Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2010-09-27) Password Policies And Account Lockout Policies Within An AD Domain (Part 1)

Posted by Jorge on 2010-09-27


Within an AD domain, using any version of Windows available right now, it is possible to define a password and account lockout policy at domain level. If you are using W2K8 DCs at domain functional level (DFL) "Windows Server 2008" or higher, you can also implement multiple password and lockout policies through Password Settings Objects (PSOs).

For more detailed information about this a reference is made to the following links:

The default domain GPO and the PSO offer the same functionality, although both are implemented in different ways. Contrary to what you might expect, this post will not focus on PSOs. It will rather focus on how the default domain GPO implements password and account lockout policies.

The table below lists the settings that are available for password and account lockout policies, including the corresponding attributes on the domain naming context.

GPO Setting                                 | Sample Data                | Attribute On Domain NC   | Sample Data
--------------------------------------------+----------------------------+--------------------------+-------------------
Password Policy                             |                            |                          |
Enforce password history                    | 23 passwords remembered    | pwdHistoryLength         | 23
Maximum password age                        | 87 days                    | maxPwdAge                | 87:00:00:00
Minimum password age                        | 37 days                    | minPwdAge                | 37:00:00:00
Minimum password length                     | 13 characters              | minPwdLength             | 13
Password must meet complexity requirements  | Enabled                    | pwdProperties            | 0x1 (HEX, DEC=1)
Store passwords using reversible encryption | Enabled                    | pwdProperties            | 0x10 (HEX, DEC=16)
Account Lockout Policy                      |                            |                          |
Account lockout duration                    | 10 minutes                 | lockoutDuration          | 0:00:10:00
Account lockout threshold                   | 15 invalid logon attempts  | lockoutThreshold         | 15
Reset account lockout counter after         | 10 minutes                 | lockOutObservationWindow | 0:00:10:00

REMARK: These values *are NOT* best practices. These values just serve as sample data!!!


Every GPO, and therefore every GPO setting in it, is processed by every computer or user that falls within the scope of management of that GPO. There is one exception though: the Password Policy settings and the Account Lockout Policy settings are processed only by the DC holding the PDC FSMO role in the AD domain. Other DCs do not process these settings!

Only the PDC FSMO reads these settings (Password Policy settings and Account Lockout Policy settings) and writes the values to the corresponding attributes on the domain NC. These changes then replicate to the other DCs through regular AD replication. Every DC then uses the values of those attributes in its local database instance (NTDS.DIT) and enforces them when a password is set on a user account.

If the other DCs in the AD domain were to process these settings too and write the values to the corresponding attributes on the domain NC, you would get a lot of unnecessary AD replication.

So, summarizing: all Password Policy settings and Account Lockout Policy settings that are defined in a GPO linked to the domain object are written to the corresponding attributes on the domain NC. The mapping between the GPO settings and the attributes can be found in the table above.
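One way to see this for yourself, as an added example that is not code from the original post: the script below reads the attributes from the table above straight from the domain NC on every DC and compares each copy with the one held by the PDC emulator. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain object; the Convert-AdInterval helper is my own.

```powershell
# Added example, not from the original post. Reads the password and lockout
# attributes from the domain NC as seen by each DC and compares them with the
# PDC emulator's copy. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$attrs  = 'pwdHistoryLength','maxPwdAge','minPwdAge','minPwdLength','pwdProperties',
          'lockoutDuration','lockoutThreshold','lockOutObservationWindow'

# Age/duration attributes are stored as negative 100-nanosecond intervals;
# [long]::MinValue means "never" (e.g. passwords never expire).
function Convert-AdInterval([long]$Ticks) {
    if ($Ticks -eq 0)                { return '0' }
    if ($Ticks -eq [long]::MinValue) { return 'Never' }
    return [TimeSpan]::FromTicks([math]::Abs($Ticks)).ToString()
}

$rows = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $o = Get-ADObject -Identity $domain.DistinguishedName -Server $dc.HostName `
                          -Properties $attrs -ErrorAction Stop
    } catch { Write-Warning "Could not query $($dc.HostName): $_"; continue }
    [pscustomobject]@{
        DC                = $dc.HostName
        IsPDC             = ($dc.HostName -eq $pdc)
        HistoryLength     = $o.pwdHistoryLength
        MaxPwdAge         = Convert-AdInterval $o.maxPwdAge
        MinPwdAge         = Convert-AdInterval $o.minPwdAge
        MinPwdLength      = $o.minPwdLength
        Complexity        = [bool]($o.pwdProperties -band 0x1)   # DOMAIN_PASSWORD_COMPLEX
        ReversibleEncrypt = [bool]($o.pwdProperties -band 0x10)  # DOMAIN_PASSWORD_STORE_CLEARTEXT
        LockoutDuration   = Convert-AdInterval $o.lockoutDuration
        LockoutThreshold  = $o.lockoutThreshold
        ObservationWindow = Convert-AdInterval $o.lockOutObservationWindow
    }
}
$rows | Format-Table -AutoSize

# Every DC should hold exactly what the PDC emulator wrote. A mismatch means
# replication has not converged yet, or something else wrote to that DC's copy.
$ref   = $rows | Where-Object IsPDC
$props = $rows[0].PSObject.Properties.Name | Where-Object { $_ -notin 'DC','IsPDC' }
$drift = $rows | Where-Object { -not $_.IsPDC } | Where-Object {
    $r = $_; @($props | Where-Object { "$($r.$_)" -ne "$($ref.$_)" }).Count -gt 0
}
if ($drift) { Write-Warning "Policy values differ from $pdc on: $($drift.DC -join ', ')" }
else        { "All $(@($rows).Count) DCs report the same policy values as $pdc" }
```

Run it again a replication interval after changing the domain-linked GPO: the PDC emulator's row should change first and the other rows should follow.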

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
Jorge's Quest For Knowledge - http://JorgeQuestForKnowledge.wordpress.com/
———————————————————————————————

2 Responses to “(2010-09-27) Password Policies And Account Lockout Policies Within An AD Domain (Part 1)”

  1. […] the previous post (part 1) I discussed how the Default Domain Policy is processed by the RWDC with the PDC FSMO role. In this […]

  2. […] settings still use the “Default Domain Policy” GPO. The reason for that is described in “(2010-09-27) Password Policies And Account Lockout Policies Within An AD Domain (Part 1)” and in “(2010-09-27) Password Policies And Account Lockout Policies Within An AD Domain (Part […]
