Solved

Question Windows 2008 Fine Grain Password Policies

Posted on 2010-09-10
17
1,787 Views
Last Modified: 2012-05-10
I'm creating a new fine grain password policy and have the following question.
I need to have my user accounts set to never unlock automatically, so I'm setting the msDS-LockoutDuration value to 00:00:00:00. If I set the msDS-LockOutDuration Window to 00:00:00:00, does this mean that a user's failed login attempts would be logged over the course of months?

Isn't it recommended to set both the lockout duration and window to the same value, so in my case both should be zero?

Also, are there native graphical reports that I can run to show all policies, both GP-applied and PSO, that a user is processing?
0
Question by:compdigit44
17 Comments
 
LVL 4

Expert Comment

by:ChandarS
ID: 33647817
Hi,

Please check the link below for an in-depth ...

http://technet.microsoft.com/en-us/library/cc754461(WS.10).aspx

Regards,
Chandar Singh
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33647921
Thanks...
I have this article; I guess what I'm asking is what does setting the msDS-LockOutDuration Window to "0" really mean??????
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33647971
Setting the LockOutDuration to 0 means that the account will be locked until an Administrator unlocks it. The lockout counter is solely based on invalid attempts. Once they are exceeded, the account will remain locked.

Use the Group Policy Management Console for a graphical report of applied policies for specific users and computers.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33648270
But the Group Policy MMC only shows GP settings and not the PSO, and I need a report that will show both!!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648314
If you're going to do fine-grained password policies, there's only one additional configuration from a GPO. Maybe a GUI tool would be helpful; I prefer this one from Dmitry Sotnikov:

http://dmitrysotnikov.wordpress.com/2007/06/19/free-ui-console-for-fine-grained-password-policies/

Or this one has more PowerShell options; you might be able to generate a report that way:

http://blogs.chrisse.se/blogs/chrisse/archive/2007/07/14/fine-grain-password-policy-tool-beta-1-is-ready.aspx
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33648373
I'm still confused about the msDs-LockOutDuration Window: if this is set to zero, it is a cumulative count which will never be reset, correct? What happens when the account is unlocked? Is the lockout count reset then?
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648448
msDS-LockoutObservationWindow is the counter value, the time in which a user has to fail login.

So, if you have it set to 60 minutes, and your max number of failed attempts is set to 5, a user that fails 5 times within 60 minutes will be locked. If they log in successfully within that time period, the counter is reset. The idea is to set a specific number of times you can fail login within a time period.

Because of your other settings in msDS-LockoutDuration, the account will remain locked after 60 minutes, despite the lockout counter being reset.
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648459
Maybe this can help as well:

The value of msDS-LockoutObservationWindow cannot be larger than the value of msDS-LockoutDuration. The msDS-LockoutObservationWindow determines how long the bad password counter is active. The msDS-LockoutDuration determines how long an account stays locked out for when the bad password count threshold is reached. It is not possible to keep the bad password counter active longer than the time that the account is locked out.

From TechNet: http://technet.microsoft.com/en-us/library/cc753858%28WS.10%29.aspx
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33648800
Still confused. So if my lockout duration is 0 and lockout duration window is 0, WHAT DOES THIS MEAN !!!!!!!!!!!!!!!!!!!!!!!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648887
It means that your accounts will lock, and not unlock until an administrator intervenes.

The logging factors are separate values that must be configured elsewhere.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33649068
So if my duration is set to 0, then the duration is a moot point??
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33649274
Yes. As the TechNet article says, "The value of msDS-LockoutObservationWindow cannot be larger than the value of msDS-LockoutDuration."
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33649294
If you implement a PSO using ADSIEdit, how do you know if the users... can you be 100% sure the users are processing the PSO and not the Default Domain Policy???
0
 
LVL 7

Accepted Solution

by: grantsewell (earned 500 total points)
ID: 33649463
msDS-PasswordSettingsPrecedence is an attribute that sets specific precedence over policies - the lower the number, the higher the priority.

You can verify the PSO that is ultimately applied to the user by querying the msDS-ResultantPso user attribute.

Please, read the TechNet references thoroughly! This is all explained in there: http://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx
0
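The accepted answer points at msDS-ResultantPso as the way to see which PSO a user resolves to, and earlier in the thread the asker wanted a single report covering both the GPO-driven domain lockout settings and the PSO, plus an explanation of how the observation window relates to the lockout duration. The script below is an added example that is not code from the thread, from Microsoft or from the tools linked above. It reads the domain head (where the Default Domain Policy GPO writes lockoutThreshold, lockoutDuration and lockOutObservationWindow), reads the user's constructed msDS-ResultantPSO attribute, and prints both side by side, flagging whether the observation window respects the "cannot be larger than the lockout duration" rule quoted from TechNet. It uses only ADSI/.NET so it runs on Windows Server 2008 without the ActiveDirectory module. Assumed: the $UserName parameter is a sAMAccountName in the current domain (the default 'jdoe' is a constructed sample), the caller can read the user object and the Password Settings Container, and the Int64.MinValue sentinel for "Never" is an assumption about how some tools store that value; the 0 value is the one the thread discusses.

```powershell
# Added example (not code from the thread, Microsoft or the tools linked above).
# Reports the lockout settings a user actually receives: the domain-head values written by the
# Default Domain Policy GPO, plus the PSO that the user's constructed msDS-ResultantPSO
# attribute points at. Uses only ADSI/.NET so it runs on Windows Server 2008 without the
# ActiveDirectory module.
# Assumptions: $UserName is a sAMAccountName in the current domain and the caller can read
# the user object and CN=Password Settings Container,CN=System,<domain>.
param([string]$UserName = 'jdoe')   # constructed sample account name

function Convert-LockoutInterval {
    # AD stores these intervals as negative 100-ns ticks. 0 is the value the thread sets for
    # "locked until an administrator unlocks". Int64.MinValue is assumed here to be the
    # sentinel that some tools write for "Never"; anything else converts to a TimeSpan.
    param([long]$Value)
    if ($Value -eq 0 -or $Value -eq [long]::MinValue) { return 'Never (until admin unlocks)' }
    return ([TimeSpan]::FromTicks(-$Value)).ToString()
}

function Test-ObservationWindow {
    # TechNet rule quoted in the thread: the observation window may not exceed the lockout
    # duration. A duration of "never" is unbounded, so any window satisfies it. Because both
    # values are negative ticks, a longer window is a more negative number.
    param([long]$Duration, [long]$Window)
    if ($Duration -eq 0 -or $Duration -eq [long]::MinValue) { return $true }
    return ($Window -ge $Duration)
}

function Find-LdapObject {
    # DirectorySearcher returns LargeInteger-syntax attributes as Int64, which avoids the
    # IADsLargeInteger COM object that DirectoryEntry.Properties would hand back.
    param([string]$Path, [string]$Filter, [string[]]$Attributes,
          [System.DirectoryServices.SearchScope]$Scope = 'Base')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [adsi]$Path, $Filter, $Attributes, $Scope)
    return $searcher.FindOne()
}

$domainDn = [string]([adsi]'LDAP://RootDSE').defaultNamingContext
$rows = @()

# 1. Domain-wide values written by the Default Domain Policy GPO (the "GP" half of the report).
$domain = Find-LdapObject "LDAP://$domainDn" '(objectClass=*)' `
    @('lockoutThreshold', 'lockoutDuration', 'lockOutObservationWindow')
$dDur = [long]$domain.Properties['lockoutduration'][0]
$dWin = [long]$domain.Properties['lockoutobservationwindow'][0]
$rows += [pscustomobject]@{
    Source      = 'Default Domain Policy'
    Precedence  = ''
    Threshold   = [int]$domain.Properties['lockoutthreshold'][0]
    Duration    = Convert-LockoutInterval $dDur
    Window      = Convert-LockoutInterval $dWin
    WindowValid = Test-ObservationWindow $dDur $dWin
}

# 2. The PSO the user resolves to. msDS-ResultantPSO is a constructed attribute, so it is
#    only returned when requested by name.
$user = Find-LdapObject "LDAP://$domainDn" "(&(objectCategory=person)(sAMAccountName=$UserName))" `
    @('distinguishedName', 'msDS-ResultantPSO') 'Subtree'
if (-not $user) { throw "User '$UserName' not found in $domainDn" }

if ($user.Properties.Contains('msds-resultantpso')) {
    $psoDn = [string]$user.Properties['msds-resultantpso'][0]
    $pso = Find-LdapObject "LDAP://$psoDn" '(objectClass=*)' `
        @('msDS-PasswordSettingsPrecedence', 'msDS-LockoutThreshold',
          'msDS-LockoutDuration', 'msDS-LockoutObservationWindow')
    $pDur = [long]$pso.Properties['msds-lockoutduration'][0]
    $pWin = [long]$pso.Properties['msds-lockoutobservationwindow'][0]
    $rows += [pscustomobject]@{
        Source      = "PSO: $psoDn"
        Precedence  = [int]$pso.Properties['msds-passwordsettingsprecedence'][0]
        Threshold   = [int]$pso.Properties['msds-lockoutthreshold'][0]
        Duration    = Convert-LockoutInterval $pDur
        Window      = Convert-LockoutInterval $pWin
        WindowValid = Test-ObservationWindow $pDur $pWin
    }
    $effective = 'PSO (overrides the domain policy for this user)'
} else {
    $effective = 'Default Domain Policy (no PSO applies to this user)'
}

$rows | Format-Table -AutoSize
"Effective source for $UserName : $effective"
```

Run it as `.\Get-EffectiveLockout.ps1 -UserName someuser` (file name is your choice). A user with no PSO shows only the Default Domain Policy row; a user with a PSO shows both rows, and the PSO row is the one the domain controller enforces regardless of what the domain head says. The WindowValid column reproduces the TechNet constraint from the thread: with a duration of 0 ("never unlock") any observation window is acceptable, which is why the asker's duration-zero case makes the window question moot for unlocking but still controls how long the bad-password counter accumulates before it resets.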
 
LVL 20

Author Comment

by:compdigit44
ID: 33649569
I know about the msDS-ResultantPso user attribute, but I didn't know if there was a way to be 110% certain...

In other words, I'm worried that even if my msDS-ResultantPso user attribute field is showing that a PSO is being applied to a user, it may not actually be working.
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33649588
I have never heard of issues with the msDS-ResultantPso. I suggest testing after moving users between groups and verifying that it works properly. There's only so much you can do.

Good luck!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33651782
So did this information work out for you?
0
