Archive for the 'AD DS' Category
Active Directory Domain Services
Posted by John Policelli on 4th August 2010
Microsoft recently released an update for the Active Directory Domain Services Best Practices Analyzer (AD DS BPA) in Windows Server 2008 R2. This update adds the following 8 new rules to the AD DS BPA:
Tags: Active Directory, Active Directory Best Practice Analyzer, Best Practice Analyzer, BPA, Windows Server 2008 R2
Posted in AD DS | No Comments »
Posted by John Policelli on 4th August 2010
I came across a post on the Ask the Directory Services Team Blog, which provides some great links on additional reading for Active Directory. The post can be read here, and it has several useful links which are worth a read.
Tags: Active Directory
Posted in AD DS | No Comments »
Posted by John Policelli on 6th July 2010
Windows Server 2008 and Windows Server 2008 R2 include improvements to bridgehead server selection, which are not very well known. In fact, Microsoft only recently published an article on TechNet to explain the improvements to bridgehead server selection in Windows Server 2008 R2. What follows is an in-depth look at these improvements.
Tags: Active Directory, Bridgehead Server, Windows Server 2008, Windows Server 2008 R2
Posted in AD DS | No Comments »
Posted by John Policelli on 27th June 2010
As I mentioned in a previous post, Microsoft recently released ADMT 3.2, which fully supports Windows Server 2008 R2. The ADMT Migration Guide was also recently updated to include ADMT 3.1 and ADMT 3.2. The ADMT Migration Guide can be downloaded here and read online here.
Tags: Active Directory, Active Directory Migrations, ADMT, Windows Server 2008 R2
Posted in AD DS | No Comments »
Posted by John Policelli on 20th June 2010
Virtualization is no longer simply a hot topic, but rather it has become vital in most enterprises today. The virtualization of domain controllers is no exception. I’ve personally had several clients express an interest in virtualizing their production domain controllers, and have first-hand experience in doing so.
Tags: Active Directory, Virtualization
Posted in AD DS | No Comments »
Posted by John Policelli on 19th June 2010
Microsoft released the Active Directory Migration Tool (ADMT) 3.2, which fully supports Windows Server 2008 R2. A little late in my opinion, especially since Windows Server 2008 R2 went RTM almost one year ago, but nonetheless it is available now.
Tags: Active Directory, Active Directory Migrations, ADMT, Windows Server 2008 R2
Posted in AD DS | No Comments »
Posted by John Policelli on 2nd June 2010
If you’ve had to get technical information on the Windows Time Service, you probably found yourself digging through several KB articles, which contained conflicting information. Microsoft recently centralized this information into the Windows Time Service Technical Reference, and updated it to include Windows Server 2008 R2 and Windows 7.
The Windows Time Service Technical Reference can be found here: Windows Time Service Technical Reference.
Tags: Active Directory, Windows Time Service
Posted in AD DS | No Comments »
Posted by John Policelli on 2nd June 2010
I came across a good blog post which talks about the next generation of AD performance analysis. More specifically, the author covers configuration and management of Active Directory Diagnostics Data Collector Sets. Data Collector Sets are the next generation of a utility called Server Performance Advisor (SPA).
The post can be found here.
Tags: Active Directory, AD Performance
Posted in AD DS | No Comments »
Posted by John Policelli on 1st May 2010
During one of Dean Wells’ TEC 2010 presentations, I learned that MS will be releasing updates for the Best Practices Analyzer. This is a great thing.
Dean mentioned that we should see updates every 6 months or so.
At present, there are 7 updates available for BPA…none yet for AD DS though. These updates can be found here.
More information on the Best Practices Analyzer in Windows Server 2008 R2 can be found here.
