Exchange Server 2007/2010: Managing And Filtering Anti-Spam Agent Logs

Exchange 2007 includes a number of anti-spam agents to filter spam. The anti-spam agents log their actions in (anti-spam) agent logs. The default agent log locations:

• Exchange 2010: \Exchange Server\V14\TransportRoles\Logs\AgentLog
• Exchange 2007: \Exchange Server\TransportRoles\Logs\AgentLog

Enable anti-spam functionality on a Hub Transport server

After you run the Install-AntispamAgents.ps1 script, restart the Microsoft Exchange Transport service, and set the InternalSMTPServers parameter.

  Run the Install-AntispamAgents.ps1 script

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Hub Transport server" entry in the Transport Permissions topic.



Run the following command from the %system drive%/Program Files\Microsoft\Exchange Server\V14\Scripts folder.
./install-AntispamAgents.ps1


After the script has run, restart the Microsoft Exchange Transport service by running the following command.
Restart-Service MSExchangeTransport

Agent Log Configuration

You can’t change the agent log location. Here are the available config options:

1. Enable/Disable agent log: On transport servers with anti-spam agents installed, agent logging is enabled by default. You can disable it by adding the AgentLogEnabled key, and setting it to FALSE.
2. Max file size: By default, the maximum file size of each agent log is 10 Mb (10485760 bytes). You can modify it by adding AgentLogMaxFileSize key and providing the desired value (in bytes). Parsing very large log files can be slower— the default max file size works for most deployments.
3. Max directory size:: By default, the size of the directory is capped at 250 Mb(262144000 bytes). You can modify it by adding the AgentLogMaxDirectorySize key and providing the desired value (in bytes). In a high volume environment, you must consider the volume of log files generated in a day, and determine the space required based on how many days’ worth of log files you want to retain for troubleshooting or to meet your organization’s retention requirements.
4. Agent log age: The age of a log is capped at 30 days. You can modify it by adding theAgentLogMaxAge key and providing the desired value. Logs are flushed when they’re older than the AgentLogMaxAge, or if the directory size reaches the AgentLogMaxDirectorySize(250 Mb by default), whichever happens first. If it’s important to maintain agent logs for a certain number of days, you must consider the volume of logs generated daily, and raise the AgentLogMaxDirectorySize if required.

Exchange 2007 RTM has only one configuration option for the agent log – that to enable or disable it. Exchange Server 2007 SP1 includes the additional configuration parameters listed above to control the max directory size, file size and age of agent logs added.

The agent log configuration parameters can be controlled by editing theEdgeTransport.exe.config file, located in \Exchange Server\Bin folder on Edge and Hub Transport servers.

Note, the key names in EdgeTransport.exe.config are case-sensitive.

Disable agent logging

To disable agent logging, insert the following key under  in the config file:

Modify agent log configuration

In the following example, we modify max directory size to 500 Mb, file size to 20 Mb, and age to 60 days, by creating new keys in EdgeTransport.exe.config:

Parsing the agent log

You can parse the agent log using the Get-AgentLog command from the shell.

By default, the Get-AgentLog cmdlet parses agent logs in the default location (\Exchange Server\TransportRoles\Logs\AgentLog). Depending on your troubleshooting and log retention requirements, you can move older files to an another location. To parse agent logs in an alternate location, you must specify the path. In this example, the agent logs have been copied to Z:\Antispam Agent Logs directory:

Get-AgentLog -location “Z:\AntiSpam Agent Logs”

Agent log format and fields

Agent log file names are named AGENTLOGyyyymmdd-nnnn.log. It’s easy to decipher yyyy stands for the year, mm is the month, and dd is the date. The nnnn is a serial number, starting at 0001, rolled over when more than one log is generated in a day. The date is UTC.

