password).
The domain default is not to allow the last 24 passwords of that user.
 
msDS-PasswordComplexityEnabled

 This attribute is a boolean, and defines if the password needs to be complex (does have at least three of the following character sets applied: lower letters, captial letters, numbers, symbols, unicode characters).
The domain default and best practice would  be to turn it on (TRUE).
 
msDS-MinimumPasswordLength

 This attribute defines the minimum lenght of a Password in characters. The domain default would be 7 characters long.
 
msDS-MinimumPasswordAge

Defining the minimum age for Passwords.  This is a negative number which you can compile/decompile using the scripts at https://msdn2.microsoft.com/en-us/library/ms974598.... as a guideline.
(domain default: 1 day = -864000000000)
 
msDS-MaximumPasswordAge

Defining the maximum age for Passwords.
This is a negative number.
(domain default: 42 days = -36288000000000)
 
msDS-LockoutThreshold

 Defines after how many failed attempts entering a password the user-object will be locked.
(domain default: 0 = don't lockout accounts after invalid passwords)
 
msDS-LockoutObservationWindow

 After which time should the "bad password counter" been reset?
(domain default: 6 min = -18000000000)
 
msDS-LockoutDuration

 How long should a password being locked?
(domain default: 6 min = -18000000000)

I hope you find this useful :)