02 - Lab 04

The document discusses how to create and manage fine-grained password policies (PSOs) in Active Directory using Windows PowerShell cmdlets and the Active Directory Administrative Center. It provides instructions and examples for creating a new PSO, linking it to a user group, viewing, modifying and deleting PSOs.

Uploaded by amine.maaq5

Fine-grained password and lockout policies


Configuring PSOs by using Windows PowerShell
You can use the following cmdlets in the Active Directory module for Windows PowerShell to
create and manage PSOs in your domain:
• New-ADFineGrainedPasswordPolicy. This cmdlet creates a new PSO and defines its
parameters.

New-ADFineGrainedPasswordPolicy TestPswd -ComplexityEnabled:$true -LockoutDuration:"00:30:00" -LockoutObservationWindow:"00:30:00" -LockoutThreshold:"0" -MaxPasswordAge:"42.00:00:00" -MinPasswordAge:"1.00:00:00" -MinPasswordLength:"7" -PasswordHistoryCount:"24" -Precedence:"1" -ReversibleEncryptionEnabled:$false -ProtectedFromAccidentalDeletion:$true

(command has no output)

We can verify it was created by using:

Get-ADFineGrainedPasswordPolicy -Filter *

Now we link this PSO to the accounting global group by using the following cmdlet:

• Add-ADFineGrainedPasswordPolicySubject. This cmdlet enables you to link a user or group
to an existing PSO:

Add-ADFineGrainedPasswordPolicySubject TestPswd -Subjects accounting

(command has no output)

We can verify it was linked by using the same command; the attribute "AppliesTo" is now
populated:

Get-ADFineGrainedPasswordPolicy -Filter *
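
Added example (not part of the original lab): a script that goes one step beyond checking "AppliesTo" and confirms which PSO each member of the group actually receives, since the lowest Precedence value wins when several PSOs apply. It assumes the ActiveDirectory module is installed and reuses this lab's names (TestPswd, accounting); the report column names are made up for the example.

```powershell
# Added example: audit PSOs and confirm the effective policy for each group member.
# Assumes the ActiveDirectory module and this lab's object names.
Import-Module ActiveDirectory

$groupName   = 'accounting'   # group linked to the PSO in this lab
$expectedPso = 'TestPswd'     # PSO created in this lab

# 1. Every PSO, lowest Precedence value first (that one wins on conflict).
#    NoLockout flags LockoutThreshold 0, which means accounts never lock out.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold,
        @{ Name = 'NoLockout';  Expression = { $_.LockoutThreshold -eq 0 } },
        @{ Name = 'Reversible'; Expression = { $_.ReversibleEncryptionEnabled } },
        @{ Name = 'AppliesTo';  Expression = { $_.AppliesTo -join '; ' } } |
    Format-Table -AutoSize -Wrap

# 2. Users and groups linked directly to the expected PSO.
Get-ADFineGrainedPasswordPolicySubject -Identity $expectedPso |
    Format-Table Name, ObjectClass, DistinguishedName -AutoSize

# 3. Effective (resultant) policy per user. The cmdlet returns nothing when
#    no PSO applies, in which case the default domain policy is in force.
$members = Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($user in $members) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $user.SamAccountName
    [pscustomobject]@{
        User         = $user.SamAccountName
        EffectivePso = if ($effective) { $effective.Name } else { '(default domain policy)' }
        Precedence   = if ($effective) { $effective.Precedence } else { $null }
        AsExpected   = [bool]($effective -and $effective.Name -eq $expectedPso)
    }
}
$report | Format-Table -AutoSize

# 4. Summarize members whose effective policy is not the expected PSO, for
#    example because another PSO with a lower Precedence value also applies.
$mismatch = @($report | Where-Object { -not $_.AsExpected })
if ($mismatch.Count -gt 0) {
    Write-Warning ("{0} member(s) of '{1}' do not receive '{2}': {3}" -f
        $mismatch.Count, $groupName, $expectedPso, ($mismatch.User -join ', '))
}
```

For the TestPswd policy created above, the NoLockout column shows True because the lab sets LockoutThreshold to 0.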

To delete a PSO using PowerShell, you can use:

Remove-ADFineGrainedPasswordPolicy -Identity TestPswd

If you get a permission error (Access Denied), you have to remove the protection against
accidental deletion by using:

Get-ADObject -Filter {Name -eq "TestPswd"} | Set-ADObject -ProtectedFromAccidentalDeletion $false

Then you can retry the Remove-ADFineGrainedPasswordPolicy command.


Configuring PSOs by using Active Directory Administrative Center
To manage PSOs in the Active Directory Administrative Center, follow this procedure:

1. Open Active Directory Administrative Center.


2. Click Manage, click Add Navigation Nodes, in the Add Navigation Node dialog box,
select the appropriate target domain, and then click OK.
3. In the Active Directory Administrative Center navigation pane, open the System
container, and then click Password Settings Container.
4. In the Tasks pane, click New, and then click Password Settings.
5. Configure the settings for the new PSO.
6. Under Directly Applies To, click Add, type accounting, and then click OK.
This associates the Password Policy object with the members of the global group that
you created for the test environment.
7. Click OK to submit the creation of the PSO.

Note: The Active Directory Administrative Center interface for PSO management uses
the Windows PowerShell cmdlets mentioned previously to carry out the creation and
management of PSOs.

Steps:

In Server Manager, click on "AD DS", right-click on "DC01", then click on "Active Directory
Administrative Center".

Click on "PROIT (local)", then "System" and "Password Settings Container".

Now, in the right pane, under Tasks, click on "New", then "Password Settings".

Configure the settings as you wish.

Then assign/link the PSO to the accounting group: in the "Directly Applies To" group of
controls, click on "Add", enter "accounting" in the search field, click "Check Names", and
finally click on "OK".
The accounting group will be listed.

Once done, click on OK to submit the creation of the PSO.

To modify the PSO, double-click on its name, or right-click on the PSO and then select
"Properties". We will disable the "accidental deletion" protection:
Clear this box, then click on "OK".

Now you can delete the PSO, either by:

• right-clicking the target PSO and then selecting "Delete", or
• selecting the PSO and clicking on "Delete" in the Tasks list on the right side of the console.

Confirm the deletion.
Done.

Configuring a fine-grained password policy


In Active Directory Administrative Center, configure a fine-grained password policy for the
Managers group with the following settings:
• Name: ManagersPSO
• Precedence: 10
• Password length: 15 characters
• Password history: 20 passwords
• Complexity enabled: Yes
• Minimum password age: 1 day
• Maximum password age: 30 days
• Number of failed logon attempts allowed: 3 attempts
• Reset failed logon attempts count after: 30 minutes
• Select Until an administrator manually unlocks the account
