Step 1: Create a PSO

Applies To: Windows Server 2008, Windows Server 2008 R2

Creating a PSO

You can create Password Settings objects (PSOs) in any of the following ways:

  • Creating a PSO using the Active Directory module for Windows PowerShell

  • Creating a PSO using ADSI Edit

  • Creating a PSO using ldifde

Creating a PSO using the Active Directory module for Windows PowerShell

To create a PSO (fine-grained password policy) using the Active Directory module for Windows PowerShell, see Create a New Fine-Grained Password Policy.

Creating a PSO using ADSI Edit

Active Directory Service Interfaces Editor (ADSI Edit) provides a view of every object and attribute in an Active Directory Domain Services (AD DS) forest. You can use ADSI Edit to query, view, and edit AD DS objects and attributes.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To create a PSO using ADSI Edit

  1. Click Start, click Run, type adsiedit.msc, and then click OK.

Note

If you are running ADSI Edit for the first time on a domain controller, proceed to step 2. Otherwise, proceed to step 4.

  2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.

  3. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO, and then click OK.

  4. Double-click the domain.

  5. Double-click DC=<domain_name>.

  6. Double-click CN=System.

  7. Click CN=Password Settings Container.

    All the PSO objects that have been created in the selected domain appear.

  8. Right-click CN=Password Settings Container, click New, and then click Object.

  9. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.

  10. In Value, type the name of the new PSO, and then click Next.

  11. Continue with the wizard, and enter appropriate values for all mustHave attributes.

Important

To disable account lockout policies, assign the msDS-LockoutThreshold attribute the value of 0.

Note

To avoid ADSI Edit errors, values for the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) must be entered in the d:hh:mm:ss format (recommended) or the I8 format. Note that the d:hh:mm:ss format is only available in the Windows Server 2008 version of ADSI Edit. For more information about how to convert time unit values into I8 values, see "Negative PSO Attribute Values" in Appendix B: PSO Attribute Constraints.

Note

For more information about time-related PSO attributes, see "PSO Attributes Referential Integrity" in Appendix B: PSO Attribute Constraints.

<table>
<colgroup>
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Attribute name</th>
<th>Description</th>
<th>Acceptable value range</th>
<th>Example value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>msDS-PasswordSettingsPrecedence</strong></p></td>
<td><p>Password Settings Precedence</p></td>
<td><p>Greater than 0</p></td>
<td><p>10</p></td>
</tr>
<tr class="even">
<td><p><strong>msDS-PasswordReversibleEncryptionEnabled</strong></p></td>
<td><p>Password reversible encryption status for user accounts</p></td>
<td><p>FALSE / TRUE (Recommended: FALSE)</p></td>
<td><p>FALSE</p></td>
</tr>
<tr class="odd">
<td><p><strong>msDS-PasswordHistoryLength</strong></p></td>
<td><p>Password History Length for user accounts</p></td>
<td><p>0 through 1024</p></td>
<td><p>24</p></td>
</tr>
<tr class="even">
<td><p><strong>msDS-PasswordComplexityEnabled</strong></p></td>
<td><p>Password complexity status for user accounts</p></td>
<td><p>FALSE / TRUE (Recommended: TRUE)</p></td>
<td><p>TRUE</p></td>
</tr>
<tr class="odd">
<td><p><strong>msDS-MinimumPasswordLength</strong></p></td>
<td><p>Minimum Password Length for user accounts</p></td>
<td><p>0 through 255</p></td>
<td><p>8</p></td>
</tr>
<tr class="even">
<td><p><strong>msDS-MinimumPasswordAge</strong></p></td>
<td><p>Minimum Password Age for user accounts</p></td>
<td><ul>
<li>(None)<br />
<br />
</li>
<li>00:00:00:00 through <strong>msDS-MaximumPasswordAge</strong> value<br />
<br />
</li>
</ul></td>
<td><p>1:00:00:00 (1 day)</p></td>
</tr>
<tr class="odd">
<td><p><strong>msDS-MaximumPasswordAge</strong></p></td>
<td><p>Maximum Password Age for user accounts</p></td>
<td><ul>
<li>(Never)<br />
<br />
To set the time to (never), set the value to -9223372036854775808.<br />
<br />
</li>
<li><strong>msDS-MinimumPasswordAge</strong> value through (Never)<br />
<br />
</li>
<li><strong>msDS-MaximumPasswordAge</strong> cannot be set to zero<br />
<br />
</li>
</ul></td>
<td><p>42:00:00:00 (42 days)</p></td>
</tr>
<tr class="even">
<td><p><strong>msDS-LockoutThreshold</strong></p></td>
<td><p>Lockout threshold for lockout of user accounts</p></td>
<td><p>0 through 65535</p></td>
<td><p>10</p></td>
</tr>
<tr class="odd">
<td><p><strong>msDS-LockoutObservationWindow</strong></p></td>
<td><p>Observation Window for lockout of user accounts</p></td>
<td><ul>
<li>(None)<br />
<br />
</li>
<li>00:00:00:01 through <strong>msDS-LockoutDuration</strong> value<br />
<br />
</li>
</ul></td>
<td><p>0:00:30:00 (30 minutes)</p></td>
</tr>
<tr class="even">
<td><p><strong>msDS-LockoutDuration</strong></p></td>
<td><p>Lockout duration for locked out user accounts</p></td>
<td><ul>
<li>(None)<br />
<br />
</li>
<li>(Never)<br />
<br />
</li>
<li><strong>msDS-LockoutObservationWindow</strong> value through (Never)<br />
<br />
</li>
</ul></td>
<td><p>0:00:30:00 (30 minutes)</p></td>
</tr>
<tr class="odd">
<td><p><strong>msDS-PSOAppliesTo</strong></p></td>
<td><p>Links to objects that this password settings object applies to (forward link)</p></td>
<td><p>0 or more DNs of users or global security groups</p></td>
<td><p>"CN=u1,CN=Users,DC=DC1,DC=contoso,DC=com"</p></td>
</tr>
</tbody>
</table>

Note

To create a PSO without applying it to any users or global security groups, proceed to step 17. Otherwise, proceed to step 12.

  12. On the last screen of the wizard, click More Attributes.

  13. On the Select which property to view menu, click Optional or Both.

  14. In the Select a property to view drop-down list, select msDS-PSOAppliesTo.

  15. In Edit Attribute, add the distinguished names of users or global security groups that the PSO is to be applied to, and then click Add.

  16. Repeat step 15 to apply the PSO to more users or global security groups.

  17. Click Finish.

Note

If you receive the following error:

    Operation failed. Error code: 0x57
    The parameter is incorrect.

check the syntax of the distinguished name of the account. The following characters in a distinguished name must be escaped with a backslash:

    , \ # + < > ; " =

For example, a user whose common name is "Smith, John" in the West OU is written as cn=Smith\, John,ou=West,dc=contoso,dc=com (note the backslash before the comma inside the name).
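The ADSI Edit walkthrough above, as an added PowerShell example (not code from the original page) that builds the same PSO with the Active Directory module instead of clicking through the wizard, checks the constraints from the attribute table before submitting, applies the PSO, and reads back which policy actually wins for one member. It assumes the Active Directory module is available (Windows Server 2008 R2 or later), an account in Domain Admins or equivalent, and the made-up names PSO-ServiceAccounts (the PSO), ServiceAccounts (a global security group) and svc-backup (a user in that group).

```powershell
# Added example (not from the original page). Creates the PSO from the
# ADSI Edit table with the Active Directory module, validates the
# referential-integrity rules first, applies it, and verifies the result.
# Assumptions: AD module present, Domain Admins (or equivalent) rights,
# and the made-up names below.
Import-Module ActiveDirectory

$psoName  = 'PSO-ServiceAccounts'
$subjects = @('ServiceAccounts')   # global security groups and/or users (sAMAccountName)
$testUser = 'svc-backup'           # a member of that group, used only for the resultant check

# Values follow the "Example value" column of the table. The cmdlets take
# TimeSpans in d.hh:mm:ss (dot after the day count, unlike ADSI Edit's
# d:hh:mm:ss) and convert them to the negative I8 form on the wire themselves.
$p = @{
    Name                        = $psoName
    Precedence                  = 10
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    MinPasswordLength           = 8
    MinPasswordAge              = [TimeSpan]'1.00:00:00'
    MaxPasswordAge              = [TimeSpan]'42.00:00:00'
    LockoutThreshold            = 10
    LockoutObservationWindow    = [TimeSpan]'0.00:30:00'
    LockoutDuration             = [TimeSpan]'0.00:30:00'
}

# Constraints from the attribute table. The domain controller rejects these
# anyway (constraint violation), but checking first gives a readable failure.
if ($p.Precedence -le 0)                                { throw 'Precedence must be greater than 0' }
if ($p.MaxPasswordAge -eq [TimeSpan]::Zero)             { throw 'MaxPasswordAge cannot be zero' }
if ($p.MinPasswordAge -gt $p.MaxPasswordAge)            { throw 'MinPasswordAge must not exceed MaxPasswordAge' }
if ($p.LockoutObservationWindow -gt $p.LockoutDuration) { throw 'LockoutObservationWindow must not exceed LockoutDuration' }

$pso = New-ADFineGrainedPasswordPolicy @p -PassThru
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $subjects

# What the directory stored, including the msDS-PSOAppliesTo forward link.
Get-ADFineGrainedPasswordPolicy -Identity $psoName -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordAge, MaxPasswordAge, LockoutThreshold, AppliesTo

# Which PSO wins for a member (lowest precedence value among applicable PSOs).
# No output means no PSO applies and the Default Domain Policy is in effect.
$effective = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($null -eq $effective) {
    "No PSO applies to $testUser; the Default Domain Policy is in effect"
} else {
    "Effective PSO for ${testUser}: $($effective.Name) (precedence $($effective.Precedence))"
}
```

The resultant-policy check at the end is the one worth keeping in any change procedure: a PSO that is created correctly but linked to the wrong group, or shadowed by another PSO with a lower precedence value, looks identical in the Password Settings Container.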

Creating a PSO using ldifde

You can use the ldifde command as a scriptable alternative for creating PSOs.

LDAP Data Interchange Format (LDIF) is an Internet standard file format for performing batch operations against directories that conform to Lightweight Directory Access Protocol (LDAP) standards. You can use LDIF to export and import data and to perform batch operations such as add, modify, and delete against AD DS. When you install the AD DS role, a utility program called LDIFDE is included to support batch operations that are based on the LDIF file standard. For more information, see Using LDIFDE to import and export directory objects to Active Directory (https://go.microsoft.com/fwlink/?LinkId=87487).

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To create a PSO using ldifde

  1. Define the settings of a new PSO by saving the following sample code as a file, for example, pso.ldf:

    # PSO1: 2-day maximum age, 1-day minimum age, 30-minute lockout window and
    # duration, lockout disabled (threshold 0), applied to user1.
    # Durations are I8 values: negative 100-nanosecond intervals
    # (1 day = -864000000000, 30 minutes = -18000000000). A blank line ends the record.
    dn: CN=PSO1,CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
    changetype: add
    objectClass: msDS-PasswordSettings
    msDS-MaximumPasswordAge: -1728000000000
    msDS-MinimumPasswordAge: -864000000000
    msDS-MinimumPasswordLength: 8
    msDS-PasswordHistoryLength: 24
    msDS-PasswordComplexityEnabled: TRUE
    msDS-PasswordReversibleEncryptionEnabled: FALSE
    msDS-LockoutObservationWindow: -18000000000
    msDS-LockoutDuration: -18000000000
    msDS-LockoutThreshold: 0
    msDS-PasswordSettingsPrecedence: 20
    msDS-PSOAppliesTo: CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com


Note

When you use ldifde to create PSOs, values for the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) must be entered in the I8 format. For more information about how to convert time unit values into I8 values, see "Negative PSO Attribute Values" in Appendix B: PSO Attribute Constraints.

Note

For more information about time-related PSO attributes, see "PSO Attributes Referential Integrity" in Appendix B: PSO Attribute Constraints.

  1. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  2. Type the following command, and then press ENTER:

    ldifde -i -f pso.ldf
    
<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Parameter</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>ldifde</strong></p></td>
<td><p>The utility program that supports batch operations based on the LDIF file standard.</p></td>
</tr>
<tr class="even">
<td><p><strong>-i</strong></p></td>
<td><p>Turns on Import Mode (the default mode is export).</p></td>
</tr>
<tr class="odd">
<td><p><strong>-f pso.ldf</strong></p></td>
<td><p>Specifies the name of the input file that you created.</p></td>
</tr>
</tbody>
</table>
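The ldifde procedure above, as an added PowerShell example (not code from the original page) that generates pso.ldf so the four time-valued attributes are converted to I8 by code instead of by hand, imports it, and then uses ldifde itself to read the object back. It assumes a domain-joined host with ldifde.exe, an account in Domain Admins or equivalent, and takes the PSO name PSO1 and subject user1 from the page's sample file; the domain DN is read from RootDSE rather than hard-coded.

```powershell
# Added example (not from the original page). Builds the LDIF record for PSO1
# with the I8 durations computed from TimeSpans, imports it with ldifde, and
# exports the object again to confirm what was stored. Assumptions: ldifde.exe
# on a domain-joined host, Domain Admins (or equivalent) rights, PSO1/user1 as
# in the page's sample file.

function ConvertTo-PsoInterval {
    # PSOs store durations as negative 100-nanosecond intervals (I8). .NET
    # TimeSpan ticks are also 100 ns, so the conversion is a sign flip:
    # 1 day -> -864000000000, 30 minutes -> -18000000000.
    # -Never yields the "(Never)" sentinel, -9223372036854775808.
    param([TimeSpan]$Duration = [TimeSpan]::Zero, [switch]$Never)
    if ($Never) { return [Int64]::MinValue }
    if ($Duration -lt [TimeSpan]::Zero) { throw 'Duration must not be negative' }
    return -($Duration.Ticks)
}

$domainDN = "$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"   # e.g. DC=dc1,DC=contoso,DC=com
$psoDN    = "CN=PSO1,CN=Password Settings Container,CN=System,$domainDN"

# LDIF rules that bite here: attribute lines must start in column 1 (a leading
# space means "continuation of the previous line") and a blank line ends the record.
$ldif = @"
dn: $psoDN
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: 20
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 8
msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval ([TimeSpan]::FromDays(1)))
msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval ([TimeSpan]::FromDays(2)))
msDS-LockoutThreshold: 0
msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval ([TimeSpan]::FromMinutes(30)))
msDS-LockoutDuration: $(ConvertTo-PsoInterval ([TimeSpan]::FromMinutes(30)))
msDS-PSOAppliesTo: CN=user1,CN=Users,$domainDN

"@

$ldfPath = Join-Path $env:TEMP 'pso.ldf'
Set-Content -Path $ldfPath -Value $ldif -Encoding ASCII

# Import. ldifde prints its own status text, but a script should trust the exit code.
ldifde -i -f $ldfPath
if ($LASTEXITCODE -ne 0) { throw "ldifde import failed with exit code $LASTEXITCODE" }

# Export just this object (-d base DN, -p Base scope, -l attribute list) so the
# I8 values the directory stored can be compared with the ones that were sent.
$outPath = Join-Path $env:TEMP 'pso-readback.ldf'
ldifde -f $outPath -d $psoDN -p Base -l 'msDS-MinimumPasswordAge,msDS-MaximumPasswordAge,msDS-LockoutObservationWindow,msDS-LockoutDuration,msDS-PSOAppliesTo'
if ($LASTEXITCODE -ne 0) { throw "ldifde export failed with exit code $LASTEXITCODE" }
Get-Content $outPath | Where-Object { $_ -match '^msDS-' }
```

Generating the file rather than editing it by hand removes the two common ldifde mistakes with PSOs: a positive or mis-scaled I8 value (the DC rejects positive durations), and a DN copied with a space after a comma or an unescaped special character, which fails the import with the same 0x57 error the ADSI Edit note describes.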