Solved

Question: Windows 2008 Fine Grain Password Policies

Posted on 2010-09-10
17
Medium Priority
1,827 Views
Last Modified: 2012-05-10
I'm creating a new fine grain password policy and have the following question.
I need to have my user accounts set to never unlock automatically, so I'm setting the
msDS-LockoutDuration value to: 00:00:00:00 / If I set the msDS-LockOutDuration Window to 00:00:00:00, does this mean that a user's failed login attempts would be logged over the course of months?

Isn't it recommended to set both the lockout duration and window to the same value, so in my case both should be zero?

Also, are there native graphical reports that I can run to show all policies, both GP-applied and PSO, that a user is processing?
0
Question by:compdigit44
17 Comments
 
LVL 4

Expert Comment

by:ChandarS
ID: 33647817
Hi,

Please check the link below for details ...

http://technet.microsoft.com/en-us/library/cc754461(WS.10).aspx

Reg,
Chandar Singh
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33647921
Thanks...
I have this article; I guess what I'm asking is what does setting msDS-LockOutDuration Window to "0" really mean?
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33647971
Setting the LockOutDuration to 0 means that the account will be locked until an Administrator unlocks it. The lockout counter is solely based on invalid attempts. Once they are exceeded, the account will remain locked.

Use the Group Policy Management Console for a graphical report of applied policies for specific users and computers.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33648270
But the Group Policy MMC only shows GP settings and not the PSO, and I need a report that will show both!!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648314
If you're going to do fine-grained password policies, there's only one additional configuration from a GPO. Maybe a GUI tool would be helpful, I prefer this one from Dmitry Sotnikov:

http://dmitrysotnikov.wordpress.com/2007/06/19/free-ui-console-for-fine-grained-password-policies/

Or this one has more PowerShell options, you might be able to generate a report that way:

http://blogs.chrisse.se/blogs/chrisse/archive/2007/07/14/fine-grain-password-policy-tool-beta-1-is-ready.aspx
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33648373
I'm still confused about msDS-LockOutDuration Window: if this is set to zero, is it a cumulative count which will never be reset, correct? What happens when the account is unlocked? Is the lockout count reset then?
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648448
msDS-LockoutObservationWindow is the counter value, the time in which a user has to fail login.

So, if you have it set to 60 minutes, and your max number of failed attempts is set to 5, a user that fails 5 times within 60 minutes will be locked. If they login successfully within that time period, the counter is reset. The idea is to set a specific number of times you can fail login within a time period.

Because of your other settings in msDS-LockoutDuration, the account will remain locked after 60 minutes, despite the lockout counter being reset.
0
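The interaction the answer above describes (counter reset by the observation window, lockout at the threshold, duration 0 meaning no automatic unlock) is easier to see traced through. The following is an added example, not code from the thread or from Microsoft; it is a small model with assumed semantics (the counter resets once the observation window has elapsed since the last bad password; a lockout duration of 0 means only an administrator can unlock), and the timestamps are constructed sample input:

```powershell
# Added example (not from this thread): a model of how msDS-LockoutThreshold,
# msDS-LockoutObservationWindow and msDS-LockoutDuration interact.
# Assumed semantics: the bad-password counter resets once the observation window
# has elapsed since the last bad password; reaching the threshold locks the
# account; a lockout duration of 0 means no automatic unlock (admin must unlock).
function Get-LockoutOutcome {
    param(
        [Parameter(Mandatory=$true)][datetime[]]$BadPasswordTimes, # constructed sample input
        [int]$LockoutThreshold = 5,            # msDS-LockoutThreshold
        [int]$ObservationWindowMinutes = 60,   # msDS-LockoutObservationWindow
        [int]$LockoutDurationMinutes = 0       # msDS-LockoutDuration; 0 = admin unlock only
    )
    $badPwdCount = 0
    $lastBad     = $null
    $lockedAt    = $null
    foreach ($t in ($BadPasswordTimes | Sort-Object)) {
        if ($null -ne $lastBad -and ($t - $lastBad).TotalMinutes -ge $ObservationWindowMinutes) {
            $badPwdCount = 0   # window expired since the last bad password: counter starts over
        }
        $badPwdCount++
        $lastBad = $t
        if ($LockoutThreshold -gt 0 -and $badPwdCount -ge $LockoutThreshold) {
            $lockedAt = $t     # threshold reached: account is locked from this moment
            break
        }
    }
    $autoUnlockAt = $null
    if ($null -ne $lockedAt -and $LockoutDurationMinutes -gt 0) {
        $autoUnlockAt = $lockedAt.AddMinutes($LockoutDurationMinutes)
    }
    [pscustomobject]@{
        BadPwdCount      = $badPwdCount
        LockedOut        = ($null -ne $lockedAt)
        LockedAt         = $lockedAt
        AutoUnlockAt     = $autoUnlockAt
        NeedsAdminUnlock = ($null -ne $lockedAt -and $LockoutDurationMinutes -eq 0)
    }
}

# Constructed sample: five bad passwords, with a two-hour gap after the third one.
$base     = Get-Date '2010-09-10 09:00'
$attempts = @(0, 5, 10, 130, 135) | ForEach-Object { $base.AddMinutes($_) }

# 60-minute window, threshold 5: the gap resets the counter, only 2 count, nothing locks.
Get-LockoutOutcome -BadPasswordTimes $attempts -LockoutThreshold 5 -ObservationWindowMinutes 60

# Threshold 3: the first three attempts lock the account at 09:10. Duration 0 gives
# no AutoUnlockAt and NeedsAdminUnlock = True, which is the asker's configuration.
Get-LockoutOutcome -BadPasswordTimes $attempts -LockoutThreshold 3 -ObservationWindowMinutes 60 -LockoutDurationMinutes 0

# Same attempts with a 30-minute duration: the account would unlock on its own at 09:40.
Get-LockoutOutcome -BadPasswordTimes $attempts -LockoutThreshold 3 -ObservationWindowMinutes 60 -LockoutDurationMinutes 30
```

The third call is the one to compare against the first two: the observation window only governs how long failed attempts keep accumulating, while the duration decides whether a lock ever clears by itself. With duration 0 the window setting still matters for reaching the threshold, but once locked, nothing but an administrator changes the state.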
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648459
Maybe this can help as well:

The value of msDS-LockoutObservationWindow cannot be larger than the value of msDS-LockoutDuration. The msDS-LockoutObservationWindow determines how long the bad password counter is active. The msDS-LockoutDuration determines how long an account stays locked out for when the bad password count threshold is reached. It is not possible to keep the bad password counter active longer than the time that the account is locked out.

From TechNet: http://technet.microsoft.com/en-us/library/cc753858%28WS.10%29.aspx
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33648800
Still confused, so if my lockout duration is 0 and lockout duration window is 0, WHAT DOES THIS MEAN!!!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648887
It means that your accounts will lock, and not unlock until an administrator intervenes.

The logging factors are separate values that must be configured elsewhere.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33649068
So if my duration is set to 0, then the duration is a moot point??
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33649274
Yes. As the TechNet article says, "The value of msDS-LockoutObservationWindow cannot be larger than the value of msDS-LockoutDuration."
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33649294
If you implement a PSO using ADSIEDIT, how can you be 100% sure the users are processing the PSO and not the default domain policy???
0
 
LVL 7

Accepted Solution

by:grantsewell (earned 2000 total points)
ID: 33649463
msDS-PasswordSettingsPrecedence is an attribute that sets specific precedence over policies - the lower the number, the higher the priority.

You can verify the PSO that is ultimately applied to the user by querying the msDS-ResultantPso user attribute.

Please, read the TechNet references thoroughly! This is all explained in there: http://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx
0
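The accepted answer says to check msDS-PasswordSettingsPrecedence across PSOs and msDS-ResultantPso on the user; the original question also asked for a single report that shows the GP-applied domain policy next to the PSOs. The script below is an added example, not code from the thread, and it assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 / RSAT; the thread's ADSIEDIT-based setup does not require it) and a placeholder user name `jdoe`:

```powershell
# Added example (not from this thread): one report covering the domain default
# password policy, every PSO with its precedence and lockout values, and the PSO
# the DC resolves for a given user. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$UserName = 'jdoe'   # placeholder account name; replace with the user to check

# 1. The domain default, which comes from the Default Domain Policy GPO.
Write-Host '== Default domain password policy (GPO) =='
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow,
                  MinPasswordLength, MaxPasswordAge

# 2. Every PSO, sorted so the winning (lowest) precedence number comes first.
#    A LockoutDuration of 00:00:00 is the "locked until an admin unlocks" setting.
Write-Host '== Fine-grained password policies (lower Precedence wins) =='
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, LockoutObservationWindow,
        @{ n = 'AppliesTo'
           e = { (Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
                  Select-Object -ExpandProperty Name) -join ', ' } }

# 3. The PSO the DC computes for this user. No output means no PSO applies and the
#    user falls back to the domain default above.
Write-Host "== Resultant password policy for $UserName =="
$resultant = Get-ADUserResultantPasswordPolicy -Identity $UserName
if ($null -ne $resultant) {
    $resultant | Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, LockoutObservationWindow
} else {
    "No PSO applies to $UserName; the domain default policy is in effect."
}

# 4. Cross-check with the raw attribute the answer names, plus the live lockout state.
#    badPwdCount is per-DC and not replicated, so query the DC the user authenticates against.
Get-ADUser -Identity $UserName -Properties 'msDS-ResultantPSO', badPwdCount, LockedOut |
    Select-Object SamAccountName, 'msDS-ResultantPSO', badPwdCount, LockedOut
```

Running this before and after moving a test user between the groups a PSO targets (the verification the next comment suggests) shows the msDS-ResultantPSO value change, and the badPwdCount / LockedOut columns show whether the lockout settings of that PSO are actually the ones being enforced.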
 
LVL 20

Author Comment

by:compdigit44
ID: 33649569
I know about the msDS-ResultantPso user attribute, but I didn't know if there was a way to be 110% certain.

In other words, I'm worried that even if my msDS-ResultantPso user attribute field is showing that a PSO is being applied to a user, it may not actually be working.
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33649588
I have never heard of issues with the msDS-ResultantPso. I suggest testing after moving users between groups and verifying that it works properly. There's only so much you can do.

Good luck!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33651782
So did this information work out for you?
0
