Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2010-09-27) Password Policies And Account Lockout Policies Within An AD Domain (Part 2)

Posted by Jorge on 2010-09-27


In the previous post (part 1) I discussed how the Default Domain Policy is processed by the RWDC with the PDC FSMO role. In this post I’ll discuss some oddities that may be unknown, which depends on your experience/findings.

The following is also interesting to note. When configuring the GPO setting "Enforce password history" through a GPO editor such as the GPMC, the maximum configurable value is "24 passwords remembered". The same applies to "Minimum password length", which has a maximum configurable value of "14 characters". However, nothing stops you from configuring any desired value (higher than the configurable one) in the corresponding attributes on the domain NC directly. Let’s try this and see what happens!

First, let’s determine the current state…

In the Default Domain Policy GPO:

image

In the GPMC Settings Report for the Default Domain Policy GPO:

image

On the domain NC:

image

You can already see that I changed the value for "Enforce password history" to 33. Now in addition let’s change the following value by editing the attribute directly on the domain NC:

  • Minimum password length: 25

Of course you can use the attribute editor in ADUC (W2K8 and higher, with advanced features enabled), but you can also use PSOMGR from joeware.net.

The command line to do that is: PSOMGR /MOD /DOMPOL /PWDLEN 25 /FORREAL

image

The tool just updated the "Min Pwd Length" value from 13 to 25.

Now let’s have a look at GPMC Settings Report for the Default Domain Policy GPO:

image

The "Minimum password length" is now 25 characters.

Now let’s have a look at the Default Domain Policy GPO:

image

The "Minimum password length" is now 25 characters.

Let’s double-click on "Enforce password history"

image

Although it has been configured with a value of 33, the GUI just shows 24, which is the maximum configurable value through the GUI.

Let’s double-click on "Minimum password length"

image

Although it has been configured with a value of 25, the GUI just shows 14, which is the maximum configurable value through the GUI.

As you can see, it is easy to configure a higher value if you need to have one.

BUT WAIT!!!

What happened here? Let’s go back… Both the attributes "pwdHistoryLength" and "minPwdLength" were edited directly on the domain NC (OK, through a command line tool), but for sure not using the GPMC GUI. The values were definitely not configured by me in the Default Domain Policy GPO! Remember me telling you that only the RWDC with the PDC FSMO role processes the password and account lockout settings and writes those to the domain NC? Well, the same process on the RWDC with the PDC FSMO role also checks for direct changes on the domain NC with regard to the password and account lockout settings and writes those changes back into the Default Domain Policy GPO. Even if multiple GPOs are linked to the domain object, the info is still written back to the Default Domain Policy GPO!
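To make the two observations above checkable from a console (writing minPwdLength directly on the domain NC, as done with PSOMGR earlier, and verifying that the PDC FSMO role holder has written the change back into the Default Domain Policy GPO), here is an added PowerShell example. It is not code from the original post or from joeware; it assumes the ActiveDirectory RSAT module on a domain-joined host with read access to SYSVOL, and the function and variable names are my own. The GPO GUID is the well-known GUID of the Default Domain Policy.

```powershell
# Added example (not from the original post): compare the password/lockout attributes
# on the domain NC with the values stored in the Default Domain Policy GPO template,
# and optionally write minPwdLength directly on the domain NC (like PSOMGR /PWDLEN).
# Assumption: ActiveDirectory module available, host is domain-joined, SYSVOL readable.
Import-Module ActiveDirectory

# Well-known GUID of the Default Domain Policy GPO
$DefaultDomainPolicyGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'

function Get-DomainNcPasswordSettings {
    # Read the attributes directly from the domain NC head object
    $domain = Get-ADDomain
    $nc = Get-ADObject -Identity $domain.DistinguishedName `
        -Properties minPwdLength, pwdHistoryLength, lockoutThreshold, maxPwdAge
    # maxPwdAge is a negative count of 100-ns intervals; [long]::MinValue means "never expires",
    # which GptTmpl.inf expresses as -1
    $maxAgeDays = if ([long]$nc.maxPwdAge -eq [long]::MinValue) { -1 }
                  else { [int](-[long]$nc.maxPwdAge / 864000000000) }
    [pscustomobject]@{
        MinimumPasswordLength = [int]$nc.minPwdLength
        PasswordHistorySize   = [int]$nc.pwdHistoryLength
        LockoutBadCount       = [int]$nc.lockoutThreshold
        MaximumPasswordAge    = $maxAgeDays
    }
}

function Get-DefaultDomainPolicyPasswordSettings {
    # Parse the [System Access] section of the GPO's GptTmpl.inf in SYSVOL
    $domain = Get-ADDomain
    $path = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$DefaultDomainPolicyGuid" +
            "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    $settings = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $path) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
            $settings[$Matches[1]] = [int]$Matches[2]
        }
    }
    [pscustomobject]@{
        MinimumPasswordLength = $settings['MinimumPasswordLength']
        PasswordHistorySize   = $settings['PasswordHistorySize']
        LockoutBadCount       = $settings['LockoutBadCount']
        MaximumPasswordAge    = $settings['MaximumPasswordAge']
    }
}

function Compare-DomainPasswordPolicy {
    # One row per setting; InSync = $false right after a direct NC edit is expected
    # until the PDC FSMO role holder has written the value back into the GPO
    $nc  = Get-DomainNcPasswordSettings
    $gpo = Get-DefaultDomainPolicyPasswordSettings
    foreach ($name in 'MinimumPasswordLength', 'PasswordHistorySize', 'LockoutBadCount', 'MaximumPasswordAge') {
        [pscustomobject]@{
            Setting  = $name
            DomainNC = $nc.$name
            GPO      = $gpo.$name
            InSync   = ($nc.$name -eq $gpo.$name)
        }
    }
}

function Set-DomainMinPwdLength {
    # Equivalent of "PSOMGR /MOD /DOMPOL /PWDLEN <n> /FORREAL": write the attribute on the domain NC
    # and return the value read back. Values above 14 are accepted here even though the GUI caps at 14.
    param([Parameter(Mandatory)][int]$Length)
    $dn = (Get-ADDomain).DistinguishedName
    Set-ADObject -Identity $dn -Replace @{ minPwdLength = $Length }
    (Get-ADObject -Identity $dn -Properties minPwdLength).minPwdLength
}

# Usage: show the current state; run Set-DomainMinPwdLength 25 first to reproduce the post
Compare-DomainPasswordPolicy | Format-Table -AutoSize
```

Run Compare-DomainPasswordPolicy once before and once a little while after a direct edit: the first run shows the NC value ahead of the GPO, the second shows both in sync once the PDC FSMO role holder has written the change back. A mismatch that never clears points at something other than the normal write-back, which is worth investigating.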

Now think about the following: "how useful is it to have another (custom) GPO linked to the domain object with password and account lockout settings?"

My personal answer to that question is: "Not useful, because the password and account lockout settings in time will end up in the default domain policy. So you might as well define the password and account lockout settings right away in the default domain policy GPO".

Additional Reading/Information:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

3 Responses to “(2010-09-27) Password Policies And Account Lockout Policies Within An AD Domain (Part 2)”

  1. I can just say, I love it.
    I love this great blog and this great MVP man.

    thanks again
    regards

  2. […] For the password policy and account lockout policy settings still use the “Default Domain Policy” GPO. The reason for that is described in “(2010-09-27) Password Policies And Account Lockout Policies Within An AD Domain (Part 1)” and in “(2010-09-27) Password Policies And Account Lockout Policies Within An AD Domain (Part 2)” […]

  3. Paul Bergson said

    Jorge is brilliant and I look to his blog when I have a problem I can’t seem to determine.
