To store fine-grained password policies, Windows Server 2008 includes the following new object classes in the Active Directory Domain Services schema:
- Password Settings Container
- Password Settings
By default, Password Settings Container is created under the System container in the domain. Password Settings Container stores the PSOs for the domain. There are 10 attributes the PSO must have. Of these 10 attributes, the following 4 attributes are related to time:
- msDS-MaximumPasswordAge
- msDS-MinimumPasswordAge
- msDS-LockoutObservationWindow
- msDS-LockoutDuration
These time attributes are of the "I8" data type. The time attributes store time as negative values in intervals of 100 nanoseconds. The Windows Server 2003 default domain policy uses the same time unit for its corresponding time-related attributes.
To obtain appropriate I8 values for the time attributes, convert time values in minutes, hours, or days to time values in intervals of 100 nanoseconds. Then, use a negative sign before the resultant values.
You can use the following conversion guide table to obtain the corresponding I8 values.
Time unit | Multiplication factor |
---|---|
m minutes | -60*(10^7) = -600000000 |
h hours | -60*60*(10^7) = -36000000000 |
d days | -24*60*60*(10^7) = -864000000000 |
The following are examples of how to obtain appropriate I8 values for the time attributes:
- To obtain the msDS-MaximumPasswordAge time attribute I8 value for 2 days, multiply 2 by -864000000000. For example, use the following equation:
2*(-864000000000) = -1728000000000
- To obtain the msDS-MinimumPasswordAge time attribute I8 value for 1 day, multiply 1 by -864000000000. For example, use the following equation:
1*(-864000000000) = -864000000000
- To obtain the msDS-LockoutObservationWindow time attribute I8 value for 30 minutes, multiply 30 by -600000000. For example, use the following equation:
30*(-600000000) = -18000000000
- To obtain the msDS-LockoutDuration time attribute I8 value for 30 minutes, multiply 30 by -600000000. For example, use the following equation:
30*(-600000000) = -18000000000
You can use Active Directory Service Interfaces (ADSI) Editor, the Ldp tool, or the Ldifde tool to set appropriate I8 values for the time attributes.
To set appropriate I8 values for the time attributes by using the Ldifde tool, follow these steps:
- Define the settings of a new PSO. For example, save the following code as a Pso.ldf file.
dn: CN=PSO1, CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
changetype: add
objectClass: msDS-PasswordSettings
msDS-MaximumPasswordAge:-1728000000000
msDS-MinimumPasswordAge:-864000000000
msDS-MinimumPasswordLength:8
msDS-PasswordHistoryLength:24
msDS-PasswordComplexityEnabled:TRUE
msDS-PasswordReversibleEncryptionEnabled:FALSE
msDS-LockoutObservationWindow:-18000000000
msDS-LockoutDuration:-18000000000
msDS-LockoutThreshold:0
msDS-PasswordSettingsPrecedence:20
msDS-PSOAppliesTo:CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com
Note Use appropriate I8 values for the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration).
- Click Start, click Run, type cmd, and then press ENTER.
- At the command prompt, type the following command, and then press ENTER:
ldifde -i -f Pso.ldf
- At the command prompt, type exit, and then press ENTER to close the Command Prompt window.
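The conversion rules and a pre-import check of the Pso.ldf time attributes, as an added example (not Microsoft's code). The names `to_i8`, `from_i8` and `audit_ldif` are illustrative, and the under-one-minute warning is a heuristic assumed here, not an Active Directory rule.

```python
from datetime import timedelta

# Added example, not Microsoft's code; function names are illustrative.
TICKS_PER_MINUTE = 60 * 10**7  # I8 unit is 100 ns, so 10^7 ticks per second
TIME_ATTRS = {
    "msds-maximumpasswordage", "msds-minimumpasswordage",
    "msds-lockoutobservationwindow", "msds-lockoutduration",
}


def to_i8(duration: timedelta) -> int:
    """Negative count of 100-ns intervals for a non-negative duration."""
    if duration < timedelta(0):
        raise ValueError("pass a positive duration; the sign is applied here")
    # Integer arithmetic only: floats lose precision at these magnitudes.
    micros = (duration.days * 86400 + duration.seconds) * 10**6 + duration.microseconds
    return -micros * 10


def from_i8(value: int) -> timedelta:
    """Decode a stored I8 value so a reviewer can read it as a duration."""
    if value > 0:
        raise ValueError("I8 time values are stored as negative numbers")
    return timedelta(microseconds=-value // 10)


def audit_ldif(text: str) -> list:
    """Return findings for the four time attributes in an LDIF record."""
    findings = []
    for line in text.splitlines():
        name, sep, raw = line.partition(":")
        if not sep or name.strip().lower() not in TIME_ATTRS:
            continue
        try:
            value = int(raw.strip())
        except ValueError:
            findings.append(f"{name}: not an integer ({raw.strip()!r})")
            continue
        if value > 0:
            findings.append(f"{name}: positive value, negative sign missing")
        elif 0 < -value < TICKS_PER_MINUTE:
            # Heuristic (assumption): under one minute suggests an unconverted unit.
            findings.append(f"{name}: {value} is under one minute, unit not converted?")
    return findings


# Constructed sample showing three typical mistakes; not taken from a real policy.
BAD_SAMPLE = "msDS-MaximumPasswordAge:2\nmsDS-LockoutDuration:-30\nmsDS-MinimumPasswordAge:1d\n"
if __name__ == "__main__":
    print("\n".join(audit_ldif(BAD_SAMPLE)))
```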
For more information about how to use ADSI Editor to set appropriate I8 values for the time attributes, visit the following Microsoft Web site: