From the Windows Server 2008 AD schema onwards there is a very useful feature called fine-grained password policies. They can be a bit arduous to set up; the easiest way I’ve found is to create an ldifde answer file and import it with that tool. In this example I’m creating a password policy called ServiceAccounts and applying it to the group called ServiceAccounts.
dn: CN=ServiceAccounts, CN=Password Settings Container,CN=System,DC=robsdesk,DC=com
Execute this command:
Ldifde -i -f pso.ldf
This will create a policy with the following attributes:
- Maximum password age of 2 days
- Minimum password age of 1 day
- Minimum password length of 8 characters
- Password history
- Require complexity
- Store with reversible encryption
- 30-minute lockout observation window
- 30-minute lockout duration
- Lockout after 5 failures
- Precedence of 20: as with MX records, the lowest ‘cost’ wins.
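As an added example that is not part of the original post, this Python script generates the complete pso.ldf answer file for the policy listed above, including the negative 100-nanosecond encoding AD expects for the age and lockout values. The group’s DN and the password-history depth are not given in the post and are assumed here.

```python
# Added example, not code from the original post: generate the pso.ldf answer
# file that "ldifde -i -f pso.ldf" imports. msDS-* names are the real PSO attributes.
from datetime import timedelta

HUNDRED_NS_PER_SECOND = 10_000_000  # AD stores these durations in 100-ns ticks


def ad_duration(delta):
    """Encode a positive timedelta as the negative 100-ns count a PSO expects."""
    if delta <= timedelta(0):
        raise ValueError("PSO durations must be positive")
    return -int(delta.total_seconds()) * HUNDRED_NS_PER_SECOND


def build_pso_ldif(name, domain_dn, applies_to_dn, precedence, max_age, min_age,
                   min_length, history_length, complexity, lockout_threshold,
                   lockout_window, lockout_duration, reversible=False):
    """Return LDIF text creating one PSO and linking it to a user or global group."""
    if min_age >= max_age:
        raise ValueError("minimum password age must be shorter than maximum")
    if lockout_duration < lockout_window:
        raise ValueError("lockout duration must be at least the observation window")
    tf = {True: "TRUE", False: "FALSE"}  # LDIF boolean syntax
    return "\n".join([
        f"dn: CN={name},CN=Password Settings Container,CN=System,{domain_dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-PasswordSettingsPrecedence: {precedence}",
        f"msDS-PasswordReversibleEncryptionEnabled: {tf[bool(reversible)]}",
        f"msDS-PasswordHistoryLength: {history_length}",
        f"msDS-PasswordComplexityEnabled: {tf[bool(complexity)]}",
        f"msDS-MinimumPasswordLength: {min_length}",
        f"msDS-MinimumPasswordAge: {ad_duration(min_age)}",
        f"msDS-MaximumPasswordAge: {ad_duration(max_age)}",
        f"msDS-LockoutThreshold: {lockout_threshold}",
        f"msDS-LockoutObservationWindow: {ad_duration(lockout_window)}",
        f"msDS-LockoutDuration: {ad_duration(lockout_duration)}",
        f"msDS-PSOAppliesTo: {applies_to_dn}",
    ]) + "\n"


def service_accounts_pso():
    """The policy from the post. Group DN and history depth are assumed values."""
    return build_pso_ldif(
        name="ServiceAccounts", domain_dn="DC=robsdesk,DC=com",
        applies_to_dn="CN=ServiceAccounts,CN=Users,DC=robsdesk,DC=com",  # assumed
        precedence=20, max_age=timedelta(days=2), min_age=timedelta(days=1),
        min_length=8, history_length=24,  # history depth is not given in the post
        complexity=True, lockout_threshold=5,
        lockout_window=timedelta(minutes=30), lockout_duration=timedelta(minutes=30),
        reversible=False)  # reversible storage is recoverable cleartext; keep it off

if __name__ == "__main__":  # write the answer file that ldifde -i -f pso.ldf reads
    open("pso.ldf", "w", newline="\r\n").write(service_accounts_pso())
```

The msDS-PSOAppliesTo target must be a user object or a global security group; PSOs cannot be linked to OUs.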
Make the accounts you want the policy to apply to members of the group. You can edit the policy’s settings with ADSI Edit by navigating to the Password Settings Container within the System container.
More detail can be found here: http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx