HowTo: Create Custom Active Directory Password Policies on an Individual OU

If you’re having issues setting up a GPO for custom password requirements on an OU (Organizational Unit), you’re not alone.  Part of the problem is the Default Domain Policy takes precedence over other GPO’s even if you turn inheritance off for the OU you want to apply the custom password requirements on.  To make this work, you need to create a PSO (Password Settings Objects).  This is fairly simple and I’ll walk you through the process.

I’m giving this 4 out of 5 stars for difficulty.  Its not that it’s difficult, it’s that anytime you’re working in ADSI you have the opportunity to break things.  Also, I’m doing this on Server 2012R2.  I’ve verified this works on 2012 and have been told it works on 2008 & 2008R2, but haven’t verified this myself.  Sorry to all those running 2003 and older, I’m past that point in my life.  Time to upgrade ya’ll!

Possible reasons for wanting to do this:

1. You want new users to log in the first time using the last 4 of their social security number before they’re required to change it to something else. You can create the account, add it to the PSO security group, set the 4 digit ssn password and remove them from the group.
2. You have a disabled user that has a hard time utilizing complex passwords, eg. holding shift down to capitalize a letter, or typing symbols

GETTING STARTED 

Part 1

1.  Open Active Directory Users and Computers, choose which folder you want to create the Global Security Group in.
2. Right-Click on the Folder, go to New, then select Group.
3. Group Name: PSO, Group Scope: Global, Group Type: Security, then click OK.

Part 2

There are a few ways to do this next part.  You can do it through Powershell, ADSI, or ldifde.  I’m going to do this walkthrough using ADSI.

1. Click Start, click Run, type adsiedit.msc and then click OK.
2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.
3. In Name, type the fully qualified domain name of the domain in which you want to create the PSO, under Connection Point, choose Select a well known Naming Context:,  select Default naming context from the drop-down and then click OK.
4. Double-Click the domain to expand it out.
5. Double-click DC=<domain_name>.
6. Double-click CN=System.
7. Click CN=Password Settings Container.
   • If there are any other PSO’s in the selected domain they’ll appear.
8. Right-click CN=Password Settings Container, click New, and then click Object.
9. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.
10. In Value, type the name of the new PSO, and then click Next.
11. Continue with the Wizard, and enter appropriate values for all mustHave attributes.
    • To disable account lockout policies, assign the msDS-LockoutThreshold attribute the value of 0.

     

    Attribute Name	Description	Accepted Value Range	Example Value
    msDS-PasswordSettingsPrecedence	Password Settings Precedence	Greater than 0	10
    msDS-PasswordReversibleEncryptionEnabled	Password reversible encryption status for user accounts	FALSE / TRUE (Recommended: FALSE)	FALSE
    msDS-PasswordHistoryLength	Password History Length for user accounts	30 through 1024	24
    msDS-PasswordComplexityEnabled	Password complexity status for user accounts	FALSE / TRUE (Recommended: TRUE)	TRUE
    msDS-MinimumPasswordLength	Minimum Password Length for user accounts	0 through 255	8
    msDS-MinimumPasswordAge	Minimum Password Age for user accounts	(None) 00:00:00:00 through msDS-MaximumPasswordAge value	1:00:00:00 (1 day)
    msDS-MaximumPasswordAge	Maximum Password Age for user accounts (Never)	(Never) To set the time to (never), set the value to -9223372036854775808. msDS-MinimumPasswordAge value through (Never) msDS-MaximumPasswordAge cannot be set to zero	42:00:00:00 (42 days)
    msDS-LockoutThreshold	Lockout threshold for lockout of user accounts	0 through 65535	10
    msDS-LockoutObservationWindow	Observation Window for lockout of user accounts	(None) 00:00:00:01 through msDS-LockoutDuration value	0:00:30:00 (30 minutes)
    msDS-LockoutDuration	Lockout duration for locked out user accounts	(None) (Never) msDS-LockoutObservationWindow value through (Never)	0:00:30:00 (30 minutes)
    msDS-PSOAppliesTo	Links to objects that this password settings object applies to (forward link)	0 or more DNs of users or global security groups	“CN=u1,CN=Users,DC=DC1,DC=contoso,DC=com”   Choose the group we created in Step 1.  Right-click the group we created and click Properties. Go to the Attribute Editor tab. Click distinguishedName, then click View.  Copy that field.  It will save you time and limit the chance of typos

12. On the last screen of the wizard, click More Attributes. THIS IS VERY IMPORTANT.  IF YOU SKIP THIS PART, YOU WILL GET AN ERROR AND IT WILL FAIL.
13. On the Select which property to view menu, click Optional or Both.
14. In the Select a property to view drop-down list, select msDS-PSOAppliesTo.
15. In Edit Attribute, add the distinguished names of users or global security groups that the PSO is to be applied to, and then click Add.
16. Repeat step 15 to apply the PSO to more users or global security groups.
17. Click Finish.

About The Author

Marcuzio

See author's posts