The Password Settings Objects (PSO) which introduced in Windows Server 2008, applying password policy for AD DS Fine-Grained Password and Account Lockout in Windows Server. When you configure the password policy from Group policy for an Organizational Unit (OU), you can not apply the settings for other AD objects. So with password settings objects you can do the task easily. I’m going to apply Password Settings Objects for domain admin account in Windows Server 2012 R2.
Applying Password Settings Objects
In Windows Server 2012 R2 the PSO is applying through Active Directory Administrative Center.
1. So go the Windows Server manager and open the Active directory administrative center or type “DSAC” in the Run.
2. Select doamin (Technig.local) then double click the System to open it. Then click the Password Settings Container to open it. See the above screenshot.
3. Right click them main page of password settings container and click New then click Password Settings.
4. Configure the Password Settings what ever you want. Try to set the required options. If you are not familiar with password settings policy, do the following.
Tick the check boxes of:
- Enforce minimum password length and enter the minimum password length =10.
- Enforce password history =28. It is the number of password remembered by system that you can’t choose the password before 28th times.
- Password must meet complexity requirements. The password must contain numbers, alphabets, symbols and etc.
- Protect from accidental deletion. The PSO will not delete accidentally.
- Enforce minimum password age and Enforce maximum password age. Bot shows the duration of password changes.
- Enforce account lockout policy. This will protect your account from unauthorized access or protect form brute-force-attack.
When all task accomplished successfully, click OK to save the new Password Settings Objects.
5. Open the newly created password settings objects and click Directly Applies to, then add the groups you want to set and apply this PSO for them.
6. Close all pages and now try to test the PSO by changing the group members password or login attempts.
That’s all, and any questions?