0:00:00.000,0:00:05.340 Ronnie Coleman is a member of the PSO1 Global
security group.
0:00:05.340,0:00:21.800 To see if any PSOs are currently applied to
Ronnie, we can use dsget from the command prompt using his distinguished name. If the
command returns "dsget succeeded" without any additional information, it means the default
domain policy is currently being applied.
0:00:21.802,0:00:32.725 So let's head to ADSI Edit, dig down to System
and the Password Settings Container. Right-click, select New, and then Object.
0:00:32.726,0:00:40.832 The Common-Name is a friendly name for this
policy; we'll use PSO1 for reference.
0:00:40.832,0:00:52.813 Password settings precedence is used when
a user is a member of two groups that are subject to multiple password policies; think
metrics for this. We'll enter 1.
0:00:52.813,0:01:62.784 Password Reversible Encryption isn't needed
for this example and is generally bad security practice. Let's set this to false.
0:01:62.784,0:01:74.005 Password history length is the required number
of passwords a user will have to cycle before returning to their original password. We'll
enter 5.
0:01:74.004,0:01:79.970 Password complexity will be set to False for
this example.
0:01:79.971,0:01:89.812 Minimum password length is the minimum number
of characters required; we'll make this nice and simple and set it to 3.
0:01:89.812,0:01:108.658 Minimum password age is the time a password
must be kept before it can be changed. Enter this in days:hours:minutes:seconds format.
So for 1 day, enter 01:00:00:00.
0:01:108.666,0:01:118.882 Maximum password age is entered in the same
way as the minimum password age; we'll set this to 90 days.
0:01:118.882,0:02:127.739 Lockout threshold is how many times the password
can be entered incorrectly before the account is locked out.
0:02:127.740,0:02:145.951 Observation window is the time in which incorrect
passwords are logged. For example, if we set 5 for the lockout threshold and 00:00:20:00
for this, then if more than 5 incorrect passwords are typed within a 20 minute period the account
will get locked out.
0:02:145.951,0:02:154.297 Lockout duration is the time an account will
stay locked if it meets the previous two requirements.
0:02:154.297,0:02:164.383 Select more attributes, change the 'Select
a property to view' to 'PSO Applies to'.
0:02:164.383,0:02:172.844 Open ADUC and make sure Advanced Features
is enabled in the View menu.
0:02:172.844,0:03:186.894 Open the security group, select Attribute
Editor and double-click the distinguished name attribute; we can copy and paste this
into ADSI Edit.
0:03:186.894,0:03:197.194 Click add, then ok, then finish. Our first
policy has been created!
0:03:197.194,0:03:209.176 We can verify this policy is applied to Ronnie
by re-running the dsget command from earlier. This time you can see it also lists the PSO
we just created.
0:03:209.176,0:03:219.653 We can also change his password in ADUC to
confirm.