Tags: Active Directory, Active Directory Best Practice Analyzer, Best Practice Analyzer, BPA, Windows Server 2008 R2
Posted in AD DS | No Comments »
Posted by John Policelli on 9th March 2010
DCDiag.exe is an extremely useful built-in troubleshooting tool. I stumbled across a KB from Microsoft that explains that in certain environments, and under certain conditions, DCDiag.exe may take an excessive amount of time to run on computers with Windows Server 2008 R2 or Windows 7 installed. The good news is that MS has released an updated version of DCDiag.exe which fixes this issue. The KB and download can be found here: http://support.microsoft.com/?kbid=979294.
Tags: Active Directory, DCDiag
Posted in AD DS | No Comments »
Posted by John Policelli on 9th March 2010
Microsoft has acknowledged an issue with the Active Directory garbage collection process, which may cause a domain controller to run slow or stop responding.
Tags: Active Directory, Hotfix, KB
Posted in AD DS | No Comments »
Posted by John Policelli on 16th December 2009
Microsoft recently published an article that addresses a hot topic – whether or not you should place several RODCs in the same Active Directory site. In my opinion, this article does a good job of giving you the information you’ll need to determine RODC placement. The article can be read here: http://technet.microsoft.com/en-us/library/ee522995(WS.10).aspx
Tags: Active Directory, RODCs
Posted in AD DS | No Comments »
Posted by John Policelli on 6th November 2009
NOTE: I revised this article to fix some mistakes and to include new content from Windows Server 2008 R2.
Active Directory has built-in processes that exist to secure users that are members of privileged groups. These processes have been around for quite some time, but Active Directory administrators still get stumped by them regularly. What follows is an updated look at AdminSDHolder, Protected Groups, and SDPROP. Windows Server 2008 R2 specific content has been added.
This article will provide you with the following information:
- Overview
- How AdminSDHolder Works
- Default ACL on the AdminSDHolder Object in Windows Server 2008 R2
- Default Protected Groups and Users
- Modifying How Often the AdminSDHolder Background Process Runs
- How to Determine if a User or Group is Protected by AdminSDHolder
- Orphaned AdminSDHolder Objects
- Security Descriptor Propagator
- How to Force AdminSDHolder to Run
- Additional Resources
Tags: Access Control List, ACLs, Active Directory, Default ACL, Default Permissions, Privileged Accounts, Privileged Groups, Securing Active Directory, security principals
Posted in AD DS | 3 Comments »
Posted by John Policelli on 5th November 2009
Microsoft has made Group Policy cmdlets for Windows PowerShell available. These cmdlets, roughly 25 in total, can be used to:
- Maintain GPOs (create, remove, backup, reporting, and import)
- Associate GPOs with AD DS containers (link, update, and remove)
- Set inheritance and permissions on AD DS OUs and domains
- Configure registry-based settings and Group Policy Preferences Registry settings
Tags: Active Directory, Group Policy, PowerShell, Windows Server 2008 R2
Posted in AD DS | 1 Comment »
Posted by John Policelli on 27th October 2009
There’s no doubt that virtualization is hot these days. The following articles, posted on the Dirteam.com Blog, will answer virtually all (no pun intended) questions that you have when it comes to Active Directory in Hyper-V environments.
Tags: Active Directory, Hyper-V
Posted in AD DS | No Comments »
Posted by John Policelli on 27th October 2009
Update June 19, 2010: Microsoft has released ADMT 3.2, which fully supports Windows Server 2008 R2. Please see the following post for more details: http://policelli.com/blog/?p=550.
As you may have heard, Microsoft is working on ADMT 3.2, which will be fully supported for Windows Server 2008 R2. However, ADMT 3.2 is still under development and there is no official release date as of yet.
In the interim, a KB has been released that discusses the use of ADMT 3.1 on Windows Server 2008 R2 DCs. The KB points out the following supported scenarios for ADMT 3.1 on Windows Server 2008 R2 DCs:
- ADMT 3.1 must be run from a Windows Server 2008-based computer. The computer must be a member server or a domain controller.
- ADMT can be installed on any computer that is running Windows Server 2008, unless the computers are Read-Only domain controllers or in a Server Core configuration.
- The target domain must be based on Windows 2000 Server, Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.
