Network World

Tyson Kopczynski

Managing Fine Grained Password Policies…

By tyson.kopczynski on Tue, 09/18/07 - 2:35am.

One of my co-workers recently asked me if there was a better method for managing Fine Grained Password policies in Windows Server 2008.  Basically, he came across Microsoft’s (pretty good) step-by-step for using this feature on TechNet – Link.  Upon reading the first step, he quickly realized that managing this feature was going to suck. 

Why Microsoft!  Like BitLocker, you yet again taunt us with a really cool feature.  But, yet again the management of the feature is from the bowels of suckiness.  I’m actually biting my tongue here.  Yes, if I really wanted to… I could fire up adsiedit and ldifde to complete the management task at hand.  But, I have to ask the question, what about the IT Pros that don’t dabble with those tools on a daily basis?  You know, the ones managing your products.  Forgive me for getting riled up.  But, you did this to me with BitLocker and there is yet again a cool feature that isn’t fully baked.  I shouldn’t have to go through a multi-step process involving several different tools just to manage one feature.  Give me a GUI that is driven by a set of PowerShell cmdlets (click or command it).  Errr… like Quest did.

Anyhow, I’m done.  My reply to my co-worker was to use either the PasswordSettingsObject cmdlets from Quest or the PowerGUI snap-in which uses those cmdlets - http://powergui.org/entry.jspa?externalID=882&categoryID=46.

LOL!


A great, funny post. But can you explain a little more what Fine Grained Password policies do and what makes them so cool? Thanks!

Reply to LOL!

Well duh!  It might help if I explained the feature before complaining about it.  Sorry about that!  Where to start…

In previous versions of Active Directory you could only define a single password policy for all users in a domain (actually you could do it at a DC level, but that doesn’t really count).  Considering that an organization may have different password policy requirements for different types of users, this limitation would then force the weaker of the policies to be enforced within Active Directory.  To solve this, in Windows Server 2008, Microsoft has introduced the Fine Grained Password Policy feature.  Using this feature you can define different password policies for global group members or users.  Hence coolness!

- T
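
As an added illustration of the feature described in the reply above (not code from the original post or from Quest): a PowerShell example that creates a stricter password policy for a global security group and confirms which policy a member actually receives. It uses Microsoft's ActiveDirectory module rather than the Quest cmdlets the post recommends; the PSO, group, and user names and all policy values are assumptions.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and a domain at the
# Windows Server 2008 functional level or higher. All names are hypothetical.
Import-Module ActiveDirectory

$psoName   = 'PSO-PrivilegedAdmins'   # hypothetical password settings object
$groupName = 'GG-PrivilegedAdmins'    # hypothetical global security group
$checkUser = 'adm.jdoe'               # hypothetical member of that group

# Create the PSO only if it is missing, so the script is safe to re-run.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $settings = @{
        Name                        = $psoName
        Precedence                  = 10             # lower value wins on conflict
        MinPasswordLength           = 15
        PasswordHistoryCount        = 24
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        MinPasswordAge              = '1.00:00:00'   # 1 day
        MaxPasswordAge              = '60.00:00:00'  # 60 days
        LockoutThreshold            = 5
        LockoutObservationWindow    = '00:30:00'
        LockoutDuration             = '00:30:00'
    }
    New-ADFineGrainedPasswordPolicy @settings
}

# A PSO takes effect only on users and global security groups; refuse
# anything else instead of linking a policy that will never apply.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName is $($group.GroupScope)/$($group.GroupCategory); a PSO needs a global security group."
}

# Link the PSO to the group unless it is already linked.
$linked = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    ForEach-Object { $_.DistinguishedName }
if ($linked -notcontains $group.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# Verify the outcome: no result here means the user still falls back to the
# single domain-wide policy.
$effective = Get-ADUserResultantPasswordPolicy -Identity $checkUser
if ($effective) {
    $effective | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
} else {
    Write-Warning "$checkUser gets the default domain policy:"
    Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, LockoutThreshold
}
```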

About Hidden Microsoft

With more than ten years of experience in IT, Tyson Kopczynski has become a specialist in Active Directory, Information Assurance, Windows automation, PKI, and IT security practices. Tyson is also the founding author of the Windows PowerShell Unleashed series and has been a contributing author for such books as Microsoft Internet Security and Acceleration (ISA) Server 2006 Unleashed and Microsoft Windows Server 2008 Unleashed. He has also written many detailed technical papers and guides covering various technologies. As a consultant at Convergent Computing, Tyson has worked with and provided feedback on next-generation Microsoft technologies since their inception and has also played a key role in expanding the automation and security practices at CCO. Tyson also holds such certifications as the Certified Information Systems Security Professional (CISSP), the SANS Security Essentials Certification (GSEC) and SANS Certified Incident Handler (GCIH), and the MCTS (Application Platform, Active Directory, and Network Infrastructure).


Certifications:

  • Certified Information Systems Security Professional (CISSP)
  • SANS Security Essentials Certification (GSEC)
  • SANS Certified Incident Handler (GCIH)
  • MCTS (Application Platform, Active Directory, and Network Infrastructure)
  • Microsoft Certified Systems Engineer (MCSE) Security
  • CompTIA Security+

Other Stuff:

  • Blogger NetworkWorld.com from June 2007
  • GIAC Advisory Board from 2009
  • SANS GSEC Local Mentor (a long time ago)
  • CompTIA Security+ SME (a long time ago)
  • Judge, Imagine Cup 2005 Int'l IT Competition
  • Judge, Imagine Cup 2007 Int'l IT Competition