Chapter 9. Fine-Grained Password Policies

Undoubtedly, one of the most exciting new features in Windows Server 2008 Active Directory is the introduction of a feature called fine-grained password policies (FGPPs). Prior to FGPPs, domain account policies (password and lockout policies, specifically) could only be set on a per-domain basis. If you had a requirement to have separate password-complexity requirements for two sets of users, you could either deploy a third-party password filter or deploy a second domain. Fine-grained password policies remove the need for either workaround by supporting multiple policies within a single domain, and they are immediately available once your domain is running at the Windows Server 2008 domain functional level.

Understanding Password Setting Objects

Fine-grained password policies you create are represented by Password Setting Objects (PSOs) within Active Directory. PSOs are standard Active Directory objects and are stored under the System container in the domain partition.

Fine-grained password policy functionality is new to Windows Server 2008 and, as such, Windows Server 2003 and earlier domain controllers are not capable of enforcing it. FGPPs become available once the domain has been raised to the Windows Server 2008 domain functional level. While you can create and manage PSOs before your domain is running at the Windows Server 2008 domain functional level, the policies will have no effect on users until it is.
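The following is an added example, not code from the book, showing the two points above in practice: checking the domain functional level before relying on a PSO, creating a stricter PSO for a privileged group, and confirming where it lands and whom it affects. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later, not the tooling this chapter describes), and the group name, PSO name and user name are placeholders.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module;
# 'Tier0-Admins', 'PSO-Tier0-Admins' and 'admin.jane' are placeholders.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Prerequisite from the chapter: a PSO can be created at any DFL, but it is
# only enforced once the domain runs at Windows Server 2008 DFL or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$minMode) {
    throw "Domain functional level is $($domain.DomainMode); PSOs will not be enforced."
}

# Stricter policy for privileged accounts. Lower Precedence wins when more
# than one PSO applies to the same user.
$psoParams = @{
    Name                            = 'PSO-Tier0-Admins'
    Precedence                      = 10
    MinPasswordLength               = 15
    PasswordHistoryCount            = 24
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    MaxPasswordAge                  = (New-TimeSpan -Days 60)
    LockoutThreshold                = 5
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @psoParams

# PSOs apply to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'

# As the chapter says, PSOs live under the System container: list them there
# with their precedence and the principals they apply to.
$psoContainer = "CN=Password Settings Container,CN=System,$($domain.DistinguishedName)"
Get-ADObject -SearchBase $psoContainer -LDAPFilter '(objectClass=msDS-PasswordSettings)' `
    -Properties 'msDS-PasswordSettingsPrecedence', 'msDS-PSOAppliesTo' |
    Select-Object Name, 'msDS-PasswordSettingsPrecedence', 'msDS-PSOAppliesTo'

# Resultant policy for one member; $null means the Default Domain Policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'admin.jane'
```

Run the final cmdlet for a member of the group before and after the link to see the policy switch from the domain default to the PSO.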

Unfortunately, Microsoft did not include a dedicated toolset to manage ...
