Windows 2008 Granular Password Policies
Closed     Case # 10033     Affiliated Job:  New Trier Township District 2031
Opened:  Monday, April 26, 2010     Closed:  Friday, April 30, 2010
Case Type(s):  Server, Network
Case Notes(s):  All cases are posted for review purposes only. Any implementations should be performed at your own risk.

Project:
In our environment we wanted to establish multiple password polices; students, technology and staff. A Windows 2008 Native environment allows for just this.

Action(s) Performed:
Total Action(s): 4
Action #   Recorded Date           Type     User                       Details
10137      5/10/2010 11:47:22 AM   Server   contact@danieljchu.com     OWA Password Expiry Banner: Some limitations to the Exchange 2007 ...
10138      5/10/2010 11:47:22 AM   Server   contact@danieljchu.com     Exchange 2007 Password Expiry Notification Email (expanded below)

Exchange 2007 Password Expiry Notification Email

Requires: Quest Software (Free) ActiveRoles Management Shell for Active Directory

Because users who are off our network have limited ways to change their passwords, one way to notify them is an email distributed automatically by a scheduled script. Below is a custom script developed to do just this. The script provides users the following:
-   1 notification 30 days prior to expiration
-   A daily notification once 15 days prior to expiration is reached
-   The notification explains to users how to change their passwords:
   o   A direct link to IISADMPWD\aexp02.asp
   o   Directions on how to change the password in OWA prior to its expiration
-   You can use the "where-object" condition to limit your result set
-   Optional attachment with your instructions for password changes


Here is the script; customize it for your environment:
-   Schedule execution of "Execute.bat" in Scheduled Tasks
   o   PowerShell.exe -Command "C:\_Batch\Execute.ps1"
-   Execute.ps1
     # The Quest ActiveRoles cmdlets (Get-QADUser, Get-QADPasswordSettingsObject) come from this snap-in
     Add-PSSnapin Quest.ActiveRoles.ADManagement
     # Select every enabled, non-expired account that has an email address, whose password expires,
     # and that is not in the excluded group (replace the placeholder with the group's distinguished name)
     get-qaduser -sizelimit 0 | where-object {$_.Email -ne $null -and $_.AccountIsDisabled -eq $false -and $_.AccountIsExpired -eq $false -and $_.PasswordNeverExpires -eq $false -and $_.AllMemberOf -notcontains "<DN of Group to Exclude>"} | foreach{
     # Maximum password age in days, taken from the PSO that actually applies to this user (msDS-ResultantPso);
     # a user with no resultant PSO falls under the Default Domain Policy, which this lookup does not cover
     $PasswordAgeMax = $null
     $PasswordAgeMax = (Get-QADPasswordSettingsObject (Get-QADUser -Identity $_ -DontUseDefaultIncludedProperties -IncludedProperties 'msDS-ResultantPso' ).'msDS-ResultantPso' ).'msDS-MaximumPasswordAge'.Days
     # Days remaining before expiry = maximum age minus the password's current age
     $PasswordAge = $PasswordAgeMax - ((Get-QADUser -Identity $_ ).passwordage.days)
     $PasswordAge = [int]$PasswordAge
     # Notify once at 30 days out, then every day from 15 days out until the password expires
     if ($PasswordAge -ne $null -and ($PasswordAge -eq 30 -or ($PasswordAge -le 15 -and $PasswordAge -gt 0))){
     $EmailFrom = "helpdesk@somedomain.com"
     $EmailTo = (get-qaduser -identity $_).'Email'
     $EmailFirstN = (get-qaduser -identity $_).'FirstName'
     $EmailUserN = (get-qaduser -identity $_).'NTAccountName'
     $Subject = "Technology Req.: Password Expires in $PasswordAge Days"
     
     # Plain-text body (used for the MailMessage itself)
     $TextBody = "<Your Corporation Header>
     Department of Technology
     Password Change Request/Instructions
     
     $EmailFirstN, your password associated with the <SOMEDOMAIN> network will expire in $PasswordAge days.
     Please review the attached document for instructions how to change your
     network password associated with your ""$EmailUserN"" user account.
     
     If you should have any questions about the attached instructions or discover
     any difficulties with any of the procedures, please contact helpdesk at:
     - x1234
     - helpdesk@somedomain.com"
     
     # HTML body (attached as an alternate view; doubled quotes escape quotes inside the string)
     $HTMLBody = "<!DOCTYPE HTML PUBLIC ""-//W3C//DTD HTML 4.0 Transitional//EN"">
     <HTML><HEAD><META http-equiv=Content-Type content=""text/html; charset=iso-8859-1"">
     </HEAD><BODY><DIV><FONT face=Arial color=#000000 size=2>
     <Your Corporation Header><BR>
     Department of Technology<BR>
     <i>Password Change Request/Instructions</i><BR><BR>
     
     $EmailFirstN, your password associated with the <SOMEDOMAIN> network will expire in <b><u>$PasswordAge days</u></b>.<BR>
     Please review the attached document for instructions how to change your<BR>
     network password associated with your ""<b>$EmailUserN</b>"" user account.<BR><BR>
     
     If you should have any questions about the attached instructions or discover<BR>
     any difficulties with any of the procedures, please contact helpdesk at:<BR>
         -  x1234<BR>
         -  helpdesk@somedomain.com
     </FONT></DIV></BODY></HTML>"
     
     $SMTPMessage = New-Object System.Net.Mail.MailMessage $EmailFrom, $EmailTo, $Subject, $TextBody
     
     # The instructions PDF must sit in the working directory of the scheduled task
     $Attachment = New-Object Net.Mail.Attachment("./How to Change Your Password Documentation.pdf")
     $SMTPMessage.Attachments.Add($Attachment)
     
     $MIMEType = New-Object System.Net.Mime.ContentType("text/html")
     $Alternate = [Net.Mail.AlternateView]::CreateAlternateViewFromString($HTMLBody, $MIMEType)
     $SMTPMessage.AlternateViews.Add($Alternate)
     
     $SMTPServer = "smtp.somedomain.com"
     $SMTP = New-Object System.Net.Mail.SMTPClient $SMTPServer
     $SMTP.Send($SMTPMessage)
     # Release the attachment's file handle before moving on to the next user
     $SMTPMessage.Dispose()
     # Emit the user object so the scheduled task's output records who was notified
     $_
     }
     }
10136      5/10/2010 11:47:22 AM   Server   contact@danieljchu.com     Applying the Proper Domain Structure to Password Policies: It came ...
10120      5/3/2010 1:32:09 PM     Server   contact@danieljchu.com     Review the assigned password policy to a user: Quest has a great ...

Outcome:
After removing our last Windows 2003 DC and raising our environment to Windows 2008 native mode (both the domain functional level, in A.D. Users and Computers, and the forest functional level, in A.D. Domains and Trusts, as we are a single domain), establishing multiple policies was relatively easy.
-   Some useful URLs are:
   o   [http://technet.microsoft.com/en-us/library/cc754461(WS.10).aspx]
   o   [http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html]
-   Create "Global" "Security" groups and assign your members
   o   e.g. "All Students", "Technology Staff" and "All Staff". You may use existing groups, and group nesting is allowed (e.g. a student in "Grade 09" nested in "All Students" will receive the password policy assigned to "All Students", assuming the precedence setting gives it priority). The precedence setting, described below, determines which policy is actually applied when multiple policies apply to a user.
-   Set, review and confirm your default password policies in the "Default Domain Policy"; when a user is not a member of a security group assigned one of the granular password policies, they fall back to the "Default Domain Policy."
-   Create your new password policies using ADSI Edit:
   o   Open your "Default naming context [domaincontroller.yourdomain.com]"
   o   Expand "DC=yourdomain,DC=com" - "CN=System" - "CN=Password Settings Container"
   o   Right-click "CN=Password Settings Container" and select "New" - "Object"
   o   Select the only class present, "msDS-PasswordSettings", and click "Next"
   o   A wizard follows to set the initial parameters of the password policy:
          - Common-Name (CN) | Whatever you want to call the new policy
          - msDS-PasswordSettingsPrecedence | The lower the cost value, the higher the priority
                + e.g. a policy with a cost of 10 beats another policy assigned to the same user with a cost of 20
          - msDS-PasswordReversibleEncryptionEnabled | Generally "False"
                + Storing passwords with reversible encryption is equivalent to storing them in clear text, but some third-party applications require it
          - msDS-PasswordHistoryLength | How many previous passwords to remember; e.g. a setting of 5 means the last 5 passwords used are not permitted
          - msDS-PasswordComplexityEnabled | "True" or "False", up to you; "True" requires a password containing at least one character from at least three of the following areas:
                + Lower-case
                + Upper-case
                + Numerical 0 through 9
                + Special characters like !@#$%
          - msDS-MinimumPasswordLength | A setting of 8 requires the password to be at least 8 characters long
          - msDS-MinimumPasswordAge | After changing your password, how long you must wait before you can change it again
                + A value of "-864000000000" equals a 1-day wait before the password can be changed again
                + A value of "0" sets this to "None"
          - msDS-MaximumPasswordAge | How long until you are required to change your password again
                + Take the 1-day value "-864000000000" above and multiply it by the number of days, e.g. "-864000000000" * 30 days = "-25920000000000"
                + A value of "-9223372036854775808" sets this to "Never"; you cannot set this to "None" or "0"
          - msDS-LockoutThreshold | How many failed attempts before the account is locked, e.g. "5" consecutive failed password attempts will lock the account
          - msDS-LockoutObservationWindow | How long before the failed-attempt counter is reset
                + e.g. 10 minutes would be "-6000000000"
                + A value of "0" sets this to "None"
          - msDS-LockoutDuration | How long before a locked account automatically unlocks itself
                + e.g. 30 minutes would be "-18000000000"
                + A value of "0" sets this to "None"
   o   Click "Finish" to create the policy, then right-click it and select "Properties"
   o   Click "Filter" and ensure "Show only attributes that have values" is unchecked
   o   Look for the attribute "msDS-PSOAppliesTo"; this attribute links the password policy to the security group it applies to. Edit this attribute, choose "Add Windows Account", search for your affiliated Global/Security group and add it to the list
   o   Review the other attributes set in the wizard; note that instead of the negative numbers mentioned above for the durations, you will now see them as dd:hh:mm:ss. I find it easier to type some random negative number during the wizard and then enter the exact time afterwards in the policy properties
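As an added example (not part of the original case), here is the same policy built with PowerShell through System.DirectoryServices instead of the ADSI Edit wizard, using the attribute names and negative 100-nanosecond values listed above. The domain DN, policy name, group DN and sample user are placeholders, and the script assumes DirectoryEntry accepts Large Integer values as decimal strings.

```powershell
# Added example; assumed placeholders: DC=yourdomain,DC=com, "Students Password Policy",
# CN=All Students,OU=Groups,DC=yourdomain,DC=com and the user YOURDOMAIN\student1.

# Duration attributes are negative 100 ns intervals (1 day = -864000000000). They use the
# Large Integer syntax, which (assumption) DirectoryEntry accepts as a decimal string.
function ConvertTo-PsoInterval {
    param([Parameter(Mandatory)][timespan]$Span)
    if ($Span -eq [timespan]::Zero) { return '0' }   # "0" is what ADSI Edit shows as "None"
    return (-$Span.Ticks).ToString()                 # 1 tick = 100 ns
}

$container = New-Object System.DirectoryServices.DirectoryEntry(
    'LDAP://CN=Password Settings Container,CN=System,DC=yourdomain,DC=com')
$pso = $container.Children.Add('CN=Students Password Policy', 'msDS-PasswordSettings')

# The mandatory attributes the wizard asks for, in the same order
$pso.Properties['msDS-PasswordSettingsPrecedence'].Value          = 10      # lower value wins
$pso.Properties['msDS-PasswordReversibleEncryptionEnabled'].Value = $false
$pso.Properties['msDS-PasswordHistoryLength'].Value               = 5
$pso.Properties['msDS-PasswordComplexityEnabled'].Value           = $true
$pso.Properties['msDS-MinimumPasswordLength'].Value               = 8
$pso.Properties['msDS-MinimumPasswordAge'].Value       = ConvertTo-PsoInterval (New-TimeSpan -Days 1)       # -864000000000
$pso.Properties['msDS-MaximumPasswordAge'].Value       = ConvertTo-PsoInterval (New-TimeSpan -Days 30)      # -25920000000000
$pso.Properties['msDS-LockoutThreshold'].Value         = 5
$pso.Properties['msDS-LockoutObservationWindow'].Value = ConvertTo-PsoInterval (New-TimeSpan -Minutes 10)   # -6000000000
$pso.Properties['msDS-LockoutDuration'].Value          = ConvertTo-PsoInterval (New-TimeSpan -Minutes 30)   # -18000000000
$pso.CommitChanges()

# The msDS-PSOAppliesTo step: link the policy to the security group once the object exists
$pso.Properties['msDS-PSOAppliesTo'].Add('CN=All Students,OU=Groups,DC=yourdomain,DC=com') | Out-Null
$pso.CommitChanges()

# Confirm which policy wins for a member, using the same msDS-ResultantPso lookup
# the notification script above relies on (Quest ActiveRoles snap-in)
Add-PSSnapin Quest.ActiveRoles.ADManagement
(Get-QADUser -Identity 'YOURDOMAIN\student1' -DontUseDefaultIncludedProperties `
    -IncludedProperties 'msDS-ResultantPso').'msDS-ResultantPso'
```

Opening the new object's properties in ADSI Edit afterwards shows the four duration attributes as dd:hh:mm:ss, which is a quick way to check the conversions.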