Configuring Fine Grained Password Policy


Configuring Fine Grained Password Policy to apply different policies to different groups!


1. Introduction to Fine Grained Password Policy

In Windows Server 2003 and earlier, we could only set one common password policy for all users in the domain. This raises a problem: if the domain has many OUs and many groups, and we want a different password policy for each group, how do we do it?

For example, suppose the password policy for the whole domain must satisfy these conditions:

Password must be at least 6 characters long

No password complexity requirement

Password is not stored with reversible encryption

Password must be changed after 90 days

Meanwhile, the password policy for the IT group must satisfy these conditions:

Password must be at least 10 characters long

Password must meet complexity requirements

Password is not stored with reversible encryption

Password must be changed after 30 days

This problem cannot be solved in Server 2003. For that reason, in Server 2008 Microsoft added a feature to solve problems of this kind, and that feature is called Fine Grained Password Policy.

2. Configuring Fine Grained Password Policy

First of all, because this is a new feature, we must make sure that no machine in the domain or forest is running Server 2003; otherwise the feature will not work on the Server 2003 machines. Start by checking the functional level of the domain. It must be Server 2008 or higher. If it is currently Server 2003 or 2000, the functional level must be raised to 2008. Open Active Directory Users and Computers, right-click the domain name and choose Properties to check. If the level is 2008 or 2008 R2, that is fine. If not, right-click the domain name, choose Raise Functional Level, and raise it to 2008 if the whole domain or forest runs 2008 or later, or to 2008 R2 if the whole domain or forest runs 2008 R2 or later.

Open Group Policy Management to set the password policy for all users.

Right-click Default Domain Policy and choose Edit

Then configure the settings required by the scenario and run the command gpupdate /force so that the changes in the GPO are applied. At this point all users in the domain are subject to the policy set above. Now we set up a different policy for the IT group. The steps are as follows:

Go to Administrative Tools and choose ADSI Edit.

Right-click and choose Connect to

Choose OK

Continue selecting as shown in the figure below

Choose CN=Password Policy Container

In the right-hand panel choose New/Object

Choose Next

Next, type the name of the policy

At this point the wizard starts and guides us through the whole process of creating a Password Settings Object (PSO). We must specify a value for each of the 11 attributes below. Enter the values as shown in the table below.

| Attribute | Value | Quick explanation |
|---|---|---|
| Cn | PassPolAdmins | This is the name of the policy. You should use a naming convention for these policies. |
| msDS-PasswordSettingsPrecedence | 10 | This number is used as a cost for deciding priority between policies when a user is covered by more than one PSO. Leave room below and above it for future use. The stronger the PSO's password settings, the lower the cost. |
| msDS-PasswordReversibleEncryptionEnabled | False | Boolean value that selects whether passwords are stored with reversible encryption (usually not a good idea). |
| msDS-PasswordHistoryLength | 24 | How many previous passwords the system remembers. |
| msDS-PasswordComplexityEnabled | True | Must users use complex passwords? (Boolean value) |
| msDS-MinimumPasswordLength | 10 | What is the minimum number of characters in a user account password? |
| msDS-MinimumPasswordAge | dd:hh:mm:ss | What is the minimum password age? (in this case 1 day) |
| msDS-MaximumPasswordAge | dd:hh:mm:ss | What is the maximum password age? (in this case 42 days) |
| msDS-LockoutThreshold | 3 | How many failed attempts before the user account is locked? |
| msDS-LockoutObservationWindow | dd:hh:mm:ss | After how long is the counter of failed attempts reset? |
| msDS-LockoutDuration | dd:hh:mm:ss | How long is the user account locked when too many wrong passwords have been entered? |

Once everything has been entered, you will see the window below; click Finish.

Assign the new policy to one user, several users, one global security group, several global security groups, or a combination of users and global security groups. Right-click the policy you just created and choose Properties

Now go to msDS-PSOAppliesTo, select it and click Edit.

Choose Edit / Add Windows Account

Choose the group to assign.

Go back to the Active Directory Users and Computers window and try resetting a password to test the policy.

For an account that is not in the IT group, the password can be reset to one that is 6 characters long; for users in the IT group it cannot.
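
The same PSO can be created and linked with the ActiveDirectory PowerShell module instead of ADSI Edit. This is an added example, not part of the original guide; the group name "IT", the test account "it.user01", and the 30-minute lockout window and duration are assumptions.

```powershell
# Added example (not from the original guide): the ADSI Edit steps as a script.
# Requires the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT).
Import-Module ActiveDirectory

$psoName  = 'PassPolAdmins'  # policy name used in the table above
$group    = 'IT'             # assumption: sAMAccountName of the IT group
$testUser = 'it.user01'      # hypothetical member of the IT group

# 1. PSOs require a domain functional level of Windows Server 2008 or higher.
$mode = (Get-ADDomain).DomainMode.ToString()
if ($mode -match '2000|2003') {
    throw "Domain functional level is $mode; raise it to 2008 or higher first."
}

# 2. A PSO can be linked only to users and global security groups.
$g = Get-ADGroup -Identity $group
if ($g.GroupScope -ne 'Global' -or $g.GroupCategory -ne 'Security') {
    throw "'$group' is $($g.GroupScope)/$($g.GroupCategory); use a global security group."
}

# 3. Create the PSO with the table's values.
$pso = @{
    Name                        = $psoName
    Precedence                  = 10
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    MinPasswordLength           = 10
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 42)    # table value; the IT scenario asks for 30
    LockoutThreshold            = 3
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30) # assumed; page gives only the format
    LockoutDuration             = (New-TimeSpan -Minutes 30) # assumed; must be >= observation window
}
New-ADFineGrainedPasswordPolicy @pso

# 4. Link the PSO to the group (this writes msDS-PSOAppliesTo).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# 5. Confirm which PSO wins for a member of the group.
$effective = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($null -eq $effective) {
    Write-Warning "No PSO applies to $testUser; the Default Domain Policy is in effect."
} else {
    $effective | Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, MaxPasswordAge
}
```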