Password policy management feature put in Longhorn

Microsoft has quietly added a password management feature to Longhorn Server that will let administrators assign password policies based on users and groups regardless of what domain they reside in.

The feature, called Fine Grained Password Policy Control, was slipped into Longhorn Beta 3, which shipped in April, the company said at its annual WinHEC conference.

At the conference, Microsoft chairman Bill Gates also announced that Longhorn would officially be dubbed Windows Server 2008 when it ships later this year.

He also said 100,000 copies of Longhorn Beta 3 have already been downloaded from Microsoft's Web site.

The Longhorn password policy control is an administrative feature designed to make assigning password rules to end-users more flexible and easier to administer.

Currently, in Windows 2000 and 2003 Active Directory domains, the password policy and account lockout policy are applied to all users in the domain. The policies are specified using Active Directory's Default Domain Policy.

This limitation means that everyone in the same Active Directory domain, from power users to users who only surf the Web, must adhere to the same password policy.

"This [fine-grained policy control] is solving a user pain point," said Ward Ralston, senior technical product manager for Microsoft. He said users no longer have to worry about maintaining password policies in many different locations and segmenting users based on password policy requirements.

With the new Longhorn password policy feature, Ralston said administrators will use Active Directory Services Interface (ADSI) to create a new Active Directory password object. The object is then assigned to a user or group of users. The policy requires that the user create passwords that adhere to certain rules, including how often the password must be updated.

The fine grained password policies do not interfere with custom password filters already in use within domains to enforce additional restrictions for passwords, according to Microsoft.

The new Longhorn policy controls can only be set and modified by domain administrators, but those administrators can delegate the ability to control policy to other administrators.

The password policy control adds two new object classes in Active Directory's domain services schema: Password Settings Container and Password Settings.

The Password Settings Container is created by default under the System container in the domain and stores the Password Settings Objects (PSO).

The PSO includes six password settings: enforce password history, maximum password age, minimum password age, minimum password length, complexity requirements and storage using reversible encryption.

The PSO also includes three lockout settings: account lockout duration, account lockout threshold and reset account lockout.

The PSO also will have two new attributes: PSO Link, a multi-valued attribute that administrators link to user or group objects, and Precedence, which resolves conflicts if multiple PSOs are applied to the same user or group object.

The new Fine Grained Password Policy Control requires users to set values for all nine of the PSO settings and attributes, and prevents administrators from merging multiple PSOs.

If users do not create fine-grained password policies, the Default Domain Policy settings apply to all users in the domain, just like in Windows 2000 and 2003.
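As an added illustration of the PSO described above (not code from the article or from Microsoft), the following PowerShell creates a single PSO carrying all nine settings, links it to a group, and then checks which policy actually wins for one member. It uses the Active Directory module cmdlets that shipped later with Windows Server 2008 R2 rather than the ADSI scripting the article mentions; the PSO name, group name, user name and setting values are constructed.

```powershell
Import-Module ActiveDirectory

# Constructed names; adjust to the domain in question.
$psoName = 'PSO-PrivilegedUsers'
$group   = 'Tier0-Admins'

# All nine settings (six password, three lockout) must be supplied, plus a
# precedence value. A lower precedence number wins when several PSOs apply.
# "Reset account lockout" in the article corresponds to LockoutObservationWindow.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutThreshold 5

# Link the PSO to the group; this is the multi-valued PSO Link attribute.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Check the resultant policy for one member to confirm the PSO, not the
# Default Domain Policy, is what the user is held to.
Get-ADUserResultantPasswordPolicy -Identity 'alice' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

If the last command returns nothing, no PSO applies to that user and the Default Domain Policy is in effect, which is the first thing to check when a stricter policy does not seem to take hold.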