Each agent log starts with the following header fields:

#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: Agent Log
#Date: 2010-08-07T00:00:01.500Z
#Fields: Timestamp,SessionId,LocalEndpoint,RemoteEndpoint,EnteredOrgFromIP,
MessageId,P1FromAddress,P2FromAddresses,Recipient,NumRecipients,
Agent,Event,Action,SmtpResponse,Reason,ReasonData,Diagnostics

Here’s what an entry in the agent log looks like, as output by the Get-AgentLog cmdlet. Note, not all fields are displayed by default when you use the cmdlet:

Timestamp : 4/16/2007 12:39:49 AM
SessionId : 08C948C83FB951AC
IPAddress : 72.46.133.113
MessageId :
P1FromAddress : ret@noncornelan.com
P2FromAddresses : {}
Recipients : {foo@yourdomain.com}
Agent : Connection Filtering Agent
Event : OnRcptCommand
Action : RejectCommand
SmtpResponse : 550 5.7.1 Recipient not authorized, your IP has been found on a block list
Reason : BlockListProvider
ReasonData : Spamhaus SBL-XBL
Diagnostics :

As seen in the above output, the logs provide adequate information for reporting on anti-spam activity, as well as for troubleshooting anti-spam issues like messages not being received/wrongly filtered out.

Getting to know the agent logs will make troubleshooting such issues much easier.

Searching agent logs

By default, the Get-AgentLog command returns all the entries in the agent logs. This can take a long time and results in all entries scrolling by quickly in your shell window. The only filtering options available with the Get-AgentLog cmdlet are start and end dates.

Filter by date and time

Agent logs can be constrained to a particular date and time – the recommended way to perform most agent log searches, unless you want to immerse yourself in 30 days (or 250 Mb) of anti-spam goodness! This is done using the -StartDate and -EndDate parameters, as shown in this example:

Get-AgentLog -StartDate “4/16/2007″ -EndDate “4/17/2007″

You can also constrain it further by adding time of the day:

Get-AgentLog -StartDate “4/17/2007 8:00 AM” -EndDate “4/17/2007 2:00 PM”

Search messages by recipients and senders

Although the Get-AgentLog command only takes these 3 parameters – location, StartDate, and EndDate, you can further filter the logs using most of its logged fields by using pipelining.

To filter the log to show messages to a particular recipient:

Get-AgentLog -StartDate “4/16/2007″ -EndDate “4/17/2007″ | where {$_.recipients -like “foo@yourdomain.com”}

To search for messages from a particular sender:

Get-AgentLog -StartDate “4/16/2007″ -EndDate “4/17/2007″ | where {$_.P1FromAddress -like “aqe@easymoney2u.com” -or $_.P2FromAddresses -like “aqe@easymoney2u.com”}

Search messages from a sender domain

To search for messages from a particular domain:

Get-AgentLog -StartDate “4/16/2007″ -EndDate “4/17/2007″ | where {$_.P1FromAddress -like “*somedomain.com” -or $_.P2FromAddress -like “*somedomain.com”}

Search messages filtered by a specified anti-spam agent

To filter by the anti-spam agent that acted on a message, e.g. Connection Filtering Agent:

Get-AgentLog -StartDate “4/15/2007″ -EndDate “4/17/2007″ | where {$_.Agent -eq “Connection Filtering Agent”}

Similarly, you can filter by other agents that write to the agent logs: 1) Content Filter Agent 2) SenderID agent 3) Sender Filter agent 4) Recipient Filter agent and 5) Edge Rules agent.

Searching by IP address

To filter agent logs by the sending host’s IP address, use the following command:

Get-AgentLog -StartDate “4/15/2007″ -EndDate “4/17/2007″ | where {$_.IPAddress -eq “72.46.133.113″}

Search messages blocked by RBLs

The reason field in each log entry specifies the reason supplied by the anti-spam agent that takes the action. For instance, as seen in the agent log entry shown earlier in this article, the agent that acted on the message is the Connection Filtering Agent, the reason isBlockListProvider (i.e. “RBL” or “Real-time Block List”, known as IP Block Lists in Exchange Server 2007). The ReasonData field gives you the name of the IP Block List Provider, as configured in Exchange. In the above agent log entry, it is “Spamhaus SBL-XBL”. To constrain the search for messages blocked by IP Block List Providers:

