In this demonstration, we're going to look at fine-grained password policy in Active Directory Domain Services. We'll look at the Protected Users group and Azure AD Password Protection. You're looking at the desktop of a Windows Server 2022 domain controller. And I'm just going to start right in here. We'll go into Active Directory Users and Computers. And if we come down to the Users container, we've got the Protected Users global group. As you can see, it's a global security group. The description is that members of this group are afforded additional protections, and then there's a link to learn more about that.

So again, the idea is that your high value groups, as long as they're for humans, remember, we don't want to apply no delegation, no Kerberos extended ticket durations and that kind of stuff; we don't want to put those restrictions on our group managed service accounts or computer accounts. This would just be for interactive high privilege user and group identities. It's as simple as that. So, we've got that group. It's just a fast way to efficiently improve the security posture of those high value groups and users.
Okay, let me minimize Users and Computers, and let's go to Group Policy Management. And here I just want to quickly review. We'll go to Default Domain Policy. I showed you this in the previous lesson, and again, you've probably done this in industry 100 times, at least I hope so. We go under Computer Configuration, Policies, Windows Settings. We've got our Security Settings, where this is our main source of control for server and client level system security. In particular, we've got our Password Policy, our Account Lockout Policy, our Kerberos Policy. And then under Local Policies, we have our User Policy, User Rights Assignment, and Security Options. And as I had mentioned, in terms of domain password policy, that's normally where that would live, in the Default Domain Policy Group Policy object.

However, what if we have groups that have different security requirements in terms of passwords? Let me actually go back to Users and Computers for a moment. Let's see. I've got an organizational unit called Staff, and I have a security group called Accounting. Who's in there? Looks like there's nobody in there yet.
Let me add in my Pat Colleague user, just so there's somebody in there. And let's say that this group, maybe because they're dealing with financials, we want them to have different password properties than the rest of the domain. This would be a good use case for fine-grained password policy. Now, unfortunately, fine-grained password policy is one of those things that requires a special tool. We can't do that within ADUC, Active Directory Users and Computers. So as you can see, I have Active Directory Administrative Center all loaded up and ready to go.

The way we create fine-grained password policy is by defining password containers, and we can do that here in ADAC, Active Directory Administrative Center, by navigating into our domain, coming down to the System container, and then down to Password Settings Container. And then I'm going to right-click within that window and go to New, Password Settings. And let's maximize this window. I'm going to call this Accounting-Group-PW-Settings. And like I said before, there are precedence values here: if it turns out there's more than one associated password settings object for a group, the one with the highest precedence would take effect.
And I'm not going to adjust any of these settings. I just want to review with you. We've got our traditional Group Policy-based controls: minimum password length, complexity requirements, reversible encryption, just your traditional stuff there. And notice that for convenience we can optionally layer in Account Lockout Policy as well. So that's really about it. It's pretty basic stuff. And then lastly, Directly Applies To: let's click Add, and here what I want you to see in the filter is we've got Groups and Users. Of course, it makes the most sense to do Group. So I'm going to do a search in my Active Directory domain for Accounting.
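The same work the demo does by hand in ADAC and ADUC, as an added PowerShell example that is not part of the course: it creates the Accounting PSO, links it to the group, checks the resultant policy, and guards the Protected Users membership so only human user accounts get in. Assumed names: the group is 'Accounting' and Pat Colleague's sAMAccountName is 'pcolleague'.

```powershell
# Added example, not from the course demo. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$psoName = 'Accounting-Group-PW-Settings'

# Creates the PSO under CN=Password Settings Container,CN=System,<domain>.
# When a user is covered by more than one PSO, the LOWEST Precedence number wins,
# so keep the low numbers for the strictest policies.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# "Directly Applies To": link the PSO to the group rather than to individual users.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Accounting'

# Check what a group member actually ends up with once precedence is resolved.
Get-ADUserResultantPasswordPolicy -Identity 'pcolleague' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Protected Users is for interactive human accounts only: refuse computer accounts,
# gMSAs and accounts that carry an SPN (those normally back a service).
function Add-HumanToProtectedUsers {
    param([Parameter(Mandatory)][string]$Identity)
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$Identity'" -Properties servicePrincipalName
    if (-not $obj) { throw "No object named $Identity" }
    if ($obj.ObjectClass -ne 'user') {
        # computers report 'computer', gMSAs 'msDS-GroupManagedServiceAccount'
        throw "$Identity is a $($obj.ObjectClass), not a user; Protected Users would break it"
    }
    if ($obj.servicePrincipalName.Count -gt 0) {
        throw "$Identity holds SPNs ($($obj.servicePrincipalName -join ', ')); treat it as a service account"
    }
    Add-ADGroupMember -Identity 'Protected Users' -Members $obj
}

# Example call against the demo user; in practice only high privilege admin accounts go here.
Add-HumanToProtectedUsers -Identity 'pcolleague'
```

Run it once against a single test account first: Protected Users members lose NTLM and RC4 logons, so a sign-on that still depends on those will fail immediately after the add.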