- The source domain must be based on Windows 2000 Server, Windows Server 2003, or Windows Server 2008.
- The ADMT agent, which is installed by ADMT on computers in the source domains, can operate on computers that are running Windows 2000 Professional, Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, or Windows Server 2008 R2.
Before you go ahead and use ADMT 3.1 with Windows Server 2008 R2 DCs, you should be aware of the known issues, which can be read by going to http://support.microsoft.com/kb/976659.
Tags: Active Directory, ADMT, Windows Server 2008 R2
Posted in AD DS | 1 Comment »
Posted by John Policelli on 30th August 2009
I came across a great post on the Ask the Directory Services Team blog, which covers the new AD Recycling Bin (ADRB) feature that is included with Windows Server 2008 R2. The post covers the following points and is a must read for anyone wanting to learn more about this new feature:
- Understanding how ADRB works under the covers.
- What the requirements are and how to turn ADRB on.
- Using ADRB, along with some best practices.
- Troubleshooting common issues people run into with ADRB.
The post can be read by going to http://blogs.technet.com/askds/archive/2009/08/27/the-ad-recycle-bin-understanding-implementing-best-practices-and-troubleshooting.aspx
Tags: Active Directory, Recovery, Windows Server 2008 R2
Posted in AD DS | No Comments »
Posted by John Policelli on 20th August 2009
Kurt Hudson, from the MS Active Directory Documentation Team, reminded us recently about a great article that describes how to use the Repadmin.exe tool to monitor, diagnose, and troubleshoot common replication problems in your Active Directory environment. All the information in the document applies to computers running the Windows 2000 Server and Windows Server 2003 operating systems.
The document includes the following topics:
Tags: Active Directory, DS Command-Line Tools, Repadmin
Posted in AD DS | 1 Comment »
Posted by John Policelli on 13th August 2009
Back in May of 2008, I posted an entry on my blog regarding the built-in automated metadata cleanup in Windows Server 2008. Microsoft added similar content to its Windows Server 2008 TechNet library.
Here are some links:
Tags: Active Directory, Metadata Cleanup, Recovery
Posted in AD DS | No Comments »
Posted by John Policelli on 13th August 2009
I recently prepared an existing Windows Server 2003 forest for Windows Server 2008 and started to see an error reported in DCDiag. When I did some research on the error I was seeing in DCDiag, I found that it was a known issue that I could ignore.
Tags: Active Directory, ADPrep, RODCs, Windows Server 2008
Posted in AD DS | No Comments »
Posted by John Policelli on 30th July 2009
You’ve probably heard that Windows Server 2008 R2 was released to manufacturing (RTM) on July 22nd. One of the major changes in Windows Server 2008 R2 is that it is the first Windows operating system to be offered only for 64-bit processors. So what if you need to prepare an existing Active Directory Domain Services forest/domain for Windows Server 2008 R2, and your existing servers run 32-bit versions of Windows Server? You may think that you’re SOL, but Microsoft planned ahead on this one.
Tags: Active Directory, ADPrep, ADPrep32, Windows Server 2008 R2
Posted in AD DS | 1 Comment »
Posted by John Policelli on 14th July 2009
Windows Server 2008 R2 includes a new server role, called Active Directory Web Services (ADWS), which is a prerequisite to use the Active Directory Module for Windows PowerShell and the Active Directory Administrative Center. Until recently, you were unable to use the Active Directory Module for Windows PowerShell and the Active Directory Administrative Center unless you were managing a Windows Server 2008 R2 machine. However, Microsoft released the Active Directory Management Gateway Service (ADMGS) in early June to extend this functionality to Windows Server 2008 SP1 (and later versions) and Windows Server 2003 SP2 (and later versions).
Tags: Active Directory, AD LDS, ADMGS, ADWS
Posted in AD DS, AD LDS | 1 Comment »
Posted by John Policelli on 14th July 2009
The Essential Business Server (EBS) team released the Microsoft IT Environment Health Scanner earlier this month. Active Directory health is one of those things that you cannot ignore. Let’s face it, Active Directory is the glue that ties virtually all Microsoft, as well as a significant number of third-party, products and technologies together. Having a good handle on your Active Directory health is a necessity.
