Solved

Question Windows 2008 Fine Grain Password Policies

Posted on 2010-09-10
Medium Priority
1,872 Views
Last Modified: 2012-05-10
I'm creating a new fine grain password policy and have the following question.
I need to have my user accounts set to never unlock automatically, so I'm setting the
msDS-LockoutDuration value to: 00:00:00:00 / If I set the msDS-LockOutDuration Window to 00:00:00:00, does this mean that a user's failed login attempts would be logged over the course of months?

Isn't it recommended to set both the lockout duration and window to the same value, so in my case both should be zero?

Also, are there native graphical reports that I can run to show all policies, both GP applied and PSO, that a user is processing?
Question by:compdigit44
17 Comments
 
LVL 4

Expert Comment

by:ChandarS
ID: 33647817
Hi,

Please check the link below for a deeper explanation ...

http://technet.microsoft.com/en-us/library/cc754461(WS.10).aspx

Reg,
Chandar Singh
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33647921
Thanks...
I have this article. I guess what I'm asking is: what does setting the msDS-LockOutDuration Window to "0" really mean?
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33647971
Setting the LockOutDuration to 0 means that the account will be locked until an Administrator unlocks it. The lockout counter is solely based on invalid attempts. Once they are exceeded, the account will remain locked.

Use the Group Policy Management Console for a graphical report of applied policies for specific users and computers.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33648270
But the group policy MMC only shows GP settings and not the PSO, and I need a report that will show both!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648314
If you're going to do fine-grained password policies, there's only one additional configuration from a GPO. Maybe a GUI tool would be helpful, I prefer this one from Dmitry Sotnikov:

http://dmitrysotnikov.wordpress.com/2007/06/19/free-ui-console-for-fine-grained-password-policies/

Or this one has more PowerShell options, you might be able to generate a report that way:

http://blogs.chrisse.se/blogs/chrisse/archive/2007/07/14/fine-grain-password-policy-tool-beta-1-is-ready.aspx
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33648373
I'm still confused about the msDS-LockOutDuration Window: if this is set to zero, is it a cumulative count which will never be reset, correct? What happens when the account is unlocked? Is the lockout count reset then?
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648448
msDS-LockoutObservationWindow is the counter value, the time in which a user has to fail login.

So, if you have it set to 60 minutes, and your max number of failed attempts is set to 5, a user that fails 5 times within 60 minutes will be locked. If they login successfully within that time period, the counter is reset. The idea is to set a specific number of times you can fail login within a time period.

Because of your other settings in msDS-LockoutDuration, the account will remain locked after 60 minutes, despite the lockout counter being reset.
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648459
Maybe this can help as well:

The value of msDS-LockoutObservationWindow cannot be larger than the value of msDS-LockoutDuration. The msDS-LockoutObservationWindow determines how long the bad password counter is active. The msDS-LockoutDuration determines how long an account stays locked out for when the bad password count threshold is reached. It is not possible to keep the bad password counter active longer than the time that the account is locked out.

From TechNet: http://technet.microsoft.com/en-us/library/cc753858%28WS.10%29.aspx
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33648800
Still confused: so if my lockout duration is 0 and lockout duration window is 0, WHAT DOES THIS MEAN!!!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33648887
It means that your accounts will lock, and not unlock until an administrator intervenes.

The logging factors are separate values that must be configured elsewhere.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33649068
So if my duration is set to 0, then the duration is a moot point?
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33649274
Yes. As the TechNet article says, "The value of msDS-LockoutObservationWindow cannot be larger than the value of msDS-LockoutDuration."
0
 
LVL 20

Author Comment

by:compdigit44
ID: 33649294
If you implement a PSO using ADSIEDIT, how can you be 100% sure the users are processing the PSO and not the default domain policy?
0
 
LVL 7

Accepted Solution

by:grantsewell earned 2000 total points
ID: 33649463
msDS-PasswordSettingsPrecedence is an attribute that sets specific precedence over policies - the lower the number, the higher the priority.

You can verify the PSO that is ultimately applied to the user by querying the msDS-ResultantPso user attribute.

Please, read the TechNet references thoroughly! This is all explained in there: http://technet.microsoft.com/en-us/library/cc770394%28WS.10%29.aspx
0
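The accepted answer says to verify the applied PSO through msDS-ResultantPso, and the earlier comments explain that a lockout duration of 0 keeps the account locked until an administrator unlocks it. The script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT or a Server 2008 R2 machine, with a DC it can query) is available, and that a user named jdoe exists. It reports which policy actually governs a user, the PSO or the Default Domain Policy, together with the effective lockout threshold, observation window and duration, and whether the account is currently locked.

```powershell
# Added example (not from the thread): report the password/lockout policy that
# actually governs a user, whether that is a PSO or the Default Domain Policy.
# Assumes the ActiveDirectory module (RSAT / Server 2008 R2) can reach a DC.
Import-Module ActiveDirectory

function Get-EffectiveLockoutReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # badPwdCount is not replicated, so the count shown is the one on the DC answering.
    $user = Get-ADUser -Identity $SamAccountName `
        -Properties 'msDS-ResultantPSO', LockedOut, LockoutTime, badPwdCount

    # Prefer the resultant PSO; fall back to the domain policy when no PSO applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) {
        $source = "PSO '$($pso.Name)' (precedence $($pso.Precedence), lower wins)"
        $policy = $pso
    } else {
        $source = 'Default Domain Policy (no PSO applies to this user)'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    # Assumption: a zero LockoutDuration is the 00:00:00:00 setting discussed in
    # the thread, i.e. the account stays locked until an administrator unlocks it.
    $duration = if ($policy.LockoutDuration -eq [TimeSpan]::Zero) {
        'until an administrator unlocks the account'
    } else {
        $policy.LockoutDuration.ToString()
    }

    [pscustomobject]@{
        User               = $user.SamAccountName
        PolicySource       = $source
        ResultantPsoDn     = $user.'msDS-ResultantPSO'
        LockoutThreshold   = $policy.LockoutThreshold
        ObservationWindow  = $policy.LockoutObservationWindow
        LockoutDuration    = $duration
        BadPasswordCount   = $user.badPwdCount
        CurrentlyLockedOut = $user.LockedOut
    }
}

# Usage: run before and after moving the user between PSO-linked groups and
# compare PolicySource and ResultantPsoDn to confirm the PSO really took effect.
Get-EffectiveLockoutReport -SamAccountName 'jdoe' | Format-List
```

Run it once with the user outside the PSO's group and once inside; if PolicySource changes from the Default Domain Policy to the PSO and the lockout values follow, the PSO is being processed.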
 
LVL 20

Author Comment

by:compdigit44
ID: 33649569
I know about the msDS-ResultantPso user attribute, but I didn't know if there was a way to be 110% certain.

In other words, I'm worried that even if my msDS-ResultantPso user attribute field is showing that a PSO is being applied to a user, it may not actually be working.
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33649588
I have never heard of issues with the msDS-ResultantPso. I suggest testing after moving users between groups and verifying that it works properly. There's only so much you can do.

Good luck!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33651782
So did this information work out for you?
0