Fine-grained password policies apply to groups, not OUs.
If you need a different password policy to apply to the members of an OU, a good way to do this is to create a shadow group, which is just a security group named after the OU.
I am going to demonstrate this on the Gold Coast OU, so I created a group called Gold Coast.
From PowerShell, enter the following command on one line.
PS C:\Users\Administrator> New-ADFineGrainedPasswordPolicy GoldCoastPolicy -ComplexityEnabled:$true -LockoutDuration:"00:30:00" -LockoutObservationWindow:"00:30:00" -LockoutThreshold:"0" -MaxPasswordAge:"42.00:00:00" -MinPasswordAge:"1.00:00:00" -MinPasswordLength:"9" -PasswordHistoryCount:"10" -Precedence:"1" -ReversibleEncryptionEnabled:$false -ProtectedFr
Then, to apply the fine-grained policy to a group:
Add-ADFineGrainedPasswordPolicySubject GoldCoastPolicy -Subjects 'Gold Coast'
Or in ADAC navigate to Domain > System > Password Settings Container.
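A shadow group only works while its membership matches the OU, so here is an added example (not from the original post) that re-syncs the group from the OU and then checks which policy each user actually receives. It assumes the domain DC=example,DC=com and the OU, group and policy names used on this page.

```powershell
# Added example, not from the original post. Keeps the shadow group "Gold Coast" in step
# with the users in the "Gold Coast" OU and confirms the policy really reaches them.
# Assumptions: domain DC=example,DC=com; group, OU and policy names as on this page.
Import-Module ActiveDirectory

$OU     = 'OU=Gold Coast,DC=example,DC=com'
$Group  = 'Gold Coast'
$Policy = 'GoldCoastPolicy'

function Sync-ShadowGroup {
    param([string]$OUPath, [string]$GroupName)
    # Users in the OU (OneLevel = direct children; use Subtree to include child OUs)
    $inOU = @(Get-ADUser -SearchBase $OUPath -SearchScope OneLevel -Filter * |
              Select-Object -ExpandProperty DistinguishedName)
    # Users currently in the shadow group
    $inGroup = @(Get-ADGroupMember -Identity $GroupName |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Select-Object -ExpandProperty DistinguishedName)
    # Anyone moved out of the OU loses the policy; anyone moved in gains it
    $toAdd    = @($inOU    | Where-Object { $_ -notin $inGroup })
    $toRemove = @($inGroup | Where-Object { $_ -notin $inOU })
    if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
    [pscustomobject]@{ Added = $toAdd.Count; Removed = $toRemove.Count }
}

function Test-ShadowGroupPolicy {
    param([string]$OUPath, [string]$GroupName, [string]$PolicyName)
    # Make sure the group is a subject of the policy (safe to run repeatedly)
    $subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName)
    if ($subjects.SamAccountName -notcontains $GroupName) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
    }
    # Resultant policy per user: if several FGPPs apply, the lowest Precedence wins;
    # $null means the user falls back to the Default Domain Policy
    Get-ADUser -SearchBase $OUPath -SearchScope OneLevel -Filter * | ForEach-Object {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $_
        [pscustomobject]@{
            User            = $_.SamAccountName
            EffectivePolicy = if ($rp) { $rp.Name } else { 'Default Domain Policy' }
        }
    }
}

Sync-ShadowGroup -OUPath $OU -GroupName $Group
Test-ShadowGroupPolicy -OUPath $OU -GroupName $Group -PolicyName $Policy
```

Run the sync from a scheduled task so users moved into or out of the OU pick up the right policy without anyone editing the group by hand.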
You can give users the right to do certain tasks that they would not ordinarily be able to do based on their group membership.
This can be applied at the domain or OU level.
In the example I am about to do, I give GoldCoastUser1 the right to change passwords in the Gold Coast OU.
Click Add and add the user you want to delegate control to.
Here you have the choice of delegating common preset tasks or creating a custom task to delegate.
Click Finish and that is all there is to do for a preset task like changing passwords.
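The wizard writes an ACE on the OU that is easy to forget about later, so here is an added example (not from the original post) that lists who holds the Reset Password right on an OU. It assumes the AD: drive from the ActiveDirectory module and the OU path OU=Gold Coast,DC=example,DC=com.

```powershell
# Added example, not from the original post. Reports the trustees that have been delegated
# the "Reset Password" control access right on an OU, so delegations can be reviewed.
# Assumes the ActiveDirectory module (AD: drive) and the OU path below.
Import-Module ActiveDirectory

# Well-known GUIDs: the Reset Password (User-Force-Change-Password) extended right,
# and the schemaIDGUID of the user class (the wizard scopes the ACE to user objects)
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserClassGuid      = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Get-ResetPasswordDelegation {
    param([string]$OUPath)
    $acl = Get-Acl -Path "AD:\$OUPath"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            # Empty ObjectType means "all extended rights", which includes Reset Password
            ($_.ObjectType -eq $ResetPasswordRight -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object @{n='Trustee';   e={ $_.IdentityReference }},
                      @{n='Right';     e={ if ($_.ObjectType -eq [guid]::Empty) { 'All extended rights' } else { 'Reset Password' } }},
                      @{n='AppliesTo'; e={ if ($_.InheritedObjectType -eq $UserClassGuid) { 'user objects' } else { 'all object types' } }},
                      IsInherited
}

# Note: trustees with GenericAll (Full Control) can also reset passwords but are not
# matched by the ExtendedRight test above; review those separately.
Get-ResetPasswordDelegation -OUPath 'OU=Gold Coast,DC=example,DC=com'
```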
The first way to manage local account policies is through the Local Group Policy Editor.
You open it by typing gpedit.msc at the Run prompt.
From here you can set Password Policy and Account Lockout Policy.
Set these settings as required by double-clicking any setting and changing it as required.
The Explain tab explains what the setting does.
Another way of doing this is using Local Security Policy; type secpol.msc at a prompt to open it.
This displays the same security settings as the Local Group Policy Editor, and they are edited in much the same way.
Another way is to use security templates.
Open an MMC console and add the Security Configuration and Analysis and Security Templates snap-ins.
Start with the Security Templates snap-in.
Make changes to the template as required.
Then go to Security Configuration and Analysis, right-click and choose Open Database.
Select the example.inf created previously and click Open.
Now either choose Analyze Computer Now, which will tell you where your computer differs from the template, or Configure Computer Now, which will configure your computer as per the template.
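The same analyze/configure cycle can be scripted with secedit, the command-line counterpart of the two snap-ins. This is an added example, not from the original post; the file paths and the lockout values are assumptions, and the password settings follow the ones used on this page.

```powershell
# Added example, not from the original post. Writes example.inf as a security template,
# analyzes and applies it with secedit, then reads the effective local policy back.
# Paths and the lockout values are assumptions.
$template = 'C:\Temp\example.inf'
$db       = 'C:\Temp\example.sdb'
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null

# Template syntax: password ages are in days, lockout times in minutes
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 9
PasswordHistorySize = 10
MaximumPasswordAge = 42
MinimumPasswordAge = 1
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
'@ | Set-Content -Path $template -Encoding Unicode

# Analyze: report where the computer differs from the template (details go to the log)
secedit /analyze /db $db /cfg $template /log C:\Temp\analyze.log /quiet
# Configure: apply the template to the computer
secedit /configure /db $db /cfg $template /overwrite /log C:\Temp\configure.log /quiet

function Get-LocalPasswordPolicy {
    # Export the live policy and parse its [System Access] section into a hashtable
    $out = 'C:\Temp\current.inf'
    secedit /export /cfg $out /areas SECURITYPOLICY /quiet | Out-Null
    $result = @{}; $section = ''
    foreach ($line in Get-Content $out) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    $result
}

# Compare what is now in force with the template values above
Get-LocalPasswordPolicy
```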
There are two types of AD restores: authoritative and non-authoritative.
To do an AD restore you should be in AD restore mode, but as my server is in the AWS cloud I cannot do that, so I will demonstrate all the steps that it allows me to.
To put the DC into Directory Services Restore Mode you can use:
bcdedit /set safeboot dsrepair
shutdown -r -t 0
Go to Windows Server Backup and from the Actions menu select Recover.
Select the last backup that contains the system state.
Select the system state to restore.
To remove safeboot use:
bcdedit /deletevalue safeboot
There are two ways to do an Active Directory Backup natively. The first is Windows Server Backup and the second is WBADMIN.
Before you use Windows Server Backup you need to install the Windows Server Backup feature.
Open Windows Server Backup from the Tools menu.
You can choose a local or online backup (I am demonstrating local).
Select Custom and click Next.
In the Select Items for Backup dialog box, select Add Items, select the system state and click OK.
Select a schedule that suits your environment and click Next.
Select a destination that suits you and click Next.
If your backup destination is not showing, click Show All Available Disks.
Select the one you want and click OK.
Select the correct backup disk and click Next.
At the confirmation screen click Finish.
The scheduled task can be viewed in Task Scheduler,
or with wbadmin:
wbadmin start systemstatebackup -backupTarget:d:
You could put that in a batch file and schedule it.
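A system state backup is only useful for the restore described above while it is younger than the forest's tombstone lifetime, so an added example (not from the original post) that checks the age of the last successful backup against that value follows. It assumes the WindowsServerBackup and ActiveDirectory modules are present on the DC and that D: is the backup target.

```powershell
# Added example, not from the original post. Checks that the last successful backup is
# still young enough to restore AD from: a backup older than the tombstone lifetime
# cannot be used. Assumes the WindowsServerBackup and ActiveDirectory modules.
Import-Module WindowsServerBackup
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                       -Properties tombstoneLifetime
    # The attribute is unset on forests created before it existed; the default is then 60 days
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Test-SystemStateBackupAge {
    param([int]$WarnDays = 7)   # how old a backup may be before it is flagged as stale
    $summary = Get-WBSummary     # note: summary covers the last backup of any kind
    $last    = $summary.LastSuccessfulBackupTime
    $ttl     = Get-TombstoneLifetimeDays
    $age     = if ($last) { (Get-Date) - $last } else { $null }
    [pscustomobject]@{
        LastSuccessfulBackup  = $last
        AgeDays               = if ($age) { [math]::Round($age.TotalDays, 1) } else { $null }
        TombstoneLifetimeDays = $ttl
        Restorable            = ($null -ne $age) -and ($age.TotalDays -lt $ttl)
        Stale                 = ($null -eq $age) -or ($age.TotalDays -gt $WarnDays)
    }
}

Test-SystemStateBackupAge

# The same backup command as above, with -quiet so it can run unattended from Task Scheduler
wbadmin start systemstatebackup -backupTarget:D: -quiet

# For the restore side (run in DSRM): list backup versions, then recover the system state.
# Add -authsysvol to make the SYSVOL restore authoritative.
#   wbadmin get versions
#   wbadmin start systemstaterecovery -version:<VERSION-ID-FROM-GET-VERSIONS> -quiet
```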
Using the GUI you can find the RID, PDC and Infrastructure roles from Active Directory Users and Computers,
and by clicking the Change button you can change the domain controller they are hosted on.
Before doing that you need to connect to the other domain controller.
To view and change the Domain Naming Master role you need to use Active Directory Domains and Trusts.
Right-click on the root of the forest and select Operations Master.
To view the Schema Master role you need to open Active Directory Schema from an MMC console, right-click on the forest root and select Operations Master.
A quicker way of viewing these roles is with netdom or PowerShell:
netdom query fsmo
With PowerShell, Get-ADDomain can find the domain-level roles:
Get-ADDomain |select PDCEmulator,RIDMaster,InfrastructureMaster
and Get-ADForest shows the forest-level roles.
ntdsutil can be used to transfer roles if you do not have access to the GUI.
Transferring the other roles is the same except for the "transfer PDC" line.
The options are:
Transfer infrastructure master
Transfer naming master
Transfer RID master
Transfer schema master
Note: in the "connect to server" line, connect to the server you want to transfer the roles to.
There are also options for seizing, which you would only do if the server holding the master roles is permanently offline.
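The ActiveDirectory module can do the same transfer (or seizure) without the ntdsutil menus. This is an added example, not from the original post; the target DC name is an assumption.

```powershell
# Added example, not from the original post. Shows all five role holders in one object and
# moves roles with Move-ADDirectoryServerOperationMasterRole. Target DC name is assumed.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $d = Get-ADDomain   # domain-level roles
    $f = Get-ADForest   # forest-level roles
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [ValidateSet('PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster')]
        [string[]]$Roles,
        # Seize only when the current holder is permanently gone; it must never come back online
        [switch]$Seize
    )
    # Without -Force this is a transfer and the current holder must be reachable
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles `
        -Force:$Seize -Confirm:$false
    Get-FsmoRoleHolders   # re-read so the result reflects the move
}

Get-FsmoRoleHolders
# Move-FsmoRoles -TargetDC 'DC2' -Roles PDCEmulator,RIDMaster,InfrastructureMaster

# Equivalent ntdsutil one-liner for the PDC role (the "transfer PDC" line from above):
#   ntdsutil "roles" "connections" "connect to server DC2" "quit" "transfer PDC" "quit" "quit"
```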
By default, Schema Management is not available.
To open Schema Management you need to register the DLL.
After registering the DLL it is available to be added to an MMC console.
To configure UGMC, open Active Directory Sites and Services from the Tools menu.
Select the root of the site, then in the right-hand pane right-click on NTDS Site Settings.
From there check Enable Universal Group Membership Caching and click OK.
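The checkbox toggles one bit (0x20) in the options attribute of the site's NTDS Site Settings object, so it can be read and set from PowerShell. This is an added example, not from the original post; the site name is an assumption.

```powershell
# Added example, not from the original post. Reads and sets Universal Group Membership
# Caching by flipping bit 0x20 of the options attribute on "CN=NTDS Site Settings" for a
# site, which is what the checkbox in Sites and Services does. Site name is assumed.
Import-Module ActiveDirectory
$UGMC_BIT = 0x20

function Get-NtdsSiteSettingsDN {
    param([string]$Site)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    "CN=NTDS Site Settings,CN=$Site,CN=Sites,$cfg"
}

function Get-UgmcSetting {
    param([string]$Site = 'Default-First-Site-Name')
    $obj = Get-ADObject -Identity (Get-NtdsSiteSettingsDN $Site) -Properties options, msDS-Preferred-GC-Site
    [pscustomobject]@{
        Site        = $Site
        Enabled     = [bool]([int]$obj.options -band $UGMC_BIT)   # options may be unset ($null -> 0)
        RefreshFrom = $obj.'msDS-Preferred-GC-Site'               # the "Refresh cache from" site, if chosen
    }
}

function Set-UgmcSetting {
    param([string]$Site, [bool]$Enabled)
    $dn  = Get-NtdsSiteSettingsDN $Site
    $cur = [int](Get-ADObject -Identity $dn -Properties options).options
    # Only touch our bit; other option bits on the object are preserved
    $new = if ($Enabled) { $cur -bor $UGMC_BIT } else { $cur -band (-bnot $UGMC_BIT) }
    if ($new -ne $cur) { Set-ADObject -Identity $dn -Replace @{ options = $new } }
    Get-UgmcSetting -Site $Site
}

Get-UgmcSetting -Site 'Default-First-Site-Name'
# Set-UgmcSetting -Site 'Gold Coast' -Enabled $true
```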
New-NetIPAddress -IPAddress 192.168.1.11 -InterfaceAlias "Ethernet" -DefaultGateway 192.168.1.1 -PrefixLength 24
Right-click on the share you want to make available offline and select Properties.
Go to the Sharing tab and click Advanced Sharing.
Click on Caching.
Here there are three choices: files users select, none, and everything; choose the one that is appropriate.
Click OK to close the dialog boxes.
Then open the folder from another computer,
and to make it available offline select Always Available Offline.
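The Caching dialog sets the share's CachingMode property, so the choice can be audited and enforced across shares from PowerShell. This is an added example, not from the original post; the share names and the desired modes are assumptions.

```powershell
# Added example, not from the original post. Compares each share's CachingMode with a
# desired value and optionally fixes it. Share names and desired modes are assumptions.
Import-Module SmbShare

# Caching dialog wording                          -> CachingMode value
# "Only the files and programs that users specify" -> Manual
# "No files or programs from the shared folder"    -> None
# "All files and programs that users open"         -> Documents (Programs = optimised for performance)
$Desired = @{ 'GoldCoastDocs' = 'Manual'; 'Installers' = 'Programs'; 'Scratch' = 'None' }

function Test-ShareCaching {
    param([hashtable]$Expected, [switch]$Fix)
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {   # skip C$, ADMIN$ etc.
        $want = $Expected[$share.Name]
        if (-not $want) { continue }   # share is not covered by the table
        $ok = ($share.CachingMode -eq $want)
        if (-not $ok -and $Fix) {
            Set-SmbShare -Name $share.Name -CachingMode $want -Force
        }
        [pscustomobject]@{
            Share     = $share.Name
            Current   = $share.CachingMode
            Expected  = $want
            Compliant = $ok
        }
    }
}

Test-ShareCaching -Expected $Desired         # report only
Test-ShareCaching -Expected $Desired -Fix    # enforce the desired modes
```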