Solved

Question Windows 2008 Fine Grain Password Policies

Posted on 2010-09-10
17
1,705 Views
Last Modified: 2012-05-10
I'm creating a new fine grain password policy and have the following question.
I need to have my user accounts set to never unlock automatically so I'm setting the
msDS-LockoutDuration value to: 00:00:00:00 / If I set the msDS-LockOutDuration Windows to 00:00:00:00 does this means that a user failed login attempts would be logged over the course of months?

Isn't is recommend to set both the lockout duration and window to the same vaule so in my case, both should be zero?

Also is there graphical native reports that I can run to show all policies both GP applied and PSO that a user is processing?
0
Comment
Question by:compdigit44
  • 9
  • 7
17 Comments
 
LVL 4

Expert Comment

by:ChandarS
ID: 33647817
Hi,

Please check he below link for deep ...

http://technet.microsoft.com/en-us/library/cc754461(WS.10).aspx

Reg,
Chandar Singh
0
 
LVL 19

Author Comment

by:compdigit44
ID: 33647921
Thanks...
I have this article I guess that I'm asking what does setting msDS-LockOutDuration Window to "0" really mean??????
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33647971
Setting the LockOutDuration to 0 means that the account will be locked until an Administrator unlocks it. The lockout counter is solely based on invalid attempts. Once they are exceeded, the account will remain locked.

Use the Group Policy Management Console for a graphical report of applied policies for specific users and computers.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 19

Author Comment

by:compdigit44
ID: 33648270
But the group policy MMC only show GP setting and not the PSO and need a report that will show both!!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648314
If you're going to do fine-grained password policies, there's only one additional configuration from a GPO. Maybe a GUI tool would be helpful, I prefer this one from Dmitry Sotnikov:

http://dmitrysotnikov.wordpress.com/2007/06/19/free-ui-console-for-fine-grained-password-policies/

Or this one has more PowerShell options, you might be able to generate a report that way:

http://blogs.chrisse.se/blogs/chrisse/archive/2007/07/14/fine-grain-password-policy-tool-beta-1-is-ready.aspx
0
 
LVL 19

Author Comment

by:compdigit44
ID: 33648373
I'm still confused about msDs-LockOutDuration Windows: If this is set to zero is a cumulative count which will never be reset correct? What happens when the account is unlocked? Is the lockout count reset then?
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648448
msDS-LockoutObservationWindow is the counter value, the time in which a user has to fail login.

So, if you have it set to 60 minutes, and your max number of failed attempts is set to 5, a user that fails 5 times within 60 minutes will be locked. If they login successfully within that time period, the counter is reset. The idea is to set a specific number of times you can fail login within a time period.

Because of your other settings in msDS-LockoutDuration, the account will remain locked after 60 minutes, despite the lockout counter being reset.
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648459
Maybe this can help as well:

The value of msDS-LockoutObservationWindow cannot be larger than the value of msDS-LockoutDuration. The msDS-LockoutObservationWindow determines how long the bad password counter is active. The msDS-LockoutDuration  determines how long an account stays locked out for when the bad password count threshold is reached. It is not possible to keep the bad password counter active longer than the time that the account is locked out.

From TechNet: http://technet.microsoft.com/en-us/library/cc753858%28WS.10%29.aspx
0
 
LVL 19

Author Comment

by:compdigit44
ID: 33648800
Still confused so if my lockoutduration is 0 and lockout duration window is 0 WHAT DOES THIS MEAN !!!!!!!!!!!!!!!!!!!!!!!1
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648887
It means that your accounts will lock, and not unlock until an administrator intervenes.

The logging factors are separate values that must be configured elsewhere.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 33649068
so if my duration is set to 0 then the duration is a mute point??
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33649274
Yes. As the TechNet article says, "The value of msDS-LockoutObservationWindow cannot be larger than the value of msDS-LockoutDuration."
0
 
LVL 19

Author Comment

by:compdigit44
ID: 33649294
If you implement a PSO using ADSIEDIT how do you know if the users can you be 100% sure the user are process the PSO and not the default domai policy???
0
 
LVL 7

Accepted Solution

by:
grantsewell earned 500 total points
ID: 33649463
msDS-PasswordSettingsPrecedence is an attribute that sets specific precedence over policies - the lower the number, the higher the priority.

You can verify the PSO that is ultimately applied to the user by querying the msDS-ResultantPso user attribute.

Please, read the TechNet references thoroughly! This is all explained in there: http://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx
0
 
LVL 19

Author Comment

by:compdigit44
ID: 33649569
I know about the msDS-ResultantPso user attribute.
 but I didn't know if their was a way to be 110% certain..

in other words I'm worried that even if my msDS-ResultantPso user attribute.
feid is showing that a PSO is being applied to a user in may not accutally be working
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33649588
I have never heard of issues with the msDS-ResultantPso. I suggest testing after moving users between groups and verifying that it works properly. There's only so much you can do.

Good luck!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33651782
So did this information work out for you?
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question