Tags: Active Directory, Microsoft Downloads, Tools
Posted in AD DS | No Comments »
Posted by John Policelli on 17th June 2009
In case you haven’t heard, Microsoft released security bulletin MS09-018 to address vulnerabilities in Active Directory and Active Directory Application Mode (ADAM). It is important to note that this vulnerability DOES NOT apply to Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) in Windows Server 2008.
Tags: Active Directory, AD LDS, ADAM, Security Risk
Posted in AD DS | No Comments »
Posted by John Policelli on 12th May 2009
Windows Server 2008 R2 includes an Active Directory Module for Windows PowerShell. This new feature enables you to perform Active Directory administrative tasks by using PowerShell.
The following is a first look at the Active Directory Module for Windows PowerShell that is included with the Windows Server 2008 R2 Release Candidate.
Tags: Active Directory, Beta Release, Windows Server 2008 R2, Windows Server 2008 R2 RC
Posted in AD DS | No Comments »
Posted by John Policelli on 8th May 2009
In Windows Server 2008 R2, you can now roll back (lower) the domain functional level (DFL) and forest functional level (FFL). There are a couple of conditions and limitations to this new functionality, which I discuss below.
Tags: Active Directory, Functional Levels, Windows Server 2008 R2, Windows Server 2008 R2 RC
Posted in AD DS | 1 Comment »
Posted by John Policelli on 1st May 2009
The Active Directory Documentation Team has pointed out what “I” consider as a vulnerability with the built-in Active Directory Account Operators group, which applies to Domain Controllers. Under certain conditions, which are very common, the Account Operators group retains the Full Control permission on the computer object for a domain controller. As you could imagine, this is not desired in almost every case.
Tags: Account Operators, Active Directory, Security Risk
Posted in AD DS | No Comments »
Posted by John Policelli on 28th April 2009
Microsoft has expanded their Windows Server 2008 Active Directory Domain Services (AD DS) Planning and Architecture collection to include AD DS in the perimeter network. More specifically, the new guide covers the following:
- Determining whether AD DS is appropriate for your perimeter network
- The various models for deploying AD DS in perimeter networks
- Planning and deploying read-only domain controllers (RODCs) in perimeter networks
The guide can be downloaded by going to http://technet.microsoft.com/en-us/library/dd728034.aspx.
Tags: Active Directory, DMZs, Perimeter Network, RODCs, Windows Server 2008
Posted in AD DS | No Comments »
Posted by John Policelli on 20th April 2009
Have you ever been in a situation where you needed the Ldap-Display-Name of an Active Directory attribute or class, but all you had was the CN? I have found myself in this scenario many times. Virtually every time, I had to use multiple sources to determine the Ldap-Display-Name of the attribute or class, which was inefficient to say the least. I finally got fed up and developed a reusable process so that I can streamline the resolution of CN to Ldap-Display-Name for Active Directory attributes and classes.
Tags: Active Directory, Schema, Scripting
Posted in AD DS | No Comments »
Posted by John Policelli on 17th April 2009
I ran across a post on the Ask the Directory Services Team blog which is an important read for anyone who manages Active Directory.
The MS Directory Services team has found that Conficker infected computers are throwing bad password attempts, as many as 10,000 per minute from multiple clients, which in turn causes LSASS to consume a lot of CPU time on DCs.
The full post can be read by going to http://blogs.technet.com/askds/archive/2009/04/16/conficker-causes-lsass-to-consume-cpu-time-on-domain-controllers.aspx.
Tags: Conficker, Securing Active Directory
Posted in AD DS | No Comments »
Posted by John Policelli on 25th March 2009
The Directory Services Restore Mode (DSRM) account is used to log on to a domain controller in Directory Services Restore Mode to perform maintenance and recovery tasks. This account is often forgotten by most AD administrators, which results in a significant security risk. If exploited, this security risk can cause high impact.
