Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2011-12-02) The Long Awaited GUI For Password Settings Objects Is Here!

Posted by Jorge on 2011-12-02


Since Windows Server 2008 it is possible to have multiple Password and Account Lockout Policies within a single AD domain. This cool feature is explained in the post “(2007-08-09) Windows Server 2008 – Fine-Grained Password Policies”. Although the feature is available, there is no nice GUI provided by the OS to manage Password Settings Objects (PSOs). The only GUI available would be ADSIEDIT, if you call that a GUI. Personally I call that an LDAP editor. The post “(2007-08-09) Windows Server 2008 – Fine-Grained Password Policies” also mentions free third-party tools to manage PSOs using a GUI or from the command line. Because you can have multiple PSOs configured, and at the same time it is also possible for multiple PSOs to target a single AD user account, it is important to be able to quickly determine which PSO will be in effect for that AD user account. Again, there was no function available through the default GUI to determine the effective or resultant PSO. In this case you could either use the Attribute Editor or ADSIEDIT as your GUI. In the post “(2007-09-11) Determining The Effective PSO For A User” I explain how you could add a function to Active Directory Users And Computers (ADUC) to determine the resultant PSO and view its settings at the same time.

Now, as you may know, Microsoft is working hard on Windows 8, the next client and server operating system. Believe it or not, but the RSAT tools in this OS bring you a GUI to manage PSOs easily and also a function to determine the resultant PSO of an AD user account. In addition to that you also get PowerShell CMDlets (already introduced in W2K8R2) to manage PSOs through the command line. Isn’t that cool!?

To see which PowerShell CMDlets are available, open a PowerShell prompt window and execute the following command (without the quotes): “Get-Command *AD*PasswordPolicy* | Select Name”, as you can see below.


Figure 1: PowerShell CMDlets Available To Manage PSOs (Already Introduced In W2K8R2)

The PowerShell CMDlets to manage PSOs are the ones listed in figure 1.

The unfortunate part is that the GUI to manage PSOs is only exposed through Active Directory Administrative Center (ADAC) and not through Active Directory Users And Computers (ADUC). If you are already using ADAC then you are good to go, but if you are still using ADUC you are not that fortunate and additional stuff and configurations are needed. It is not possible to create a PSO through ADUC. For that you need to either use ADAC or some other tool. To manage other aspects of PSOs (delete and modify) you can either use ADUC or the attribute editor within ADUC. To determine the effective PSO for an AD user account within ADUC, you either need to use the attribute editor or adjust the administration context menu for user objects as shown in the post “(2007-09-11) Determining The Effective PSO For A User”. Instead of using the PSOMGR tool from JOEWARE.NET, you could now use a PowerShell script that calls the “Get-ADUserResultantPasswordPolicy” CMDlet to determine the resultant PSO.
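The following is an added example (not code from the original post) that walks through the PSO lifecycle with the CMDlets shown in figure 1: creating a PSO, targeting it at a group, and resolving the resultant PSO for a user the way the ADAC action does. It assumes the ActiveDirectory module (W2K8R2 RSAT or later) against a TEST domain; the PSO name “PSO-Test-Admins”, the group “TestAdmins” and the user “testuser1” are placeholders, and the policy values are constructed for the example and are not best-practice settings.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and a TEST domain; "PSO-Test-Admins", "TestAdmins" and "testuser1"
# are assumed placeholder names. The policy values are constructed for the example.
Import-Module ActiveDirectory

# 1. Discover the cmdlets (the command shown in figure 1).
Get-Command *AD*PasswordPolicy* | Select-Object Name

# 2. Create a PSO. Precedence decides the winner when several PSOs target the
#    same user (lower value wins), so give every PSO a unique value.
New-ADFineGrainedPasswordPolicy -Name "PSO-Test-Admins" -Precedence 10 `
    -DisplayName "PSO-Test-Admins" -Description "Test PSO (assumed values)" `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge ([TimeSpan]"1.00:00:00") -MaxPasswordAge ([TimeSpan]"60.00:00:00") `
    -LockoutThreshold 10 -LockoutDuration ([TimeSpan]"00:30:00") `
    -LockoutObservationWindow ([TimeSpan]"00:30:00")

# 3. Target the PSO at a global security group (PSOs apply to users and
#    global groups, never to OUs) and verify the subjects afterwards.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Test-Admins" -Subjects "TestAdmins"
Get-ADFineGrainedPasswordPolicySubject -Identity "PSO-Test-Admins" |
    Select-Object Name, ObjectClass

# 4. Resolve the effective (resultant) PSO for a user. This is what the
#    "View resultant password settings..." action in ADAC shows.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory = $true)][string]$Identity)

    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($null -eq $pso) {
        # No PSO applies to this user (msDS-ResultantPSO is empty), so the
        # domain-wide policy is in effect. Return that instead of nothing.
        Write-Host "No PSO applies to $Identity; the domain default policy is in effect."
        return Get-ADDefaultDomainPasswordPolicy
    }
    Write-Host "Effective PSO for $Identity is $($pso.Name) (precedence $($pso.Precedence))."
    return $pso
}

Get-EffectivePasswordPolicy -Identity "testuser1" |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration
```

The fallback in step 4 matters when scripting: a user that is targeted by no PSO at all gets the domain default policy, and a script that only prints the resultant PSO would show nothing for such a user rather than the policy that really applies.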

ADAC is a cool tool and if you do not use it already, have a look at the following blog post from the ASKDS guys at Microsoft about ADAC and its interesting features: “Fun with the AD Administrative Center”.


Figure 2: Navigating To The Password Settings Container Within ADAC

After navigating to the Password Settings Container you can see the PSOs already available within the selected AD domain. By default no PSO exists, and therefore you need to create them yourself. The picture below shows all the PSOs I have configured in my test environment. If you want to create a new PSO then select the “New” task in the right pane and after that select “Password Settings”.


Figure 3: Using ADAC To View The Configured Password Settings Objects Within The Selected AD Domain

When creating a new PSO, it is pre-configured with default settings as shown in the picture below. You of course MUST evaluate whether the pre-configured settings need to be adjusted to your needs or not. Another setting worth mentioning is that when you create a new PSO in ADAC in Windows 8, the PSO by default will be configured with “Protect From Accidental Deletion”. That setting will not allow you to delete the object, intentionally or unintentionally. So, before deleting the PSO, you need to uncheck that setting!


Figure 4: The Default Settings When Creating A New PSO Through ADAC In Windows 8

My custom PSOs as shown in figure 3 were created through the PSOMGR tool from JOEWARE.NET. The configuration of one of those PSOs is shown in the picture below. As you can see, the option “Protect From Accidental Deletion” has not been configured automatically by that tool.
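Since ADAC-created PSOs are protected from accidental deletion while PSOs created with PSOMGR (or older scripts) are not, the added example below (not code from the original post or from the PSOMGR tool) audits the protection flag on every PSO in the domain, switches it on where it is missing, and shows the order of operations for an intentional deletion: clear the flag first, then remove the PSO. It assumes the ActiveDirectory module; the PSO name “PSO-Test-Admins” is an assumed placeholder.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module; "PSO-Test-Admins" is an assumed placeholder name.
Import-Module ActiveDirectory

# 1. Audit: list every PSO with its precedence and deletion-protection state.
#    PSOs created in ADAC (Windows 8 RSAT) show True here; PSOs created with
#    PSOMGR or older scripts typically show False.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, Precedence, ProtectedFromAccidentalDeletion |
    Sort-Object Precedence | Format-Table -AutoSize

# 2. Harden: enable the protection on every PSO that lacks it. Deleting a PSO
#    silently drops its subjects back to the domain default policy, so an
#    accidental delete weakens password/lockout settings without any warning.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Set-ADFineGrainedPasswordPolicy -ProtectedFromAccidentalDeletion $true

# 3. Intentional deletion: the protection must be cleared first, otherwise
#    Remove-ADFineGrainedPasswordPolicy fails with an access-denied error.
function Remove-ProtectedPso {
    param([Parameter(Mandatory = $true)][string]$Name)

    $pso = Get-ADFineGrainedPasswordPolicy -Identity $Name -Properties ProtectedFromAccidentalDeletion

    # Record which users/groups the PSO applied to, so the effect of the
    # deletion can be reviewed afterwards (those subjects lose this policy).
    $subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $Name |
        Select-Object -ExpandProperty Name
    Write-Host "Removing PSO $($pso.Name); it applied to: $($subjects -join ', ')"

    if ($pso.ProtectedFromAccidentalDeletion) {
        Set-ADFineGrainedPasswordPolicy -Identity $Name -ProtectedFromAccidentalDeletion $false
    }
    Remove-ADFineGrainedPasswordPolicy -Identity $Name -Confirm:$false
}

Remove-ProtectedPso -Name "PSO-Test-Admins"
```

Running step 1 periodically (or after a migration from a third-party PSO tool) is a cheap way to catch PSOs that were created without the protection flag, since nothing in ADUC or ADAC flags that difference for you.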

Please note, that the settings shown are in no way to be considered as best practice settings for PSOs for any purpose! This is just for me to use in a TEST environment!


Figure 5: Configured Settings For A Custom PSO Created Through PSOMGR tool from JOEWARE.NET

Now, to determine the resultant PSO for any given AD user account you just need to select an AD user account as shown in the picture below. As soon as you select an AD user account, the right pane immediately shows the available actions for that object, which are exactly the same as when you right-click the AD user account. Selecting the action “View resultant password settings…” will tell you which PSO has an effect on that specific AD user account.


Figure 6: Determining The Resultant PSO For Any Given AD User Account

The system not only tells you which PSO is in effect for the selected AD user account, it also shows you the settings of the PSO that has an effect on that AD user account. The picture below shows the settings of the PSO that has an effect on the AD user account selected in figure 6.

Please note, that the settings shown are in no way to be considered as best practice settings for PSOs for any purpose! This is just for me to use in a TEST environment!


Figure 7: The Settings Of The PSO That Has An Effect On The AD User Account Selected In Figure 6

Have fun!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge ############# http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
