o | Open your "Default naming context [domaincontroller.yourdomain.com]" |
o | Expand "DC=yourdomain,DC=com" - "CN=System" - "CN=Password Settings Container" |
o | Right click on "CN=Password Settings Container" & select "New" - "Object" |
o | Select the only class present "msDS-PasswordSettings" and click "Next" |
o | A wizard then prompts for the initial attributes of the password policy object |
| - Common-Name (CN) | Whatever you want to call the new policy |
| - msDS-PasswordSettingPrecedence | The lower the precedence value, the higher the priority |
| + i.e. A policy with 10 will beat another policy assigned to the same user that has a cost of 20 |
| - msDS-PasswordReversibleEncryptionEnabled | Generally "False" |
| + Storing passwords with reversible encryption is equivalent to storing them in cleartext, but some third-party applications require it |
| - msDS-PasswordHistoryLength | How many previous passwords to remember, i.e. a setting of 5 means the last 5 passwords used cannot be reused |
| - msDS-PasswordComplexityEnabled | Up to you, "True" or "False" - when enabled, a password must contain at least one character from at least three of the following categories |
| + Lower-Case |
| + Upper-Case |
| + Numerical 0 through 9 |
| + Special Character like !@#$% |
| - msDS-MinimumPasswordLength | A setting of 8 would require the password be at least 8 characters long |
| - msDS-MinimumPasswordAge | If you change your password now, how long must you wait before you can change it again |
| + A value of "-864000000000" equals a 1 day wait before you could change your password again (durations are stored as negative counts of 100-nanosecond intervals, so 1 day = 86,400 s x 10,000,000 = 864,000,000,000) |
| + A value of "0" will set this to "None" |
| - msDS-MaximumPasswordAge | How long until you are required to change your password again |
| + Take the 1 day value "-864000000000" and multiply it by the number of days, i.e. "-864000000000" * 30 days = "-25920000000000" |
| + A value of "-9223372036854775808" will set this to "Never" - you cannot set this to "None" or "0" |
| - msDS-LockoutThreshold | How many failed attempts before the account is locked, i.e. "5" consecutive failed password attempts will lock the account |
| - msDS-LockoutObservationWindow | How long after a failed password attempt before the failed-attempt counter resets |
| + i.e. 10 minutes would be "-6000000000" |
| + A value of "0" will set this to "None" |
| - msDS-LockoutDuration | How long before the account will automatically unlock itself |
| + i.e. 30 minutes would be "-18000000000" |
| + A value of "0" will set this to "None" |
o | Click "Finish" to create the policy, then right click it and select "Properties" |
o | Click "Filter" and ensure that "Show only attributes that have values" is unchecked |
o | Look for the attribute "msDS-PSOAppliesTo" - this attribute links the password policy to the security group it applies to. Edit this attribute, choose "Add Windows Account", search for your Global/Security group and add it to the list |
o | Review the other attributes set in the wizard. Note that instead of the negative numbers mentioned above, the durations are now displayed as dd:hh:mm:ss. I find it easier to type some arbitrary negative number in the wizard and then set the exact time afterwards in the policy properties |
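The same PSO built with the ActiveDirectory PowerShell module instead of ADSI Edit, as an added example that is not part of the original guide; the policy name, group name and user name are placeholders, and the values match the ones walked through above (precedence 10, history 5, 8 characters, 1/30 day ages, 5 attempts, 10/30 minute lockout windows).

```powershell
# Added example (not from the original guide). Placeholder names below.
Import-Module ActiveDirectory

$policyName  = 'PSO-Example'        # placeholder Common-Name for the PSO
$targetGroup = 'SG-Example-Users'   # placeholder global security group
$sampleUser  = 'user.example'       # placeholder member of that group

# Convert a TimeSpan into the raw value ADSI Edit asks for: a negative
# count of 100-nanosecond ticks (30 days -> -25920000000000).
function ConvertTo-PsoInterval([TimeSpan]$Span) {
    return -1 * $Span.Ticks
}

# The cmdlet takes TimeSpans directly and stores the negative interval for you,
# so there is no need to type the raw numbers from the wizard.
$params = @{
    Name                            = $policyName
    Precedence                      = 10          # 10 beats a policy with 20
    ReversibleEncryptionEnabled     = $false      # never store cleartext-equivalent
    HistoryCount                    = 5           # last 5 passwords cannot be reused
    ComplexityEnabled               = $true
    MinPasswordLength               = 8
    MinPasswordAge                  = [TimeSpan]::FromDays(1)
    MaxPasswordAge                  = [TimeSpan]::FromDays(30)
    LockoutThreshold                = 5           # 5 consecutive failures lock the account
    LockoutObservationWindow        = [TimeSpan]::FromMinutes(10)
    LockoutDuration                 = [TimeSpan]::FromMinutes(30)
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @params

# Equivalent of editing msDS-PSOAppliesTo in the properties dialog.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $targetGroup

# Show the raw attributes exactly as the wizard stored them (negative intervals).
Get-ADFineGrainedPasswordPolicy -Identity $policyName `
    -Properties 'msDS-MaximumPasswordAge','msDS-LockoutDuration','msDS-PSOAppliesTo' |
    Select-Object Name, Precedence, 'msDS-MaximumPasswordAge', 'msDS-LockoutDuration', 'msDS-PSOAppliesTo'

# The raw value you would have typed for msDS-MaximumPasswordAge in ADSI Edit.
ConvertTo-PsoInterval ([TimeSpan]::FromDays(30))

# Confirm which policy actually wins for a member of the group, since only the
# lowest-precedence PSO that applies to the user is enforced.
Get-ADUserResultantPasswordPolicy -Identity $sampleUser
```

Run this from a machine with RSAT as an account that can create objects under CN=Password Settings Container; the resultant-policy check is the quickest way to spot a competing PSO with a lower precedence value.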