In Windows Server 2008, fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users in an OU, you can use a shadow group.
The concept of a shadow group has already introduced some confusion. It is important to understand that a shadow group is not a new type of group in AD DS. Also, AD DS does not have any means to handle group membership of a shadow group any differently than a regular AD DS group. Effectively, you must come up with a way to populate the membership of shadow groups. You can do this manually, or you can create a script and schedule it to run on an ongoing basis. For an example of how to create a process to deal with Shadow Groups, see my post Manage Shadow Groups in Windows Server 2008.
NOTE: There are a number of ways you can automate the membership of a shadow group. Below is a simple example of one.
In this example, I am demonstrating how to leverage the built-in tools in Windows Server 2008 to manage shadow groups. These built-in tools are the DS tools (dsadd.exe, dsget.exe, dsmod.exe, dsmove.exe, dsquery.exe, dsrm.exe) that ship with the operating system. The domain used in this example has a DNS name of woodgrovebank.com and a NetBIOS name of woodgrovebank. I need to apply a fine-grained password policy to all users in an OU named Sales.
Prepare the AD DS environment
To demonstrate this method, we will start by preparing the AD DS environment. Preparing the AD DS environment includes:
- Creating an OU named Sales
- Creating 5 test users in the Sales OU
- Creating a global group also named Sales
Log on to a Windows Server 2008 domain controller with an account that has membership in the Domain Admins group or equivalent permissions.
- Go to Start, Administrative Tools, and select Active Directory Users and Computers
- In the Active Directory Users and Computers console, right-click on the domain, select New, and then select Organizational Unit
- On the New Object - Organizational Unit window, enter Sales into the Name field, and then click OK
- Right-click on the Users container in the console tree of the Active Directory Users and Computers console, select New, and then select Group
- On the New Object - Group window, enter Sales into the Group name field, and then click OK
- Create 5 users in the Sales OU, with the following logon names: SALESUSER1, SALESUSER2, SALESUSER3, SALESUSER4, and SALESUSER5.
Gather relevant AD DS information
Once we have prepared the environment, we will gather the necessary information that will be used for automating the membership in a shadow group. The steps in this section simply illustrate how to use dsquery.exe to retrieve the distinguished name (DN) of the shadow group and the OU we need to shadow.
- In a Command Prompt window, type dsquery group -name Sales and hit Enter.
This will return the DN of the shadow group we created above, which will be used later to automate the membership of this shadow group. The DN of the group we created earlier is "CN=Sales,CN=Users,DC=woodgrovebank,DC=com"
- In the Command Prompt window, type dsquery ou -name Sales and hit Enter.
This will return the DN of the OU we created above, which will be used later to automate the membership of this shadow group. The DN of the OU we created earlier is "OU=Sales,DC=woodgrovebank,DC=com"
Automate the management of a shadow group
Now that the AD DS environment is prepared, and we know the DN of the shadow group and the DN of the OU, we can automate the management of the shadow group. But first, verify the Sales group does not contain any members.
- In the Command Prompt window, type dsquery group -name Sales | dsget group -members and hit Enter
- In the Command Prompt window, type dsquery user ou=Sales,dc=woodgrovebank,dc=com | dsmod group "CN=Sales,CN=Users,DC=woodgrovebank,DC=com" -chmbr and hit Enter.
If this command is successful, you will see dsmod succeeded: CN=Sales,CN=Users,DC=woodgrovebank,DC=com returned in the Command Prompt window.
In the above command, we are:
- Using dsquery user to query for all users in the Sales OU (dsquery user ou=Sales,dc=woodgrovebank,dc=com)
- Piping the results to the dsmod group command (|)
- Replacing the membership of the Sales group with all users in the Sales OU (dsmod group "CN=Sales,CN=Users,DC=woodgrovebank,DC=com" -chmbr)
Note that -chmbr replaces the entire membership of the group, so any member that was added by hand and does not live in the Sales OU is removed the next time the command runs. Once you have successfully run the above command, you can create a scheduled task to execute this same command on a frequency that meets your requirements.
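The following batch file is an added example, not part of the original post, that wraps the one-liner above so it can be run from a scheduled task on a domain controller: it uses the two DNs found with dsquery earlier, adds -limit 0 so dsquery returns more than its default of 100 objects, logs the result, and checks that the group's member count matches the OU's user count afterwards. The log path, script path and the service account name woodgrovebank\svc-shadowsync are assumptions; the account only needs the delegated right to write the member attribute of the Sales group.

```batch
@echo off
rem sync-sales-shadowgroup.cmd (added example; DNs taken from the post, change them for your domain)
setlocal
set "OU_DN=OU=Sales,DC=woodgrovebank,DC=com"
set "GROUP_DN=CN=Sales,CN=Users,DC=woodgrovebank,DC=com"
set "LOG=%SystemRoot%\Temp\shadowgroup-sales.log"

rem -limit 0 lifts dsquery's default cap of 100 results. Without it an OU with more
rem than 100 users is silently truncated and -chmbr would drop the remaining users.
dsquery user "%OU_DN%" -limit 0 | dsmod group "%GROUP_DN%" -chmbr >> "%LOG%" 2>&1
if errorlevel 1 (
    echo %date% %time% ERROR: dsmod group -chmbr failed, see the lines above >> "%LOG%"
    exit /b 1
)

rem Sanity check: every user DN in the OU should now be a member DN of the group.
rem Both tools print one quoted DN per line, so counting lines containing "CN=" works.
for /f %%c in ('dsquery user "%OU_DN%" -limit 0 ^| find /c "CN="') do set "OU_COUNT=%%c"
for /f %%c in ('dsget group "%GROUP_DN%" -members ^| find /c "CN="') do set "GRP_COUNT=%%c"
if not "%OU_COUNT%"=="%GRP_COUNT%" (
    echo %date% %time% WARNING: OU has %OU_COUNT% users but group has %GRP_COUNT% members >> "%LOG%"
    exit /b 2
)
echo %date% %time% OK: %GRP_COUNT% members synchronized >> "%LOG%"
endlocal
exit /b 0

rem One-time registration from an elevated prompt (assumed script path and account name).
rem /rp * prompts for the password instead of leaving it on the command line:
rem schtasks /create /tn "Sync Sales shadow group" /tr "C:\Scripts\sync-sales-shadowgroup.cmd" /sc hourly /ru woodgrovebank\svc-shadowsync /rp *
```

A non-zero exit code from the task is what to alert on: exit 1 means dsmod rejected the change, exit 2 means the group and OU disagree after the run and the log line shows both counts.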
Alan says:
Thanks. Was trying to think of a way to do this easily…
Adam Stone says:
Here’s a couple of ways to do this in PowerShell V2…
quick script
http://adadmin.blogspot.com/2009/12/manage-shadow-group-membership-with.html
Powershell Function
http://adadmin.blogspot.com/2009/12/manage-shadow-group-membership.html
regards
Adam