I have run Active Directory security assessments for a number of small, medium, and large sized companies over the years. In almost every case, I have identified the DSRM account as a risk, because it was not being secured adequately. I felt compelled to use this post to emphasize the importance of securing the DSRM account.
This is not a post that describes how to change the password on a DSRM account; there are thousands of such articles on the web. This post aims to give you a thorough understanding of the risks associated with not properly securing DSRM accounts, the impact of exploited DSRM accounts, and my recommendations to secure DSRM accounts.
Tags: Active Directory, Securing Active Directory
Posted in AD DS | 3 Comments »
Posted by John Policelli on 24th February 2009
I stumbled across a GUI-based tool which provides the ability to manage fine-grained password and account lockout policies. I couldn’t help but install the tool to take a closer look. I have to admit that this simplistic tool does a much better job than the native tools at managing fine-grained password policies.
The tool is called Specops Password Policy BASIC and is available from Special Operations Software. It can be downloaded here.
For a detailed look at using the native tools for managing fine-grained password policies, see my posts Fine-Grained Password Policies in Windows Server 2008 and Manage Shadow Groups in Windows Server 2008.
Tags: Active Directory, Fine-Grained Password Policies, Windows Server 2008
Posted in AD DS | No Comments »
Posted by John Policelli on 23rd February 2009
Tim Springston, from Microsoft’s Customer Services and Support division (formerly Product Support Services), published a great explanation titled “Gauging Size Differences in AD Databases”. This is a good read for those who have wondered, or have been asked, why the size of the AD database differs between domain controllers.
Tim’s blog entry can be found here.
Tags: Active Directory
Posted in AD DS | No Comments »
Posted by John Policelli on 19th February 2009
Microsoft has released a new feature for Windows Server 2008 that allows you to synchronize the Directory Services Restore Mode (DSRM) password with the password of a domain user account.
Tags: Active Directory, DS Command-Line Tools, DSRM
Posted in AD DS | No Comments »
Posted by John Policelli on 28th January 2009
The Windows Server 2008 R2 Beta includes a new Active Directory data management tool, called the Active Directory Administrative Center (ADAC). ADAC is a replacement of the Active Directory Users and Computers (ADUC) console. You can find more information on ADAC at my A First Look at the Active Directory Administrative Center in the Windows Server 2008 R2 Beta post.
I’ve been using ADAC as I evaluate the Windows Server 2008 R2 Beta, and what follows is a list of user interface enhancements and changes between ADAC and ADUC.
Tags: Active Directory, ADAC, Beta Release, Windows Server 2008 R2
Posted in AD DS | No Comments »
Posted by John Policelli on 23rd January 2009
Windows Server 2008 R2 includes a new Recycling Bin feature for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
The following is a first look at the Active Directory Recycling Bin that is included with the Windows Server 2008 R2 Beta.
NOTE: Updated May 8, 2009 to include information for the RC build of Windows Server 2008 R2.
Tags: Active Directory, Beta Release, Windows Server 2008 R2
Posted in AD DS | 1 Comment »
Posted by John Policelli on 22nd January 2009
Windows Server 2008 R2 includes a Best Practice Analyzer (BPA) for a limited number of server roles, including Active Directory Domain Services.
The following is a first look at the Active Directory Domain Services Best Practice Analyzer (AD DS BPA) that is included with the Windows Server 2008 R2 Beta.
Tags: Active Directory, Active Directory Best Practice Analyzer, AD DS BPA, Best Practice Analyzer, Beta Release, BPA, Windows Server 2008 R2
Posted in AD DS | 1 Comment »
Posted by John Policelli on 22nd January 2009
Microsoft has released a new Active Directory data management tool in Windows Server 2008 R2, which is now called the Active Directory Administrative Center.
What follows is an initial look at the new Active Directory Administrative Center (ADAC).
