One of several significant advancements introduced in the Windows Server 2008 domain functional level is the ability to configure multiple password policies targeting arbitrarily selected Active Directory users or global groups. While this new functionality, referred to as Fine-Grained Password Policies, brings long-awaited flexibility to the rigid security structure that used to influence the design of the forest hierarchy (forcing the creation of additional domains whenever non-uniform rules governing password history, age, length, complexity or lockout behavior were required), its benefits remain somewhat limited. In particular, due to the functional-level dependency, its implementation requires that all domain controllers run Windows Server 2008. In addition, because Fine-Grained Password Policies lacks a friendly graphical interface, administrators must resort to the fairly cumbersome ADSIEdit console whenever a custom policy definition or configuration is needed.
Furthermore, the scope of these policies is determined by global group membership, rather than by the location of a target user within a designated Organizational Unit, which further complicates their management.
If these shortcomings are not acceptable to you or if you are looking for more advanced password-related capabilities, you might want to consider taking advantage of third-party offerings, which go beyond the limited set of features built into the operating system.
Special Operations Software specializes in products targeting Windows environments, with the intention of filling functionality and manageability gaps in the original feature sets designed by Microsoft. In general, its portfolio can be grouped into several broader categories, such as system management, compliance or security, based on the type of need the products address, with a certain degree of overlap between them.
Since the resulting restrictions become part of the User Configuration node of a Group Policy Object, they function in the same manner as other group policy settings. For this reason, they can be linked to individual Organizational Units and limited, if desired, through security filtering to specific domain users or groups only. Note, however, that resulting passwords must comply not only with the custom restrictions imposed by Specops password definitions but also with the domain-wide, built-in password policy imposed via the domain-level GPO. In addition, if you decide to install the optional Active Directory Users and Computers extension, you will be able to determine the password policies affecting individual user accounts (via the Specops Password Policy... entry in the context-sensitive menu of their objects displayed in the management console) from the administrative systems where Specops Password Policy Admin is present.
For detailed information, visit: http://www.enterpriseitplanet.com/security/features/article.php/11321_3812801_1