Shulou(Shulou.com)06/03 Report--

Task requirements

All user passwords in the WorldSkills2017.china domain require password complexity to be enabled except for the sales group. The length of the sales group password requires at least 3 digits.

Task analysis

The difficulty of the World Championships is still relatively large, although each topic has only a few words, but there is a huge pit hidden, this topic is typical.

In the default domain policy Default Domain Policy, password complexity has been enabled, and the topic requires a separate password policy for a group. At first, it instinctively thought of setting a separate group policy for this group, but it was found that if you use group policy, you will not be able to accomplish this task.

It took Baidu a while to know that, starting from the Windows Server 2008 system, the concept of multiple password policy (Fine-Grained Password Policy) was introduced into the domain, which allows different password policies to be applied to different users or global security groups, and this is the correct key to solve this problem.

In systems prior to Windows Server 2008, password policies could only be assigned to domains or sites and could not be applied to objects in the active Directory alone. In other words, password policies work at the domain level, and there can be only one set of password policies for a domain. Although the unified password policy greatly improves the security, it increases the complexity of domain users. For example, enterprise administrators have high security requirements for their accounts and require strong policies, such as passwords that need to be of a certain length, need to be changed every two weeks, and cannot be used several times; but ordinary domain users do not need such a high password policy, nor do they want to change passwords or use long passwords frequently, which is not suitable for them.

In order to solve this problem, multi-password policy is introduced into Windows Server 2008 to meet the different security requirements of different users.

Multiple password policy deployment requires the following:

a. The domain function level must be raised above windows Server 2008

b. If a user and group have multiple password setting objects PSO (PSO can be understood as similar to the group policy object GPO, popularly understood as a series of password policies), then the PSO with the lowest priority will eventually take effect.

c. Multi-password policy can only be applied to users and security groups, not to computers, and can not be directly applied to OU.

Task realization

The implementation of multi-cipher policy is mainly through the ADSI editor. Open the ADSI editor, expand to CN=Password Settings Container as shown, right-click on it, and select New object.

Then the New object window appears. There is only one password setting for the category. Click next.

Next, give PSO a meaningful name for your own management.

Next, modify the msDS-PasswordSettingsPrecedence property to set the priority of the password. The lower the value, the higher the priority, which is set to 1 here.

Next, modify the msDS-PasswordReversibleEncryptionEnabled property so that the acceptable input value is false/true. This property is used to set whether to enable password recoverable encryption. When enabled, you can reverse the user's password with the tool. If there is no special need, it is recommended to set it to false.

Next, modify the msDS-PasswordHistoryLength attribute, that is, mandatory password history, the default is 24, because the title is not explicitly required, here arbitrarily set to 3 historical passwords can not be repeated.

Next, modify the msDS-PasswordComplexityEnabled property, that is, whether to enable the password complexity requirement, which is set to false.

Next, modify the msDS-MinimumPasswordLength property to set the minimum password length, which is set to 3 according to the title requirements.

Next, modify the msDS-MinimumPasswordAge attribute to set the minimum expiration date of the password. It is required to enter a format of 0000, which represents "days, hours, minutes and seconds" respectively, and can only be entered as an integer multiple of 1 day. By default, the password can be changed again after 1 day of use. Here, type 00RV 00RV 00RU 00, that is, you can change the password immediately.

Next, modify the msDS-MaximumPasswordAge property to set the maximum password expiration date. The default is 42 days. The default value is used here.

Next, modify the msDS-LockoutThreshold attribute, that is, the lockout threshold of the user account. There is no limit by default. Here, it is set to automatically lock out after entering the wrong password 3 times.

Next, modify the msDS-LockoutObservationWindow property, that is, how long it takes to reset the account lock counter, which is set here to reset after 30 minutes.

Next, modify the msDS-LockoutDuration attribute, that is, set the duration of locking the user account. Here, enter the lock for 30 minutes. You should note that this value must be greater than or equal to the value of the msDS-LockoutObservationWindow attribute.

After clicking next, the PSO is created.

When the editing is complete, open the attribute editor and locate the msDS-PSOAppliesTo property, which lets you set which users or groups the PSO is applied to.

Set the properties and add the sales group.

At this point, the configuration is complete and can take effect immediately. Try to reset the password for the user in the sales group, and you can successfully set a 3-digit password.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.