Fine-Grained Password Policies

 

 

What Are Fine-Grained Password Policies?

 
Windows Server 2008 introduced a way to create more detailed (fine-grained) password policies that can be applied to groups or to individual users. The feature requires the Windows Server 2008 domain functional level. When it is used, each password policy is stored as a new kind of Active Directory object called a 'Password Settings Object', referred to as a PSO in this topic.
 
When a PSO is applied to a user or a group, the password settings in the PSO (i.e. password length, complexity, history, lockout thresholds, etc.) override the default domain password policy for that user.  By applying a PSO to a group, all members of the group are effectively assigned the PSO.  Note that a PSO replaces the domain policy as a whole: every setting is mandatory in a PSO, so a user governed by a PSO gets all of its settings, not a merge of the PSO and the domain policy.
 
Users and groups can also be assigned to multiple PSOs.  Active Directory then applies only one of them, chosen by the precedence value set in each PSO's properties (the msDS-PasswordSettingsPrecedence attribute): the PSO with the lowest precedence number wins, a PSO linked directly to the user always beats one linked only through group membership, and an exact tie is broken in favour of the PSO with the lowest objectGUID.  The Microsoft documentation on PSOs is complete and thorough; however, the Active Directory tools built into Windows Server 2008 and 2008 R2 offer no GUI for creating or managing PSOs (ADSI Edit, ldifde or, from 2008 R2, the Active Directory PowerShell module are the built-in options; a GUI only arrived later with the Windows Server 2012 Active Directory Administrative Center).  Worse, the PSO that actually wins for a user is exposed only through the constructed attribute msDS-ResultantPSO on the user object, which those tools do not surface, so there is no easy way to see which PSO is active for a user.  
 
Hyena provides new functionality to simplify the creation and management of PSOs.  Even so, it's helpful to review the Microsoft documentation to understand the underlying Active Directory mechanisms involved.  After reviewing this documentation, continue reading this help topic to see how Hyena simplifies this complex process.
 
Microsoft's PSO documentation can be found here:
 

http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

 

While the Microsoft documentation covers the details, a more visual guide can be found on WindowsSecurity.com.

 

Viewing PSOs

 

A Windows Server 2008 Active Directory contains a new object called the 'Password Settings Container', which is used as the parent container for all PSOs. The Password Settings Container can be found under the 'System' container in the directory OU structure (CN=Password Settings Container,CN=System,<domain DN>).  To navigate to this container, expand the domain in Hyena's left window, then expand the Containers/OUs object, then the System container.  Expand the 'Password Settings Container', or double-click it to view the contents.  Optionally, a custom AD query can be designed to show relevant attributes; PSOs have the object class msDS-PasswordSettings, so the LDAP filter (objectClass=msDS-PasswordSettings) finds them.  See the Using Active Directory Queries and View topic for more information on creating custom queries.

 

Individual PSOs can be viewed in either the left tree window or the right window in Hyena.

 

Adding and Modifying PSO Settings

 

Creating a new PSO

 

To create a new PSO, right click on the 'Password Settings Container', and select 'Create New PSO Object'.

 

See the above-referenced articles on documentation for the specific AD attribute settings when creating a PSO.

 

Some of the PSO attributes are time-related and stored in AD as large integers (I8) counting 100-nanosecond intervals. Like the matching domain-policy attributes (maxPwdAge, lockoutDuration, etc.), these values are stored as negative numbers. The special value -9223372036854775808 (the smallest 64-bit integer) means 'never': for msDS-MaximumPasswordAge it means passwords never expire, and for msDS-LockoutDuration it means a locked account stays locked until an administrator unlocks it. Microsoft's 'Appendix B' in the above-referenced Technet article provides the values for intervals in minutes, hours, and days:

 

1 minute = -60* (10^7) = -600,000,000

1 hour = -60*60* (10^7) = -36,000,000,000

1 day = -24*60*60* (10^7) = -864,000,000,000

 

In the calculations above, 10^7 is used to represent 10 to the 7th power (1 followed by 7 zeros, i.e. 10,000,000). This value is the number of 100-nanosecond intervals in 1 second.

 

Hyena will automatically attempt to convert any PSO time value into a more friendly day/hour/minute display format. However, since the tools of the Windows Server 2008 era write these attributes as raw numbers (for example through ADSI Edit or ldifde), it is possible that values which are not whole minutes, or the 'never' sentinel described above, may have been stored. If these are encountered, Hyena will display the raw values found in these attributes.

 

To set any of the PSO time values, click the 'Set' button next to the time value and enter the number of days, hours, or minutes desired. If a specific 100-nanosecond interval is needed, it can be entered directly as well.
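The following PowerShell is an added example, not code from the Hyena help topic or the Hyena product. It converts between .NET TimeSpans and the raw negative 100-nanosecond values described above (.NET ticks are also 100 ns, so only the sign and the 'never' sentinel need handling), checks the results against the Appendix B figures, and shows how a raw value would be written with Set-ADObject. The 42-day value and the Set-ADObject line are assumptions used for illustration.

```powershell
# Added example: PSO time attributes are negative I8 counts of 100 ns intervals.
# Assumption: the 'never' sentinel is [int64]::MinValue (-9223372036854775808).
$script:PsoNeverSentinel = [int64]::MinValue

function ConvertTo-PsoInterval {
    # TimeSpan -> raw attribute value. -Never produces the 'never expires /
    # locked until an administrator unlocks' sentinel.
    param([TimeSpan] $Span = [TimeSpan]::Zero, [switch] $Never)
    if ($Never) { return $script:PsoNeverSentinel }
    if ($Span.Ticks -lt 0) { throw 'Interval must be non-negative; the sign is applied here.' }
    return [int64](-$Span.Ticks)
}

function ConvertFrom-PsoInterval {
    # Raw attribute value -> TimeSpan, or $null for the 'never' sentinel.
    param([Parameter(Mandatory)][int64] $Raw)
    if ($Raw -eq $script:PsoNeverSentinel) { return $null }
    if ($Raw -gt 0) { throw "PSO interval $Raw is positive; AD stores these as negative values." }
    # Negating cannot overflow here because int64 min was handled above.
    return [TimeSpan]::FromTicks(-$Raw)
}

function Format-PsoInterval {
    # Friendly day/hour/minute display of a raw value.
    param([Parameter(Mandatory)][int64] $Raw)
    $ts = ConvertFrom-PsoInterval $Raw
    if ($null -eq $ts) { return 'Never' }
    return ('{0}d {1}h {2}m' -f $ts.Days, $ts.Hours, $ts.Minutes)
}

# Constructed checks against the Appendix B values quoted above (42 days is an extra case).
$checks = [ordered]@{
    '1 minute' = @{ Span = [TimeSpan]::FromMinutes(1); Expected = -600000000 }
    '1 hour'   = @{ Span = [TimeSpan]::FromHours(1);   Expected = -36000000000 }
    '1 day'    = @{ Span = [TimeSpan]::FromDays(1);    Expected = -864000000000 }
    '42 days'  = @{ Span = [TimeSpan]::FromDays(42);   Expected = -36288000000000 }
}
foreach ($name in $checks.Keys) {
    $raw = ConvertTo-PsoInterval $checks[$name].Span
    if ($raw -ne $checks[$name].Expected) { throw "$name converted to $raw" }
    $back = ConvertFrom-PsoInterval $raw
    if ($back -ne $checks[$name].Span) { throw "$name did not round-trip" }
    '{0,-9} -> {1,18} -> {2}' -f $name, $raw, (Format-PsoInterval $raw)
}
$never = ConvertTo-PsoInterval -Never
'{0,-9} -> {1,18} -> {2}' -f 'never', $never, (Format-PsoInterval $never)

# Writing a raw value the way a low-level tool would (needs the RSAT ActiveDirectory module;
# $psoDn is assumed to hold the PSO's distinguished name):
# Set-ADObject -Identity $psoDn -Replace @{ 'msDS-MaximumPasswordAge' = (ConvertTo-PsoInterval ([TimeSpan]::FromDays(42))) }
```

The raw conversion is only needed when writing the attribute directly (ADSI Edit, ldifde, Set-ADObject or Hyena's 'Set' button with a 100-nanosecond value); the Set-ADFineGrainedPasswordPolicy cmdlet accepts a TimeSpan for the same settings and does the conversion itself.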

 

Modifying PSO Properties

 

To modify the properties of a PSO, either double-click on the PSO in either of Hyena's windows, or right click and select 'Properties...'.

 

Assigning a PSO to Directory Objects

 

Before a PSO can have any effect, it must be assigned to one or more directory objects. A PSO only takes effect on Active Directory users and global security groups; linking it to other group types or to an OU has no effect, so for OU-based scoping use a shadow group (a global security group whose membership mirrors the OU). Hyena supports two methods of assigning a PSO to a user or global security group:

 

Assignment Through the PSO - Use the 'Applies To' tab on the PSO Properties dialog to modify the user and/or global groups that the PSO is assigned to.

 

One or more DNs can also be manually entered or pasted from another source and added by clicking the 'Add DNs' button. To add multiple DNs at the same time, separate them with the '^' character.

 

Assignment Through the User/Group Object - Hyena also lets you assign the PSO directly to the user or group, much in the same way as users can be assigned to groups, or groups can be assigned to users: you decide which way to manage your directory.

 

Select the 'Manage Password Settings' option on the user 'Account Functions' context menu, or directly on the group's context menu. Hyena will display all PSOs that have been assigned to the directory object, including the active (resultant) PSO. Use the 'Add PSO...' or 'Remove' options to modify the PSOs assigned to the object.

 

Due to the background processing performed in Active Directory when a PSO assignment is changed (i.e. a PSO is added or removed from a user or group object), it may take a few seconds for a PSO modification to take effect. The resultant PSO is a constructed attribute computed by the domain controller that answers the query, so if Hyena reads from a different domain controller than the one that took the change, the new result is not visible until the change has replicated to it. When a PSO is added, removed, or modified, Hyena will automatically reload the resultant and currently applied PSO settings for the directory object. However, if the change is not immediately apparent, the Refresh button can be clicked to force a re-retrieval of the PSO settings.
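The following PowerShell is an added example, not part of the Hyena help topic or the Hyena product. The first part reproduces offline the resultant-PSO selection a domain controller performs (direct links beat group links, lowest precedence wins, ties go to the lowest objectGUID, nothing linked means the Default Domain Policy), so the 'active' PSO Hyena reports for a user can be explained; the second part lists the equivalent live commands from the RSAT ActiveDirectory module for creating, linking and auditing PSOs. The PSO names, precedences, GUIDs and the user 'alice' are constructed sample data, and the assumption that .NET's [guid] ordering matches the domain controller's GUID comparison is labelled in the code.

```powershell
# Added example: offline model of resultant-PSO selection plus the live cmdlets.
# Assumption: Sort-Object on [guid] orders GUIDs the same way the DC does for tie-breaks;
# when a tie matters in production, confirm with the user's msDS-ResultantPSO attribute.

function Resolve-PsoWinner {
    param(
        [object[]] $DirectPsos = @(),   # PSOs whose msDS-PSOAppliesTo names the user itself
        [object[]] $GroupPsos  = @()    # PSOs linked to global security groups the user is in
    )
    # Rule 1: any directly linked PSO beats every group-linked PSO, whatever the precedence.
    $candidates = if ($DirectPsos.Count -gt 0) { $DirectPsos } else { $GroupPsos }
    if ($candidates.Count -eq 0) { return $null }    # $null = Default Domain Policy applies
    # Rules 2 and 3: lowest msDS-PasswordSettingsPrecedence, then lowest objectGUID.
    return $candidates | Sort-Object Precedence, ObjectGuid | Select-Object -First 1
}

function New-SamplePso {
    # Constructed stand-in for a msDS-PasswordSettings object (sample data only).
    param([string] $Name, [int] $Precedence, [string] $Guid, [int] $MinPasswordLength)
    [pscustomobject]@{
        Name              = $Name
        Precedence        = $Precedence        # msDS-PasswordSettingsPrecedence
        ObjectGuid        = [guid] $Guid       # objectGUID
        MinPasswordLength = $MinPasswordLength # msDS-MinimumPasswordLength
    }
}

$psoAdmins    = New-SamplePso 'PSO-Admins'     10 '00000000-0000-0000-0000-00000000000b' 20
$psoFinance   = New-SamplePso 'PSO-Finance'    20 '00000000-0000-0000-0000-00000000000c' 14
$psoLegacy    = New-SamplePso 'PSO-LegacyApp'  10 '00000000-0000-0000-0000-00000000000a' 8
$psoException = New-SamplePso 'PSO-Exception'  50 '00000000-0000-0000-0000-00000000000d' 6

# Case 1: user in the Finance and Admins groups, no direct link -> lowest precedence wins.
$w = Resolve-PsoWinner -GroupPsos @($psoFinance, $psoAdmins)
if ($w.Name -ne 'PSO-Admins') { throw "case 1 picked $($w.Name)" }

# Case 2: a PSO linked directly to the user wins even though its precedence is the worst,
# so a 'temporary exception' PSO linked to a user silently weakens that user's policy.
$w = Resolve-PsoWinner -DirectPsos @($psoException) -GroupPsos @($psoFinance, $psoAdmins)
if ($w.Name -ne 'PSO-Exception') { throw "case 2 picked $($w.Name)" }

# Case 3: equal precedence -> the PSO with the lower GUID wins; here the weaker 8-character
# policy beats the 20-character one, which is why duplicate precedence values should be flagged.
$w = Resolve-PsoWinner -GroupPsos @($psoAdmins, $psoLegacy)
if ($w.Name -ne 'PSO-LegacyApp') { throw "case 3 picked $($w.Name)" }

# Case 4: nothing linked -> Default Domain Policy.
if ($null -ne (Resolve-PsoWinner)) { throw 'case 4 should fall back to the domain policy' }
'Offline resolver checks passed.'

# Part 2: the same steps against a real domain (ActiveDirectory module, Windows Server 2008
# domain functional level). Left as comments so the script runs without a domain.
# Import-Module ActiveDirectory
# New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 -ComplexityEnabled $true `
#     -MinPasswordLength 20 -MaxPasswordAge (New-TimeSpan -Days 42) -PasswordHistoryCount 24 `
#     -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
#     -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ProtectedFromAccidentalDeletion $true
# Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'
# # What the DC computed for one user. msDS-ResultantPSO is constructed on read, so query the
# # DC that took the change or wait for replication; msDS-PSOApplied lists direct links only.
# Get-ADUserResultantPasswordPolicy -Identity alice
# Get-ADUser alice -Properties 'msDS-ResultantPSO','msDS-PSOApplied' |
#     Select-Object 'msDS-ResultantPSO','msDS-PSOApplied'
# # Audit every PSO, its precedence and what it applies to (duplicate precedences stand out here):
# Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
#     Sort-Object Precedence | Format-Table Name, Precedence, MinPasswordLength, AppliesTo
```

Feed Resolve-PsoWinner with the PSOs from Get-ADFineGrainedPasswordPolicy (splitting them by whether AppliesTo names the user or one of the user's global security groups) and compare its answer with Get-ADUserResultantPasswordPolicy; a mismatch usually means replication lag or a group type that PSOs ignore.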