Tags: Active Directory, Beta Release, Windows Server 2008 R2
Posted in AD DS | 6 Comments »
Posted by John Policelli on 22nd January 2009
The following is a step-by-step guide to installing Active Directory Domain Services in the Windows Server 2008 R2 Beta.
Tags: Active Directory, Beta Release, Windows Server 2008 R2
Posted in AD DS | No Comments »
Posted by John Policelli on 11th January 2009
Microsoft’s Windows Server 2008 R2 Resources site contains a number of useful guides, presentations, and links to newsgroups and forums.
I stumbled across a presentation titled “Windows Server 2008 R2 Active Directory Updates” that gives a good overview on the changes to AD DS in Windows Server 2008 R2.
Tags: Active Directory, Windows Server 2008 R2
Posted in AD DS | No Comments »
Posted by John Policelli on 9th January 2009
I’ve run across a few newsgroup posts lately where people have pointed out they cannot find Replmon.exe on Windows Server 2008. I finally got around to checking for myself and was surprised to see the tool is really gone.
Tags: Active Directory, Resource Kit Tools, Windows Server 2008
Posted in AD DS | No Comments »
Posted by John Policelli on 5th December 2008
Microsoft previously published an article that lists 11 fairly significant known issues for deploying RODCs. The known issues that are listed in the above-mentioned KB article include the following:
- Group Policy fails to access Windows Management Instrumentation (WMI) filters on an RODC.
- Internet Protocol security (IPsec) policies fail to apply from an RODC.
- The Windows Time service (W32time) in Windows XP and Windows Server 2003 does not recognize an RODC.
- Unsecure domain join fails.
- Domain join using RODC in the perimeter network fails.
- Password changes fail in the perimeter network when only an RODC is available.
- The RODC fails to retrieve or create a public key certificate.
- Spooler does not reflect the correct printer publish state.
- The Find Printer user interface (UI) hangs when a computer that runs Windows XP or Windows Server 2003 can contact an RODC but not a writable domain controller.
- Active Directory Service Interfaces (ADSI) in Windows XP and Windows Server 2003 requests a remote writable domain controller instead of a local RODC.
- Domain controllers running Windows Server 2003 perform automatic site coverage for sites with RODCs.
The KB article provides additional details on the scope and impact of each known issue. Additionally, there are workarounds listed for 6 of the 11 known issues.
However, Microsoft does recommend you install the Windows Server 2008 RODC Compatibility Pack for Windows Server 2003 and Windows XP client computers that interact with RODCs. Additional information on this compatibility pack can be found here. It is important to note that Windows XP Service Pack 3 does not include this compatibility pack.
Tags: Active Directory, RODCs, Windows Server 2008, Windows XP
Posted in AD DS | No Comments »
Posted by John Policelli on 20th November 2008
Let me start by stating that this article is NOT intended to be used to break Active Directory or for any malicious reasons. This article is intended to show that the use of built-in security groups, coupled with failing to follow the Principle of Least Privilege, is a HORRIBLE practice and can cause significant impact to your Active Directory environment.
In 2005 I provided a demonstration for a user group that showed that the use of built-in security groups, coupled with failing to follow the Principle of Least Privilege, could cause a domain-wide outage. In recent months, I have seen individuals posting in newsgroups and forums who have mistakenly exposed themselves to this same issue. Even more recently, I received an email from someone who attended my presentation in 2005 informing me that they too were impacted by this issue.
I decided to extract the relevant information from my 2005 demonstration and post it online. Again, my intent is not to show how you can break Active Directory. Rather, I intend to show you that by using built-in groups and failing to follow the Principle of Least Privilege, you can make it very easy for someone to intentionally or unintentionally cause a domain-wide outage. I have updated my original content to include Windows Server 2008, as this risk also applies to Windows Server 2008.
In this article, I demonstrate how someone with membership in the built-in Account Operators group can (intentionally or unintentionally) exploit a system limitation and prevent all users in your domain from logging on. I start by providing some background information before the demonstration. I then provide some additional information on why the risk exists and what you can and cannot do about it. I conclude with some general recommendations and best practices to avoid such outages.