Get-AgentLog -StartDate “4/15/2007″ -EndDate “4/17/2007″ | where {$_.Reason -eq “BlockListProvider”}

To get a list of all IP addresses blocked by IP Block List Providers:

Get-AgentLog -StartDate “12/21/2007″ | where {$_.Reason -eq “BlockListProvider”} | ft Timestamp,IPAddress,ReasonData

You can also look for messages blocked by a particular IP Block List Povider:

Get-AgentLog -StartDate “4/15/2007″ -EndDate “4/17/2007″ | where {$_.ReasonData -eq “Spamhaus SBL-XBL”}

Search by SCL thresholds

For messages scanned by the Content Filter Agent, the Reason field contains details likeSCLAtOrAboveDeleteThreshold, SCLAtOrAboveRejectThreshold, etc. The ReasonData field contains the SCL value assigned to the message. To get a list of messages above the SCLDeleteThreshold, use the following command:

Get-AgentLog -StartDate “4/15/2007″ -EndDate “4/17/2007″ | where {$_.reason -eq “SCLAtOrAboveDeleteThreshold”}

As shown in the above examples, you can use the Get-AgentLog command and pipe the data to filter it based on the fields logged. You can get more details about agent logs – including the fields logged, from the Managing Agent Logging section in Exchange Server 2007 documentation.

Unexpected error refreshing Server Manager-errors 0x800706BE and 1601 on Window Server 2008 R2

On certain Windows Server 2008 R2 machines you may experience the Server Manager being unable to open Roles and/or Features in the MMC. The error it usually comes back with is Unexpected error refreshing Server Manager: The remote procedure call failed. (Exception from HRESULT: 0x800706BE). You may also find that there is also Error 1601 in the Event Log.

Introduction

On certain Windows Server 2008 R2 machines you may experience theServer Manager being unable to open Roles and/or Features in the MMC.  The error it usually comes back with is Unexpected error refreshing Server Manager: The remote procedure call failed. (Exception from HRESULT: 0x800706BE). 

Certain people have also reported finding that there is also an error being logged in the event log – Error 1601.  Various reasons lead us to believe that this is an issue related to file corruption.  More specifically, file corruption caused by failed Windows Updates.

If your Server Manager is crashing and you’re unable to add Roles or Features this article will talk you through a number of steps which may help you resolve the issue.

Step 1 – Download & Install System Update Readiness Tool (KB947821)

The first step in trying to diagnose this is to download and install KB947821 on the server which is having the problem with System Manager and generating the 0x800706BE refresh error.  You can download it from http://support.microsoft.com/kb/947821

The System Update Readiness Tool, runs a onetime scan for inconsistencies that might prevent future servicing operations. This scan typically takes less than 15 minutes to run. However, the tool might take significantly longer on some computers. The Windows Update progress bar is notupdated during the scan, and progress seems to stop at 60% complete for some time. This behavior is expected. The scan is still running and you should not cancel the update.  If you are prompted to restart your computer, do so.

Step 2 – Analyze KB947821 output log file

After you install KB947821 on your computer, you need to inspect the output log file it left behind.  You can find the file in: C:\Windows\Logs\CBS\CheckSUR.log

The log should show what files have been detected as corrupt or missing from/in the C:\windows\servicing\packages folder.  For instance, on our test machine they were shown as:

2010-10-07 09:30:43, Info                  CBS    Failed to get session package state for package: Package_3_for_KB975467~31bf3856ad364e35~amd64~~6.1.1.0 [HRESULT = 0x80070490 - ERROR_NOT_FOUND]
2010-10-07 09:30:43, Info                  CBS    Failed to get session package state for package: Package_2_for_KB975467~31bf3856ad364e35~amd64~~6.1.1.0 [HRESULT = 0x80070490 - ERROR_NOT_FOUND]

You might also want to have a look at the CheckSUR.persist.log. In our case it looked like this:

