Solved

Question: Windows 2008 Fine Grain Password Policies

Posted on 2010-09-10
Last Modified: 2012-05-10
I'm creating a new fine grain password policy and have the following question.
I need to have my user accounts set to never unlock automatically, so I'm setting the
msDS-LockoutDuration value to: 00:00:00:00. If I set the msDS-LockOutDuration Window to 00:00:00:00, does this mean that a user's failed login attempts would be logged over the course of months?

Isn't it recommended to set both the lockout duration and window to the same value? So in my case, both should be zero?

Also, are there native graphical reports that I can run to show all policies, both GP applied and PSO, that a user is processing?
Question by:compdigit44
17 Comments

Expert Comment by: ChandarS
Hi,

Please check the link below for a deep dive ...

http://technet.microsoft.com/en-us/library/cc754461(WS.10).aspx

Reg,
Chandar Singh

Author Comment by: compdigit44
Thanks...
I have this article. I guess what I'm asking is: what does setting the msDS-LockOutDuration Window to "0" really mean?

Expert Comment by: grantsewell
Setting the LockOutDuration to 0 means that the account will be locked until an Administrator unlocks it. The lockout counter is solely based on invalid attempts. Once they are exceeded, the account will remain locked.

Use the Group Policy Management Console for a graphical report of applied policies for specific users and computers.

Author Comment by: compdigit44
But the Group Policy MMC only shows GP settings and not the PSO, and I need a report that will show both!

Expert Comment by: grantsewell
If you're going to do fine-grained password policies, there's only one additional configuration beyond a GPO. Maybe a GUI tool would be helpful; I prefer this one from Dmitry Sotnikov:

http://dmitrysotnikov.wordpress.com/2007/06/19/free-ui-console-for-fine-grained-password-policies/

Or this one has more PowerShell options, you might be able to generate a report that way:

http://blogs.chrisse.se/blogs/chrisse/archive/2007/07/14/fine-grain-password-policy-tool-beta-1-is-ready.aspx

Author Comment by: compdigit44
I'm still confused about msDs-LockOutDuration Windows: if this is set to zero, it is a cumulative count which will never be reset, correct? What happens when the account is unlocked? Is the lockout count reset then?

Expert Comment by: grantsewell
msDS-LockoutObservationWindow is the counter value, the time in which a user has to fail login.

So, if you have it set to 60 minutes, and your max number of failed attempts is set to 5, a user that fails 5 times within 60 minutes will be locked. If they log in successfully within that time period, the counter is reset. The idea is to set a specific number of times you can fail login within a time period.

Because of your other settings in msDS-LockoutDuration, the account will remain locked after 60 minutes, despite the lockout counter being reset.

Expert Comment by: grantsewell
Maybe this can help as well:

The value of msDS-LockoutObservationWindow cannot be larger than the value of msDS-LockoutDuration. The msDS-LockoutObservationWindow determines how long the bad password counter is active. The msDS-LockoutDuration determines how long an account stays locked out for when the bad password count threshold is reached. It is not possible to keep the bad password counter active longer than the time that the account is locked out.

From TechNet: http://technet.microsoft.com/en-us/library/cc753858%28WS.10%29.aspx
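The lockout behaviour grantsewell describes in his two comments above (a threshold of failures inside the observation window locks the account; the lockout duration decides when it unlocks, and a duration of 0 means locked until an administrator clears it) can be traced on sample input with a small model. This is an added example, not code from the thread, from Microsoft, or from a DC's real implementation; it is a simplified illustration of those rules, and the timestamps and policy values are constructed:

```powershell
# Added example: a toy model of the AD bad-password counter. Not the DC's
# actual logic; it only reproduces the rules discussed in the thread.
function New-LockoutModel {
    param(
        [int]$Threshold,               # msDS-LockoutThreshold (0 = never lock)
        [timespan]$ObservationWindow,  # msDS-LockoutObservationWindow
        [timespan]$LockoutDuration     # msDS-LockoutDuration (0 = locked until an admin unlocks)
    )
    [pscustomobject]@{
        Threshold         = $Threshold
        ObservationWindow = $ObservationWindow
        LockoutDuration   = $LockoutDuration
        BadPwdCount       = 0
        BadPwdTime        = $null      # time of the most recent failure
        LockoutTime       = $null      # time the account was locked, $null when not locked
    }
}

function Test-Locked {
    param($Model, [datetime]$Now)
    if ($null -eq $Model.LockoutTime) { return $false }
    # A duration of zero never expires: only Unlock-Model clears it
    if ($Model.LockoutDuration -eq [timespan]::Zero) { return $true }
    return (($Now - $Model.LockoutTime) -lt $Model.LockoutDuration)
}

function Add-Attempt {
    param($Model, [datetime]$Now, [bool]$Success)
    $stamp = $Now.ToString('HH:mm')
    if (Test-Locked -Model $Model -Now $Now) {
        return "$stamp rejected: account is locked"
    }
    if ($null -ne $Model.LockoutTime) {   # a finite lockout duration has expired
        $Model.LockoutTime = $null
        $Model.BadPwdCount = 0
    }
    if ($Success) {
        $Model.BadPwdCount = 0            # successful logon resets the counter
        return "$stamp success: bad password counter reset"
    }
    # The counter only survives while failures fall inside the observation window
    if ($null -ne $Model.BadPwdTime -and ($Now - $Model.BadPwdTime) -gt $Model.ObservationWindow) {
        $Model.BadPwdCount = 0
    }
    $Model.BadPwdCount++
    $Model.BadPwdTime = $Now
    if ($Model.Threshold -gt 0 -and $Model.BadPwdCount -ge $Model.Threshold) {
        $Model.LockoutTime = $Now
        return "$stamp LOCKED after $($Model.BadPwdCount) failures"
    }
    return "$stamp failure $($Model.BadPwdCount) of $($Model.Threshold)"
}

function Unlock-Model {   # what an administrator's "Unlock account" does
    param($Model)
    $Model.LockoutTime = $null
    $Model.BadPwdCount = 0
}

# Constructed scenario: 5 failures, 60-minute window, as in the comment above
$t0 = Get-Date '2010-09-10 09:00'
$strict = New-LockoutModel -Threshold 5 -ObservationWindow (New-TimeSpan -Minutes 60) -LockoutDuration ([timespan]::Zero)
foreach ($i in 1..5) { Add-Attempt $strict $t0.AddMinutes(5 * $i) $false }
Add-Attempt $strict $t0.AddHours(3) $true    # rejected: duration 0 never expires
Unlock-Model $strict
Add-Attempt $strict $t0.AddHours(3) $true    # success once an admin has unlocked

$auto = New-LockoutModel -Threshold 5 -ObservationWindow (New-TimeSpan -Minutes 60) -LockoutDuration (New-TimeSpan -Minutes 90)
foreach ($i in 1..5) { Add-Attempt $auto $t0.AddMinutes(5 * $i) $false }
Add-Attempt $auto $t0.AddHours(3) $true      # success: 90-minute lockout has already expired
```

The two runs show why the question keeps coming back to msDS-LockoutDuration: with a duration of 0 the observation window only governs how the five failures are counted, and once the account is locked the window no longer matters, which is the "moot point" reached later in the thread.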

Author Comment by: compdigit44
Still confused. So if my lockout duration is 0 and lockout duration window is 0, WHAT DOES THIS MEAN!!!

Expert Comment by: grantsewell
It means that your accounts will lock, and not unlock until an administrator intervenes.

The logging factors are separate values that must be configured elsewhere.

Author Comment by: compdigit44
So if my duration is set to 0, then the duration is a moot point?

Expert Comment by: grantsewell
Yes. As the TechNet article says, "The value of msDS-LockoutObservationWindow cannot be larger than the value of msDS-LockoutDuration."

Author Comment by: compdigit44
If you implement a PSO using ADSIEDIT, how can you be 100% sure the users are processing the PSO and not the default domain policy?

Accepted Solution by: grantsewell (earned 500 total points)
msDS-PasswordSettingsPrecedence is an attribute that sets specific precedence over policies - the lower the number, the higher the priority.

You can verify the PSO that is ultimately applied to the user by querying the msDS-ResultantPso user attribute.

Please, read the TechNet references thoroughly! This is all explained in there: http://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx
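The two checks in the accepted answer (PSO precedence and the per-user msDS-ResultantPSO attribute) can be run from the command line instead of ADSIEdit. This is an added example, not code from the thread or from Microsoft. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later) against a domain controller that supports it; the user name alice is made up:

```powershell
# Added example (assumes the ActiveDirectory module; "alice" is a placeholder user)
Import-Module ActiveDirectory

# Every PSO in the domain. When several apply to one user, the lowest
# Precedence (msDS-PasswordSettingsPrecedence) wins.
function Get-PsoOverview {
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Sort-Object Precedence |
        Select-Object Name, Precedence, LockoutThreshold,
                      LockoutObservationWindow, LockoutDuration, AppliesTo
}

# The policy the DC resolves for one user. msDS-ResultantPSO is a constructed
# attribute and must be requested explicitly; when no PSO applies the cmdlet
# returns nothing and the Default Domain Policy is in effect.
function Get-EffectiveLockoutPolicy {
    param([string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-ResultantPSO'
    $pso  = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($null -ne $pso) {
        [pscustomobject]@{
            Source           = 'PSO'
            Name             = $pso.Name
            Precedence       = $pso.Precedence
            LockoutThreshold = $pso.LockoutThreshold
            LockoutDuration  = $pso.LockoutDuration
        }
    } else {
        $d = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{
            Source           = 'Default Domain Policy'
            Name             = 'Default'
            Precedence       = $null
            LockoutThreshold = $d.LockoutThreshold
            LockoutDuration  = $d.LockoutDuration
        }
    }
}

# Empirical check after a deliberate lockout of a test account: badPwdCount is
# not replicated between DCs, so read the lockout state from each one.
function Get-LockoutStatePerDC {
    param([string]$SamAccountName)
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties badPwdCount, LockedOut, lockoutTime |
            Select-Object @{ n = 'DC'; e = { $dc.HostName } }, SamAccountName, badPwdCount, LockedOut, lockoutTime
    }
}

Get-PsoOverview | Format-Table -AutoSize
Get-EffectiveLockoutPolicy -SamAccountName 'alice' | Format-List
Get-LockoutStatePerDC -SamAccountName 'alice' | Format-Table -AutoSize
```

If Get-EffectiveLockoutPolicy reports the Default Domain Policy for a user you expected a PSO to cover, check the PSO's AppliesTo list: a PSO applies only to user objects and global security groups listed there, never to an OU, so a user in a domain local or universal group, or only in the right OU, will not pick it up.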

Author Comment by: compdigit44
I know about the msDS-ResultantPso user attribute, but I didn't know if there was a way to be 110% certain.

In other words, I'm worried that even if my msDS-ResultantPso user attribute field is showing that a PSO is being applied to a user, it may not actually be working.

Expert Comment by: grantsewell
I have never heard of issues with the msDS-ResultantPso. I suggest testing after moving users between groups and verifying that it works properly. There's only so much you can do.

Good luck!

Expert Comment by: grantsewell
So did this information work out for you?