Tags: Account Operators, Active Directory, Securing Active Directory, Security Groups, Windows Server
Posted in AD DS | No Comments »
Posted by John Policelli on 18th November 2008
Having worked in the financial sector for a number of years, I have repeatedly seen the need for time to be synchronized down to the second or millisecond. Financial applications, such as trading applications, rely heavily on high accuracy time. The fact of the matter is that the Windows Time Service was not designed for high accuracy time. Microsoft designed the Windows Time Service to 1) make the Kerberos Version 5 authentication protocol work and 2) provide loose time sync for client computers.
I stumbled across a post from Microsoft’s Directory Services Team that outlines Microsoft’s position on high accuracy time requirements and the Windows Time Service. The post can be found here. This article is a good read if you want to understand what the Windows Time Service was and was not designed to do.
Tags: Active Directory, Financial Applications, Sync Time, Time Service
Posted in AD DS | No Comments »
Posted by John Policelli on 18th November 2008
Microsoft has published an article that lists the improvements in Windows Server 2008 R2. The article can be downloaded here.
There are a few key AD DS improvements that are highlighted. Some of the improvements will apply to all Active Directory server roles in Windows Server 2008, while others will apply to the Active Directory Domain Services server role only.
Here is a list of the improvements in Windows Server 2008 R2:
- New Forest Functional Level
- PowerShell cmdlets
- Improvements to automated monitoring and notification
- Recovery of deleted objects (built-in Recycling Bin feature)
- Offline domain join support
- Managed service accounts
- Active Directory Administrative Center (goodbye ADUC)
Tags: Active Directory, Windows Server 2008 R2
Posted in AD DS | No Comments »
Posted by John Policelli on 11th November 2008
Windows Server 2008 introduces a new feature that allows you to create and view snapshots of data that is stored in AD DS and AD LDS. The Active Directory database mounting tool (Dsamain.exe) was referred to as Snapshot Viewer and Active Directory data mining tool during the beta releases of Windows Server 2008.
Microsoft states that the Active Directory database mounting tool is useful to simplify the forest recovery process and to audit modified and deleted objects. These are two very useful reasons to learn more about the Active Directory mounting tool. What follows is a step-by-step on how to use the Active Directory database mounting tool.
Tags: Active Directory, AD LDS, Database Mounting, Forest Recovery, Snapshot Viewer, Snapshots
Posted in AD DS, AD LDS | 2 Comments »
Posted by John Policelli on 4th November 2008
I ran across a document from Microsoft that lists maximum limits for Active Directory. This document pertains to Windows 2000 Server and Windows Server 2003. There is no reference to Windows Server 2008 in the document. However, the majority of the limits also apply to Windows Server 2008.
Below is a summary of the maximums. The full details, including rationale, can be found here: http://technet.microsoft.com/en-us/library/cc756101.aspx.
Tags: Active Directory
Posted in AD DS | 1 Comment »
Posted by John Policelli on 28th August 2008
Microsoft has included a new feature, the Attribute Editor, in Windows Server 2008 which allows you to view and modify attributes through two of the native Active Directory snap-ins (Active Directory Users and Computers and Active Directory Sites and Services). This is especially valuable when you need to view and/or modify attributes that are not part of the base schema, such as custom attributes. In the Windows 2000 Server and Windows Server 2003 versions of Active Directory, these attributes could only be modified programmatically or by using the ADSI Edit console. However, in Windows Server 2008, you can now modify custom attributes by using the native tools.
Tags: Active Directory, Windows Server 2008
Posted in AD DS | 7 Comments »
Posted by John Policelli on 21st August 2008
The white paper that discusses schema management at Microsoft was recently updated and has been posted on Microsoft’s IT Showcase website. The technical white paper can be found here. The TechNet Webcast can be found here.