=================================
Checking System Update Readiness.
Binary Version 6.1.7600.20593
Package Version 7.0
2010-04-14 09:56

Checking Windows Servicing Packages

Checking Package Manifests and Catalogs
(f) CBS MUM Corrupt 0x00000000 servicing\Packages\Package_for_KB976264_RTM~31bf3856ad364e35~amd64~~6.1.2.0.mum  Expected file name Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.mum does not match the actual file name

Checking Package Watchlist

Checking Component Watchlist

Checking Packages

Checking Component Store

Summary:
Seconds executed: 72
 Found 1 errors
  CBS MUM Corrupt Total count: 1

Unavailable repair files:
 servicing\packages\Package_for_KB976264_RTM~31bf3856ad364e35~amd64~~6.1.2.0.mum
 servicing\packages\Package_for_KB976264_RTM~31bf3856ad364e35~amd64~~6.1.2.0.cat

(w) Unable to get system disk properties 0x0000045D IOCTL_STORAGE_QUERY_PROPERTY Disk Cache

We also checked the servermanager.log and found that the CbsUpdateState.bin file in the C:\Windows\system32\ServerManager\Cache\ folder is missing.

4652: 2010-10-14 17:43:53.856 [Provider]                  C:\Windows\system32\ServerManager\Cache\CbsUpdateState.bin does not exist.
4652: 2010-10-14 17:43:53.965 [CBS]                       IsCacheStillGood: False.
4652: 2010-10-14 17:44:13.356 [CBS] Error (Id=0) Function: 'CreateSessionAndPackage()->Session_OpenPackage' failed: 800706be (-2147023170)
4652: 2010-10-14 17:44:13.419 [ExceptionHandler] Error (Id=0) An unexpected exception was found:
System.Runtime.InteropServices.COMException (0x800706BE): The remote procedure call failed. (Exception from HRESULT: 0x800706BE)
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
at Microsoft.Windows.ServerManager.ComponentInstaller.CreateSessionAndPackage(IntPtr& session, IntPtr& package)
at Microsoft.Windows.ServerManager.ComponentInstaller.InitializeUpdateInfo()
at Microsoft.Windows.ServerManager.ComponentInstaller.Initialize()
at Microsoft.Windows.ServerManager.Common.Provider.RefreshDiscovery()
at Microsoft.Windows.ServerManager.LocalResult.PerformDiscovery()
at Microsoft.Windows.ServerManager.ServerManagerModel.CreateLocalResult(RefreshType refreshType)
at Microsoft.Windows.ServerManager.ServerManagerModel.InternalRefreshModelResult(Object state)

Step 3 – Copy missing or corrupt files

In order to perform this step, you’ll need access to a machine which has a working ServerManager.  Copy the files listed as corrupted/missing from C:\windows\servicing\packages on the working machine to the server which is exhibiting the HRESULT 0x800706BE error.  You may need to change the ownership of the files on the destination machine to your user account as well as give yourself write permissions on the files before Windows allows you to overwrite them.

Once done, start Server Manager and see if that fixes the error.  To be doubly sure, check the contents of the C:\Windows\system32\ServerManager\Cache folder – there should be two files there: CbsUpdateInfo.bin and CbsUpdateState.bin.  If these files still don’t exist after ServerManager starts you haven’t completely fixed the 0x800706BE error.

Step 4 – Copy all files in C:\windows\servicing\packages folder

If you’re still unable to get Server Manager started, it means that there may be other problems and we need to overwrite all the packages in the C:\windows\servicing\packages folder.  The first step we need to do is take ownership of all the files.  To do this, launch a Command Prompt as an Administrator, and I mean right click the Command Prompt icon and select Run As Administrator.  At the command prompt execute:

takeown /F c:\Windows\Servicing\Packages /D y /R

The takeown command will give you ownership of the files, but you still need to give yourself write access to the files in order to change them.  In the same command prompt window execute the following command: (replace username with your username)

cacls c:\Windows\Servicing\Packages /E /T /C /G "username":F

Now copy all the files from the C:\windows\servicing\packages folder on a working server.  Make sure that the source server has been patched to the same level and has the same roles/features installed as the destination server.

