In this IT Pro Challenge, you will first use the Group Policy Editor to configure local password policies and then use the Group Policy Management Console (GPMC) to configure a domain password policy. Finally, you will learn how to configure and implement a fine-grained password policy. As a proof of concept, you will use a provided user account to test that the various password policies are being enforced correctly. The skills acquired in this lab are useful for a career as a Windows Server or system administrator.
The scenario for this lab is that you are a Windows Server administrator tasked with managing your company’s Active Directory Domain Services (AD DS) environment. To do this, you need to configure local and domain password policies. You will begin by configuring and testing a local password policy using the local Group Policy editor. Then you will configure and test a domain password policy using the Group Policy Management Console (GPMC). Finally, you will implement a fine-grained password policy.
Configure local password policy settings by using the local Group Policy editor
To begin the lab, you will launch the local Group Policy editor (gpedit.msc) and navigate to the Password Policy under Computer Configuration to view the local password policy settings. There, you will make several changes. You will set the minimum password length to seven characters and disable the Password must meet complexity requirements setting. Then you will change the password for a user (Mike Nash).
NOTE: Local group policy settings are applied to the local computer when it’s not connected to a domain. Group Policy Objects (GPOs) are processed in order: local, site, domain, and organizational unit (OU). Domain-level GPO settings take precedence over a local policy setting. The following settings make up the password policy:
- Enforce password history.
- Maximum password age.
- Minimum password age.
- Minimum password length.
- Password must meet complexity requirements.
- Store passwords using reversible encryption.
Configure domain account password policy settings by using the Group Policy Management Console
Now you will sign in to another virtual machine (DC1) and use the GPMC to set the minimum password length to 10 characters and enable the Password must meet complexity requirements setting. Then you will switch back to the first virtual machine (SVR1) and join the computer to a provided domain. Finally, back on DC1, you will configure the Mike Nash user account to require a password change.
Configure fine-grained password policies by using the Active Directory Administrative Center
You can use fine-grained password policies to apply password settings to privileged accounts. Fine-grained password settings can differ from those in the domain policy. These policies are saved in a password settings container rather than a GPO. A fine-grained password policy cannot be directly applied to an OU.
Finally, on the DC1 virtual machine, you will configure a fine-grained password policy (High Security Password Policy) with a precedence of 1 to require a 20-character password for members of the HR Admins group. To do this, you will use the Active Directory Administrative Center. You will add the Mike Nash user account to the HR Admins security group and force a password change upon login. As a proof of concept, you will try to sign in as Mike Nash and choose a password shorter than 20 characters. The login should fail because the Mike Nash account is required to have a 20-character password.
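The same fine-grained policy steps can be scripted and checked from PowerShell; the following is an added example, not part of the lab itself. It assumes the ActiveDirectory module on DC1, a domain administrator session, and `MikeNash` as the account's sAMAccountName (the page does not give one); settings not named on the page stay at the cmdlet defaults.

```powershell
# Added example, not lab material. Run on DC1 as a domain administrator.
Import-Module ActiveDirectory

$psoName = 'High Security Password Policy'
$group   = 'HR Admins'
$user    = 'MikeNash'   # assumption: sAMAccountName is not stated on the page

# A PSO only takes effect on user objects and global security groups.
$g = Get-ADGroup -Identity $group
if ($g.GroupScope -ne 'Global' -or $g.GroupCategory -ne 'Security') {
    throw "'$group' is $($g.GroupScope)/$($g.GroupCategory); a PSO needs a global security group."
}

# Create the PSO only if it is missing, so the script can be re-run safely.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 1 -MinPasswordLength 20
}

# Link the PSO to the group (PSOs are linked to groups or users, not OUs).
$linked = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName
if ($linked.DistinguishedName -notcontains $g.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}

# Put the test account in the group and force a password change at next logon.
if ((Get-ADGroupMember -Identity $group).SamAccountName -notcontains $user) {
    Add-ADGroupMember -Identity $group -Members $user
}
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# Verify which policy actually wins for the account, next to the domain default.
$domain    = Get-ADDefaultDomainPasswordPolicy
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if (-not $effective) {
    throw "No PSO applies to $user; domain policy (min length $($domain.MinPasswordLength)) is in effect."
}
[pscustomobject]@{
    User               = $user
    EffectivePolicy    = $effective.Name
    Precedence         = $effective.Precedence
    EffectiveMinLength = $effective.MinPasswordLength
    DomainMinLength    = $domain.MinPasswordLength
}
if ($effective.Name -ne $psoName -or $effective.MinPasswordLength -ne 20) {
    throw "Unexpected resultant policy for ${user}: $($effective.Name)"
}
```

`Get-ADUserResultantPasswordPolicy` returns nothing when only the domain policy applies, which is why the script treats an empty result as a failed check rather than a pass.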
By taking this lab, you will learn how to use the Local Group Policy Editor to configure the local password policy, configure a domain password policy, and configure a fine-grained password policy using the Active Directory Administrative Center. As a proof of concept, you will test your changes using a provided user account to verify that password rules are working properly.