Tags: Active Directory, Microsoft IT Showcase, Schema, Schema Management, Whitepaper
Posted in AD DS | No Comments »
Posted by John Policelli on 18th June 2008
Windows Server 2008 introduces a new option designed to protect Active Directory Domain Services (AD DS) objects from accidental deletion. I know of a number of companies that have experienced an impact on business continuity that could have been avoided by using this option. In my experience, the accidental deletions that have created the most impact were Organizational Unit (OU) deletions. This is likely why Microsoft has decided to enable this option by default when OUs are created through the Active Directory Users and Computers (ADUC) console.
Tags: Active Directory, Securing Active Directory, Windows Server 2008
Posted in AD DS | 2 Comments »
Posted by John Policelli on 18th June 2008
Microsoft released the Planning and Deploying Read-Only Domain Controllers guide last week. The guide can be found by going to the following link: http://go.microsoft.com/fwlink/?LinkId=120840. According to Brian Puhl’s post, this is the first chapter in the RODC guide.
Tags: Active Directory, RODC
Posted in AD DS | No Comments »
Posted by John Policelli on 28th May 2008
Working with large enterprise Active Directory environments, I am a frequent user of scripts and command-line tools. I can’t say enough good things about the Microsoft DS tools (Dsadd, Dsget, Dsmod, Dsmove, Dsquery, and Dsrm) along with the infamous AdFind and AdMod tools. I often find myself creating and refining my scripts over and over again, until they work just as I want them to. I also frequently review and refine scripts that others create. I was amazed at how a few tweaks to a specific set of scripts resulted in such a positive impact.
Tags: Active Directory, DS Command-Line Tools, Scripting
Posted in AD DS | No Comments »
Posted by John Policelli on 24th May 2008
Microsoft has added another method of performing Active Directory Domain Services metadata cleanup (the process of removing data that remains in AD DS after an unsuccessful domain controller demotion) in Windows Server 2008. We now have the ability to perform metadata cleanup using the Active Directory Users and Computers console in Windows Server 2008. Moreover, this new functionality significantly reduces the number of steps required to perform this task.
Tags: Active Directory, Metadata Cleanup, Recovery
Posted in AD DS | 1 Comment »
Posted by John Policelli on 15th January 2008
Recommendations regarding the placement of the infrastructure master role have been confusing and contradictory since the introduction of Active Directory in Windows 2000 Server. Most of the confusion stems from ambiguous wording. In some documentation you will read that the infrastructure master can never be placed on a server that hosts the global catalog. In other documentation you will read that the infrastructure master role can be placed on a global catalog server provided that all domain controllers in the domain are global catalog servers.
Tags: Active Directory
Posted in AD DS | 1 Comment »
Posted by John Policelli on 15th January 2008
Not every site necessarily contains a domain controller, which is where automatic site coverage comes into play. For various reasons, it is possible that no domain controller exists for a particular domain at the local site. Through automatic site coverage, each domain controller checks all sites in the forest and then checks the replication cost matrix. A domain controller advertises itself (registers a site-related SRV record in DNS) in any site that does not have a domain controller for that domain and for which its own site has the lowest-cost connections. This process ensures that every site has a domain controller defined by default for every domain in the forest, even if the site does not contain a domain controller for that domain. The domain controllers that are published in DNS are those from the closest site (as defined by the replication topology).
Tags: Active Directory
Posted in AD DS | No Comments »
Posted by John Policelli on 15th January 2008
In Windows Server 2008, fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. A fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply a fine-grained password policy to the users in an OU, you can use a shadow group.
Tags: Active Directory, Fine-Grained Password Policies, Windows Server 2008
Posted in AD DS | 3 Comments »
Posted by John Policelli on 15th January 2008
With the new fine-grained password policies feature in Windows Server 2008, we can finally create multiple password policies and account lockout policies for users in the same domain. The fact that the fine-grained password policies feature in Windows Server 2008 maps password policies to users and/or groups means that we have virtually unlimited flexibility when it comes to password policy and account lockout policy requirements.
Tags: Active Directory, Fine-Grained Password Policies, Windows Server 2008
Posted in AD DS | No Comments »