One of the major new features in the upcoming Windows Server 2008 (aka Longhorn) is fine-grained (granular) password policies. The feature lets you have multiple password and account-lockout policies within a single AD domain, instead of the one policy per domain that the Default Domain Policy used to enforce, so you can fine-tune security for different groups of users. Each policy is a Password Settings Object (PSO) that can be applied to user accounts and global security groups (not to OUs), and the domain must be at the Windows Server 2008 functional level for the settings to take effect.
You can find pretty good write-ups about the feature and using ADSIedit to manage it at 4sysops and Ulf’s blog. However, as Richard pointed out recently, using PowerShell to manage them is so much easier than ADSIEdit, so here’s a transcript of me experimenting with the policies in my Longhorn (Beta 3) lab (using AD cmdlets 1.0.3):
PS C:\> # Get the list of all password policies in the domain
PS C:\> Get-QADPasswordSettingsObject
Name Type DN
---- ---- --
new pso msDS-PasswordSe... CN=new pso,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
PSO2 msDS-PasswordSe... CN=PSO2,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
PS C:\> # Let's see all settings of a particular policy
PS C:\> Get-QADPasswordSettingsObject pso | Format-List
AppliesTo : {CN=Haruki.Murakami,OU=Demo,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}
CanonicalName : cow.spb.qsft/System/Password Settings Container/PSO2
CreationDate : 5/16/2007 4:50:29 PM
Description :
DisplayName :
DN : CN=PSO2,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
Guid : 59632928-e3ff-4ced-afbf-c99ba2b60a8d
LockoutDuration : -00:30:00
LockoutThreshold : 0
MaximumPasswordAge : -20.00:00:00
MinimumPasswordAge : -1.00:00:00
MinimumPasswordLength : 8
ModificationDate : 6/18/2007 11:03:13 AM
Name : PSO2
PasswordComplexityEnabled : True
PasswordHistoryLength : 24
Precedence : 10
ResetLockoutCounterAfter : -00:30:00
ReversibleEncryptionEnabled : False
Type : msDS-PasswordSettings
PS C:\> # Create a new policy, set a few attributes and leave the rest default
PS C:\> New-QADPasswordSettingsObject -Name BeatlesPolicy -Precedence 5 -PasswordHistoryLength 10 -PasswordComplexityEnabled $true
Name Type DN
---- ---- --
BeatlesPolicy msDS-PasswordSe... CN=BeatlesPolicy,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
PS C:\> # See the properties of the new policy (note what "default" gave us: MinimumPasswordLength 0, MaximumPasswordAge 42 days, LockoutThreshold 5 - set the ones you care about explicitly rather than relying on these)
PS C:\> Get-QADPasswordSettingsObject BeatlesPolicy | Format-List
AppliesTo :
CanonicalName : cow.spb.qsft/System/Password Settings Container/BeatlesPolicy
CreationDate : 6/18/2007 11:41:17 AM
Description :
DisplayName :
DN : CN=BeatlesPolicy,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
Guid : c76a72fd-6612-4647-b279-b42cf648e4eb
LockoutDuration : -00:30:00
LockoutThreshold : 5
MaximumPasswordAge : -42.00:00:00
MinimumPasswordAge : -30.00:00:00
MinimumPasswordLength : 0
ModificationDate : 6/18/2007 11:41:17 AM
Name : BeatlesPolicy
PasswordComplexityEnabled : True
PasswordHistoryLength : 10
Precedence : 5
ResetLockoutCounterAfter : -00:30:00
ReversibleEncryptionEnabled : False
Type : msDS-PasswordSettings
PS C:\> # Link the policy to the COW\Beatles group
PS C:\> Add-QADPasswordSettingsObjectAppliesTo BeatlesPolicy -AppliesTo COW\Beatles
Name Type DN
---- ---- --
BeatlesPolicy msDS-PasswordSe... CN=BeatlesPolicy,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
PS C:\> # See where all the policies are linked now
PS C:\> Get-QADPasswordSettingsObject | Format-List Name, AppliesTo
Name : new pso
AppliesTo : {CN=Kelly Smith,CN=Users,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}
Name : PSO2
AppliesTo : {CN=Haruki.Murakami,OU=Demo,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}
Name : BeatlesPolicy
AppliesTo : {CN=Beatles,CN=Users,DC=cow,DC=spb,DC=qsft}
PS C:\> # Check resultant policy for user jlennon (note that the Beatles policy got applied via group membership)
PS C:\> Get-QADUser jlennon -IncludedProperties Msds-ResultantPSo | Format-Table Name, Msds-ResultantPSo
Name msDS-ResultantPSO
---- -----------------
John Lennon CN=BeatlesPolicy,CN=Password Settings Container,CN=Syste...
PS C:\> # Check the resultant policy and note that the one linked directly won
PS C:\> Get-QADUser jlennon -IncludedProperties Msds-ResultantPSo | Format-Table Name, Msds-ResultantPSo
Name msDS-ResultantPSO
---- -----------------
John Lennon CN=BeatlesPolicy,CN=Password Settings Container,CN=Syste...
PS C:\> # Check where the policy is applied
PS C:\> Get-QADPasswordSettingsObject PSO2 | Format-List Name, AppliesTo
Name : PSO2
AppliesTo : {CN=Haruki.Murakami,OU=Demo,DC=cow,DC=spb,DC=qsft, CN=Event Log Readers,CN=Builtin,DC=cow,DC=spb,DC=qsft}
PS C:\> # Unlink the policy
PS C:\> Remove-QADPasswordSettingsObjectAppliesTo PSO2 -AppliesTo COW\jlennon
Name Type DN
---- ---- --
PSO2 msDS-PasswordSe... CN=PSO2,CN=Password Settings Container,CN=System,DC=cow,DC=spb,DC=qsft
PS C:\> # Resultant policy changed back to the group one
PS C:\> Get-QADUser jlennon -IncludedProperties Msds-ResultantPSo | Format-Table Name, Msds-ResultantPSo
Name msDS-ResultantPSO
---- -----------------
John Lennon CN=BeatlesPolicy,CN=Password Settings Container,CN=Syste...
PS C:\> # Remove the policy from the directory
PS C:\> Remove-QADObject BeatlesPolicy
Warning!
Are you sure you want to delete this object: CN=BeatlesPolicy,CN=Password Settings
Container,CN=System,DC=cow,DC=spb,DC=qsft?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y
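The transcript shows the three outcomes of PSO resolution (group link, direct link, unlink) but not the rules behind them. The following is an added example, not code from the original post or from the AD cmdlets: a stand-alone PowerShell model of how a DC computes msDS-ResultantPSO, plus a weak-settings check that flags the kind of defaults the BeatlesPolicy above picked up (MinimumPasswordLength 0). The PSO objects are constructed from the values shown in the transcript; the John Lennon DN and group memberships are assumed for the demo, and the property shapes used in the live-domain comment at the end are assumptions too.

```powershell
# Added example (not from the original post): model of the msDS-ResultantPSO
# rules plus a weak-settings check, run over objects built from the transcript.
#
# Resolution rules for fine-grained password policy:
#   1. PSOs linked directly to the user beat PSOs linked to the user's groups.
#   2. Among the candidates at the winning level, the lowest Precedence wins.
#   3. On a Precedence tie, the PSO with the smallest GUID wins.
#   4. If no PSO applies, the Default Domain Policy applies (returned as $null).

function Resolve-ResultantPso {
    param(
        [Parameter(Mandatory=$true)] [string]   $UserDN,
        [Parameter(Mandatory=$true)] [string[]] $UserGroupDNs,  # every group the user is in, nested included
        [Parameter(Mandatory=$true)] [object[]] $Psos           # objects with Name, Guid, Precedence, AppliesTo
    )
    # DN comparison in AD is case-insensitive, as is -contains on strings.
    $direct   = @($Psos | Where-Object { $_.AppliesTo -contains $UserDN })
    $viaGroup = @($Psos | Where-Object {
        $pso = $_
        @($UserGroupDNs | Where-Object { $pso.AppliesTo -contains $_ }).Count -gt 0
    })
    if ($direct.Count -gt 0)       { $candidates = $direct }
    elseif ($viaGroup.Count -gt 0) { $candidates = $viaGroup }
    else                           { return $null }   # Default Domain Policy applies
    # Lowest Precedence first, smallest GUID as the tie-breaker.
    $candidates | Sort-Object Precedence, { [guid]$_.Guid } | Select-Object -First 1
}

function Test-PsoWeakness {
    param([Parameter(Mandatory=$true)] [object] $Pso, [int] $MinLength = 8, [int] $MinHistory = 24)
    $findings = @()
    if ($Pso.MinimumPasswordLength -lt $MinLength)  { $findings += "MinimumPasswordLength is $($Pso.MinimumPasswordLength), want >= $MinLength" }
    if ($Pso.LockoutThreshold -eq 0)                { $findings += "LockoutThreshold is 0, so accounts never lock out" }
    if (-not $Pso.PasswordComplexityEnabled)        { $findings += "password complexity disabled" }
    if ($Pso.PasswordHistoryLength -lt $MinHistory) { $findings += "PasswordHistoryLength is $($Pso.PasswordHistoryLength), want >= $MinHistory" }
    if ($Pso.ReversibleEncryptionEnabled)           { $findings += "reversible encryption enabled (cleartext-equivalent storage)" }
    [pscustomobject]@{ Name = $Pso.Name; Precedence = $Pso.Precedence; Findings = $findings }
}

# --- Constructed sample data, values taken from the transcript above ---
$base = 'DC=cow,DC=spb,DC=qsft'
$psoContainer = "CN=Password Settings Container,CN=System,$base"
$psos = @(
    [pscustomobject]@{ Name = 'PSO2'; DN = "CN=PSO2,$psoContainer"
        Guid = '59632928-e3ff-4ced-afbf-c99ba2b60a8d'; Precedence = 10
        MinimumPasswordLength = 8; LockoutThreshold = 0; PasswordComplexityEnabled = $true
        PasswordHistoryLength = 24; ReversibleEncryptionEnabled = $false
        AppliesTo = @("CN=Haruki.Murakami,OU=Demo,$base", "CN=Event Log Readers,CN=Builtin,$base") }
    [pscustomobject]@{ Name = 'BeatlesPolicy'; DN = "CN=BeatlesPolicy,$psoContainer"
        Guid = 'c76a72fd-6612-4647-b279-b42cf648e4eb'; Precedence = 5
        MinimumPasswordLength = 0; LockoutThreshold = 5; PasswordComplexityEnabled = $true
        PasswordHistoryLength = 10; ReversibleEncryptionEnabled = $false
        AppliesTo = @("CN=Beatles,CN=Users,$base") }
)
$jlennon       = "CN=John Lennon,CN=Users,$base"                                   # assumed DN for COW\jlennon
$jlennonGroups = @("CN=Beatles,CN=Users,$base", "CN=Domain Users,CN=Users,$base")  # assumed membership

"Via group:       " + (Resolve-ResultantPso $jlennon $jlennonGroups $psos).Name
$psos[0].AppliesTo += $jlennon   # models Add-QADPasswordSettingsObjectAppliesTo PSO2 -AppliesTo COW\jlennon
"Linked directly: " + (Resolve-ResultantPso $jlennon $jlennonGroups $psos).Name   # rule 1 beats Precedence 10 > 5
$psos[0].AppliesTo = @($psos[0].AppliesTo | Where-Object { $_ -ne $jlennon })    # models Remove-...AppliesTo
"After unlink:    " + (Resolve-ResultantPso $jlennon $jlennonGroups $psos).Name

$psos | ForEach-Object { Test-PsoWeakness $_ } | Format-List Name, Precedence, Findings

# Against a live domain the same functions take the real objects (assumed property shapes):
#   $psos = Get-QADPasswordSettingsObject            # AppliesTo holds DNs, as in the transcript
#   $u    = Get-QADUser jlennon -IncludedProperties msDS-ResultantPSO
#   Resolve-ResultantPso $u.DN $u.MemberOf $psos     # MemberOf is direct groups only; expand nesting first
# and compare the result with $u.'msDS-ResultantPSO' to confirm the DC agrees with your linkage.
```

Run as-is, the three resolution lines print BeatlesPolicy, PSO2 and BeatlesPolicy, mirroring the transcript: a direct link wins even though PSO2's Precedence (10) is worse than BeatlesPolicy's (5), and removing it hands the user back to the group-linked policy. The weakness report flags PSO2 for LockoutThreshold 0 and BeatlesPolicy for MinimumPasswordLength 0 and a 10-entry history, which is the practical caveat of creating a PSO with "the rest default": a PSO with a low Precedence that is linked to a group silently overrides the domain policy for every member, so audit what the defaults actually are before linking.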
Windows Server 2008 and PowerShell – are better together! 😉
Here’s the fine-grained-passwords-demo.txt file with the commands in case you want to have fun with them yourself (just change the domain name, etc. to match your lab)