Active Directory – Lightweight Directory Services and Domain Password Policy

active-directoryad-ldsgroup-policy

Greetings all,

We have an active directory domain which enforces a strict password policy. Hooray!

Now, for the project we are working on, we are going to be storing users of our website Microsoft's AD-LDS service as well as using that for authentication of our web users.

By default, it is my understanding that AD-LDS inherits its password policy from the domain of the machine it's installed on. Is there any way to break that link such that we can define a lighter password policy (or none if we so choose) for users in AD-LDS without affecting our domain?

Note: AD-LDS is going to be hosted on a machine which is part of the domain.

Thanks in advance.

Best Answer

I bumped into this (old) question while looking for something else, but I will add an answer for anyone that ends up here actually looking for an answer...

An option you can use (assuming you have a least a 2008 level AD domain) is to apply a password policy with your required "lighter" settings specifically against the server(s) you have hosting ADLDS. While 2003 and below had only domain-wide password policy settings, 2008 and up can support fine-grained password policies configured against certain areas of the domain.

Related Solutions

Security – How to Disable the Password Policy for Local Users on Windows 2003

Your member computer is picking up its local password policy settings from the "Default Domain Policy" (in a stock configuration) but you can override it by applying a group policy object with the password policy settings you'd like at the OU of that machine (or, really, anywhere lower than the top of the domain but above that computer object's path).

As long as you don't put another password policy into a GPO at the root of the domain you won't cause changes to the domain-wide password policy (used for AD accounts by domain controllers).

You might see things about granular password policies in W2K8, but this isn't what you're looking for. What you want can be done in every version of AD back to W2K, because it only applies to local accounts on member computers.

Active Directory New password policy – should I wait

Have you communicated the new password policy to your users?

If you know for sure that everybody knows there will be a new policy and that they're going to have to change their passwords, then there should be no problems with enforcing a change at next logon.

However, if you haven't given your users enough notice, then many of them will be caught unawares when they're forced to change their password at next logon, and you'll be dealing with the following scenario a lot:

User logs in and sees that they must change their password.
User does not much care about password policy, but wants very much to check their email, and so selects a new password essentially at random.
User forgets this new password shortly thereafter, cannot log in anymore, and asks you for help with a reset.

As for knowing whether a user has changed his/her password, Active Directory stores a pwdLastSet attribute for each user:

The date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon.

You could run a query against Active Directory to find the users for whom pwdLastSet was more than a couple of days ago, and then force only those users to reset their passwords.

Finally, to set the "Must change password at next logon" flag for multiple users at once, you can use dsmod:

dsmod user <user_dn> -mustchpwd {yes|no}

Make up a batch file with a dsmod command for every user whose pwdLastSet is too long ago, and voila! You have your password policy enforcement mechanism.

Best Answer

Related Solutions

Security – How to Disable the Password Policy for Local Users on Windows 2003

Active Directory New password policy – should I wait

Related Topic