1
00:00:06,410 --> 00:00:15,020
Starting with Windows Server 2008, administrators can define more than one password policy in a single

2
00:00:15,020 --> 00:00:19,760
domain by implementing fine-grained password policies.

3
00:00:19,760 --> 00:00:28,250
These give you individual control over user password requirements, and you can have different password

4
00:00:28,250 --> 00:00:32,030
requirements for different users and groups.

5
00:00:32,030 --> 00:00:41,000
This is beneficial for enforcing more restrictive password settings for administrators,

6
00:00:41,000 --> 00:00:49,970
service accounts, or users with highly critical business functions. To support the fine-grained password

7
00:00:49,970 --> 00:00:58,730
policy feature, AD DS in Windows Server 2008 and newer includes two object types:

8
00:00:58,730 --> 00:01:07,280
Password Settings Container and PSOs. The Password Settings Container is created in Windows Server by

9
00:01:07,280 --> 00:01:11,990
default, and you can view it in the domain's System container.

10
00:01:11,990 --> 00:01:20,590
The container stores the PSOs that you create and link to global security groups or to users.

11
00:01:20,600 --> 00:01:30,710
As for PSOs, members of the Domain Admins group create PSOs and then define specific password and account

12
00:01:30,740 --> 00:01:35,990
lockout settings to link to a specific security group or user.

13
00:01:36,010 --> 00:01:45,650
Now, fine-grained password policies only apply to user objects, InetOrgPerson objects, or global security

14
00:01:45,650 --> 00:01:56,180
groups. By linking a PSO to a user or a group, you are modifying an attribute called

15
00:01:56,370 --> 00:02:00,640
msDS-PSOApplied, which is empty by default.

16
00:02:00,650 --> 00:02:07,970
This approach now treats password and account lockout settings not as domain-wide requirements

17
00:02:08,180 --> 00:02:17,120
but as attributes of a specific user or a group. For example, to configure a strict password policy for

18
00:02:17,120 --> 00:02:18,670
administrative accounts,

19
00:02:18,790 --> 00:02:27,680
create a global security group, add the administrative user accounts as members, and then link a PSO

20
00:02:27,680 --> 00:02:29,250
to the group. Applying

21
00:02:29,300 --> 00:02:38,150
fine-grained password policies to a group in this manner is more manageable than applying policies to

22
00:02:38,270 --> 00:02:41,000
each individual user account.

23
00:02:41,330 --> 00:02:50,660
If you create and use a service account, you simply add it to the group and the PSO manages the account. By

24
00:02:50,660 --> 00:02:51,440
default,

25
00:02:51,590 --> 00:02:59,000
only members of the Domain Admins group can create and apply fine-grained password policies.

26
00:02:59,000 --> 00:03:07,460
However, you also can delegate the ability to set these policies to other users on a domain-by-domain

27
00:03:07,460 --> 00:03:08,330
basis.

28
00:03:08,330 --> 00:03:15,020
Now let's talk about applying fine-grained password policies. You cannot apply fine-grained password

29
00:03:15,020 --> 00:03:24,910
policies directly to an OU. To apply a fine-grained password policy to OU users, you can use a

30
00:03:25,010 --> 00:03:35,570
shadow group. A shadow group is a global security group that maps logically to an OU and enforces a

31
00:03:35,570 --> 00:03:45,050
fine-grained password policy. You can add an OU's users as members of the newly created shadow group,

32
00:03:45,380 --> 00:03:50,900
and then you can apply the fine-grained password policy to this shadow group.

33
00:03:50,900 --> 00:03:59,360
If you move a user from one OU to another, you must update the membership of the corresponding shadow

34
00:03:59,360 --> 00:04:00,140
groups.

35
00:04:00,230 --> 00:04:09,020
The settings that fine-grained password policies manage are identical to those in the Password Policy

36
00:04:09,020 --> 00:04:12,800
and Account Policy nodes of a GPO.

37
00:04:13,070 --> 00:04:22,910
However, you do not implement fine-grained password policies as part of Group Policy, nor are

38
00:04:22,910 --> 00:04:33,890
they applied as part of a GPO. Instead, the PSO is a separate class of object in AD DS that maintains

39
00:04:33,980 --> 00:04:38,090
the settings for fine-grained password policy.

40
00:04:38,450 --> 00:04:47,630
Additionally, fine-grained password policies do not interfere with custom password settings or filters

41
00:04:47,720 --> 00:04:49,630
that you might have implemented.

42
00:04:49,760 --> 00:04:55,210
You can create one or more PSOs in your domain.

43
00:04:55,250 --> 00:05:04,580
Each contains a complete set of password and lockout policy settings, and each allows the same configuration

44
00:05:04,670 --> 00:05:05,670
options

45
00:05:05,720 --> 00:05:13,320
that are available in domain-based password and lockout settings. You apply a PSO by linking

46
00:05:13,320 --> 00:05:22,620
it to one or more global security groups or users. To use the fine-grained password policy, your domain

47
00:05:22,620 --> 00:05:30,560
functional level must be at least Windows Server 2008, which means that all of your domain controllers

48
00:05:30,560 --> 00:05:38,120
in the domain must be running at least Windows Server 2008. To meet this condition,

49
00:05:38,220 --> 00:05:46,500
you must raise the domain functional level to at least Windows Server 2008. To confirm and modify the

50
00:05:46,770 --> 00:05:48,550
domain functional level,

51
00:05:48,630 --> 00:05:50,580
use the following procedure.

52
00:05:50,580 --> 00:05:58,800
Open Active Directory Domains and Trusts. In the console tree, expand Active Directory Domains and Trusts,

53
00:05:59,130 --> 00:06:03,690
and then expand the tree until you can see the domain.

54
00:06:03,750 --> 00:06:08,270
Right-click the domain, and then click Raise domain functional level.

55
00:06:08,580 --> 00:06:14,180
Okay, next up we'll be talking about tools for creating PSOs.

56
00:06:14,400 --> 00:06:20,250
As you remember, the abbreviation PSO means Password Settings Object.