
HowTo: Create Custom Active Directory Password Policies on an Individual OU


If you’re having trouble setting up a GPO for custom password requirements on an OU (Organizational Unit), you’re not alone.  Password policy settings (length, complexity, age, lockout) for domain accounts are only read from GPOs linked at the domain level, which is why the Default Domain Policy wins even if you block inheritance on the OU; a GPO linked to the OU only affects the local accounts of the computers in that OU.  To give a subset of users a different policy, you need to create a PSO (Password Settings Object), which is what Active Directory calls a fine-grained password policy.  A PSO is applied to users and global security groups, not to an OU, so the usual pattern is to create a group, link the PSO to it, and put the users from that OU into the group.  This requires a domain functional level of Windows Server 2008 or higher.  It is fairly simple and I’ll walk you through the process.

I’m giving this 4 out of 5 stars for difficulty.  It’s not that it’s difficult, it’s that anytime you’re working in ADSI you have the opportunity to break things.  Also, I’m doing this on Server 2012 R2.  I’ve verified this works on 2012 and have been told it works on 2008 & 2008 R2, but haven’t verified this myself.  Sorry to all those running 2003 and older, I’m past that point in my life.  Time to upgrade, y’all!

Possible reasons for wanting to do this:

  1. You want new users to log in the first time with a short temporary password (the example here is the last 4 digits of their Social Security number) before they’re required to change it to something else. You create the account, add it to the PSO security group, set the 4-digit password, and remove them from the group. Keep in mind that a 4-digit password is trivially guessable and SSN digits are not a secret, so set “User must change password at next logon” and keep the window between creating the account and the first logon short.
  2. You have a user with a disability who has a hard time with complex passwords, e.g. holding Shift down to capitalize a letter, or typing symbols.

GETTING STARTED 

Part 1

  1. Open Active Directory Users and Computers and choose the OU or container in which you want to create the Global Security Group.
  2. Right-click that container, go to New, then select Group.
  3. Group Name: PSO, Group Scope: Global, Group Type: Security, then click OK.

Part 2

There are a few ways to do this next part.  You can do it through PowerShell, ADSI Edit, or ldifde.  I’m going to do this walkthrough using ADSI Edit.

  1. Click Start, click Run, type adsiedit.msc and then click OK.
  2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.
  3. In Name, type the fully qualified domain name of the domain in which you want to create the PSO.  Under Connection Point, choose Select a well known Naming Context, select Default naming context from the drop-down, and then click OK.
  4. Double-Click the domain to expand it out.
  5. Double-click DC=<domain_name>.
  6. Double-click CN=System.
  7. Click CN=Password Settings Container.
    • If there are any other PSOs in the selected domain they’ll appear here.
  8. Right-click CN=Password Settings Container, click New, and then click Object.
  9. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.
  10. In Value, type the name of the new PSO, and then click Next.
  11. Continue with the wizard and enter appropriate values for all mandatory (must-have) attributes; the list below gives each one with its accepted range.
      • To disable account lockout, set the msDS-LockoutThreshold attribute to 0.

     

    Attributes of msDS-PasswordSettings.  Time values are entered in ADSI Edit as days:hours:minutes:seconds and are stored in the directory as a negative count of 100-nanosecond intervals.

    msDS-PasswordSettingsPrecedence
      • Description: Password Settings Precedence.  When more than one PSO applies to a user through group membership, the one with the lowest precedence value wins; a PSO linked directly to the user wins regardless of precedence.
      • Accepted value range: greater than 0
      • Example value: 10

    msDS-PasswordReversibleEncryptionEnabled
      • Description: Password reversible encryption status for user accounts
      • Accepted value range: FALSE / TRUE (recommended: FALSE)
      • Example value: FALSE

    msDS-PasswordHistoryLength
      • Description: Password history length for user accounts
      • Accepted value range: 0 through 1024
      • Example value: 24

    msDS-PasswordComplexityEnabled
      • Description: Password complexity status for user accounts
      • Accepted value range: FALSE / TRUE (recommended: TRUE)
      • Example value: TRUE

    msDS-MinimumPasswordLength
      • Description: Minimum password length for user accounts
      • Accepted value range: 0 through 255
      • Example value: 8

    msDS-MinimumPasswordAge
      • Description: Minimum password age for user accounts
      • Accepted value range: (None), or 00:00:00:00 through the msDS-MaximumPasswordAge value
      • Example value: 1:00:00:00 (1 day)

    msDS-MaximumPasswordAge
      • Description: Maximum password age for user accounts
      • Accepted value range: (Never), or the msDS-MinimumPasswordAge value through (Never).  To set the value to (Never), enter -9223372036854775808.  msDS-MaximumPasswordAge cannot be set to zero.
      • Example value: 42:00:00:00 (42 days)

    msDS-LockoutThreshold
      • Description: Lockout threshold for lockout of user accounts (0 disables lockout)
      • Accepted value range: 0 through 65535
      • Example value: 10

    msDS-LockoutObservationWindow
      • Description: Observation window for lockout of user accounts
      • Accepted value range: (None), or 00:00:00:01 through the msDS-LockoutDuration value
      • Example value: 0:00:30:00 (30 minutes)

    msDS-LockoutDuration
      • Description: Lockout duration for locked-out user accounts
      • Accepted value range: (None), (Never), or the msDS-LockoutObservationWindow value through (Never)
      • Example value: 0:00:30:00 (30 minutes)

    msDS-PSOAppliesTo
      • Description: Links to the objects that this password settings object applies to (forward link).  This attribute is not mandatory, which is why the wizard only offers it under More Attributes (step 12 below).
      • Accepted value range: 0 or more DNs of users or global security groups
      • Example value: “CN=u1,CN=Users,DC=DC1,DC=contoso,DC=com”

     

    For msDS-PSOAppliesTo, use the group we created in Part 1.  In Active Directory Users and Computers (with View > Advanced Features turned on, otherwise the tab is hidden), right-click the group, click Properties, go to the Attribute Editor tab, select distinguishedName, click View, and copy that value.  It will save you time and limit the chance of typos.
  12. On the last screen of the wizard, click More Attributes. THIS IS VERY IMPORTANT.  msDS-PSOAppliesTo is not one of the mandatory attributes the wizard prompts for, so if you skip this part the PSO is created but applies to nobody and the policy silently never takes effect.
  13. On the Select which property to view menu, click Optional or Both.
  14. In the Select a property to view drop-down list, select msDS-PSOAppliesTo.
  15. In Edit Attribute, add the distinguished names of users or global security groups that the PSO is to be applied to, and then click Add.
  16. Repeat step 15 to apply the PSO to more users or global security groups.
  17. Click Finish.
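As an added example (this is not code from the original post), here is the same procedure, Parts 1 and 2 plus use case 1 from the list above, done with the ActiveDirectory PowerShell module that the post mentions as an alternative to ADSI Edit.  It also shows how to check which policy a user actually ends up with and how to decode the raw interval values that ADSI Edit stores.  The domain contoso.com, the OU “OU=Staff”, the user jdoe and the PSO name PSO-FirstLogon are assumptions for the example; the PSO values follow the attribute list above except that complexity is off and the minimum length is 4, which is what the first-logon use case needs.

```powershell
# Added example, not code from the original post: Parts 1 and 2 (group, PSO,
# link, first-logon workflow, verification) done with the ActiveDirectory module
# instead of ADSI Edit. Assumed names: domain contoso.com, OU "OU=Staff",
# group "PSO", PSO "PSO-FirstLogon", user "jdoe". Run elevated on a DC or a
# machine with RSAT, against a domain at functional level 2008 or higher.
Import-Module ActiveDirectory

$GroupName = 'PSO'
$PsoName   = 'PSO-FirstLogon'
$OuPath    = 'OU=Staff,DC=contoso,DC=com'          # assumed OU
$Dc        = (Get-ADDomain).PDCEmulator             # pin every call to one DC so the group
                                                    # membership is visible when the password is set

# Part 1: the global security group. PSOs link to users and global security
# groups only, never to an OU, so the group is how the OU's users get the policy.
if (-not (Get-ADGroup -Server $Dc -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Server $Dc -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $OuPath -Description 'Members get the relaxed first-logon password policy'
}

# Part 2: the msDS-PasswordSettings object. The cmdlet takes TimeSpans and
# stores them as the negative 100-nanosecond intervals that ADSI Edit shows.
$psoParams = @{
    Name                            = $PsoName
    Precedence                      = 10            # lowest number wins if several PSOs apply via groups;
                                                    # a PSO linked directly to the user wins regardless
    ComplexityEnabled               = $false        # the point of this PSO: a simple first-logon password
    ReversibleEncryptionEnabled     = $false        # never enable this
    PasswordHistoryCount            = 24
    MinPasswordLength               = 4
    MinPasswordAge                  = [TimeSpan]::Zero            # user may change it immediately
    MaxPasswordAge                  = [TimeSpan]::FromDays(42)    # must be > MinPasswordAge and not 0
    LockoutThreshold                = 10
    LockoutObservationWindow        = [TimeSpan]::FromMinutes(30)
    LockoutDuration                 = [TimeSpan]::FromMinutes(30) # must be >= the observation window
    ProtectedFromAccidentalDeletion = $true
}
if (-not (Get-ADFineGrainedPasswordPolicy -Server $Dc -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Server $Dc @psoParams
}

# The msDS-PSOAppliesTo step (steps 12-15 of the wizard). Without this the PSO
# exists but applies to nobody.
Add-ADFineGrainedPasswordPolicySubject -Server $Dc -Identity $PsoName -Subjects $GroupName

# Use case 1: create the account inside the group, set the short initial password
# while the PSO is in effect, force a change at first logon, then take the account
# back out so the domain policy governs the replacement password. The initial
# password is prompted for rather than written into the script.
$initial = Read-Host -Prompt 'Initial (4-digit) password for jdoe' -AsSecureString
New-ADUser -Server $Dc -Name 'jdoe' -SamAccountName 'jdoe' -Path $OuPath
Add-ADGroupMember -Server $Dc -Identity $GroupName -Members 'jdoe'
Set-ADAccountPassword -Server $Dc -Identity 'jdoe' -Reset -NewPassword $initial  # checked against the PSO
Set-ADUser -Server $Dc -Identity 'jdoe' -ChangePasswordAtLogon $true
Enable-ADAccount -Server $Dc -Identity 'jdoe'
Remove-ADGroupMember -Server $Dc -Identity $GroupName -Members 'jdoe' -Confirm:$false

# Which policy actually applies to a user? $null means the Default Domain Policy.
function Get-EffectivePso([string]$SamAccountName) {
    $pso = Get-ADUserResultantPasswordPolicy -Server $Dc -Identity $SamAccountName
    if ($null -eq $pso) { 'Default Domain Policy' } else { $pso.Name }
}

# Decode what ADSI Edit stores. "(Never)" is [long]::MinValue and cannot be
# negated, so it has to be special-cased; everything else is just -ticks.
function ConvertFrom-AdInterval([long]$Raw) {
    if ($Raw -eq [long]::MinValue) { return 'Never' }
    if ($Raw -eq 0)                { return 'None' }
    [TimeSpan]::FromTicks(-$Raw)    # .NET ticks are 100 ns too, so negation is the whole conversion
}

$container = "CN=Password Settings Container,CN=System,$((Get-ADDomain).DistinguishedName)"
$raw = Get-ADObject -Server $Dc -SearchBase $container -Filter "Name -eq '$PsoName'" `
    -Properties msDS-MaximumPasswordAge, msDS-LockoutDuration, msDS-PSOAppliesTo

"Effective PSO for jdoe : $(Get-EffectivePso 'jdoe')"
"Max password age (raw) : $($raw.'msDS-MaximumPasswordAge')"    # 42 days is stored as -36288000000000
"Max password age       : $(ConvertFrom-AdInterval $raw.'msDS-MaximumPasswordAge')"
"Lockout duration       : $(ConvertFrom-AdInterval $raw.'msDS-LockoutDuration')"
"Applies to             : $($raw.'msDS-PSOAppliesTo' -join ', ')"
```

Get-ADUserResultantPasswordPolicy is the quickest way to confirm that a user is really getting the PSO (or, after being taken out of the group, is back on the Default Domain Policy); Get-ADFineGrainedPasswordPolicySubject lists everything a PSO is linked to.  Pinning all calls to one DC with -Server matters because the password is set only moments after the group membership is added, and a different DC may not have replicated that change yet.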