Step 5 – Start Server Manager and check Cache folder

Try starting Server Manager and check if you’re still getting the error.  In all our tests, the above steps have been able to resolve 99% of all Server Manger problems related to error 0x800706BE and 1601.  Jus to be on the safe side, check the contents of the C:\Windows\system32\ServerManager\Cache folder and see that the two .bin files are now visible.

Conclusion

This article has demonstrated a quick and easy way to solve the errors associated with ServerManager and the 0x800706BE and 1601 errors that it exhibits when trying to install Roles or Features.  If the problem is not resolved by applying Microsoft KB947821, we have shown a reliable way to fix the 0x800706BE and 1601 errors by copying all files in C:\windows\servicing\packages from anther working Windows Server 2008 R2 server.

References

System Update Readiness Tool (KB947821)
http://support.microsoft.com/kb/947821

Advanced guidelines for diagnosing and fixing servicing corruption
http://technet.microsoft.com/en-us/library/ee619779%28WS.10%29.aspx

Hyper-V Sicherung mittels Powershell Script

Sicherung ist eines der meist vernachlässigsten und dennoch wichtigsten Aufgaben in der IT. Hand aufs Herz, nachdem man eine virtuelle Maschine laufen hat, kann es schon mal vorkommen das man das Sichern vergisst. Damit das in unseren Projekten nicht passiert, haben wir nach einer Lösung gesucht, die es uns mit Bordmitteln ermöglicht, ein konsistentes Backup einer Hyper-V VM zu fahren. Vorweg aber etwas das uns sehr am Herzen liegt:

Da Daten und deren Sicherungen für Unternehmen einen existenziellen Wert darstellen, möchten wir hier ausdrücklich darauf hinweisen, dass wir für die hier bereitgestellten Skripte und Methoden  keinerlei Haftung übernehmen und Sie diese auf eigene Gefahr einsetzen.

Wie sieht nun unsere Methode aus? Hyper-V bringt seit der ersten Version die Möglichkeit mit sich eine VM zu exportieren. Bei diesem Vorgang werden die kompletten Daten, d. h. die Platten (VHDs), die Snapshots (falls vorhanden) und die Konfiguration, in einem Format in ein Verzeichnis kopiert,  so dass diese jederzeit auf einen anderen Host kopiert und wieder importiert werden können. Daraus kann sich ein Problem ergeben: Da die Daten kopiert werden, und das nur auf einer Platte des Hosts passieren kann (keinem Netzlaufwerk), benötigt die Maschine mindestens den gleichen freien Plattenplatz, wie die gesamte VM belegt.

Weiterhin kann die VM beim Exportvorgang nicht laufen, das heißt sie ist entweder heruntergefahren (was wir präferieren) oder sie ist zumindest gespeichert. Diese Ausfallzeit der VM kann, je nach Größe der VHDs und Snapshots, schon einige Minuten dauern. Als Beispiel dauert der Export unseres Exchange Server mit ca. 80 GB um die 30 Minuten. Natürlich möchten wir den Exportvorgang nicht von Hand anstoßen, sondern automatisieren. Deswegen haben wir uns ein PowerShell Script geschrieben, das mittels Aufgabenplaner in regelmäßigen Interwallen diesen Exportvorgang durchführt. Wenn Sie möchten kopiert dann dieses Script, nach Abschluss des Exportvorgangs, die Daten auf einen beliebigen Netzwerkpfad, damit die Daten nicht nur auf dem Host liegen.

Hier der grobe Ablauf des Scripts:

1. Maschine herunterfahren oder schlafen legen
2. Exportvorgang auf lokalen Datenträger
3. Maschine starten oder aufwecken
4. Gegebenenfalls den Export auf Netzwerkfreigabe kopieren

Damit unser PowerShell Script funktioniert, benötigen wir die PSHyperv Library die James O’Neill entwickelt und unter  CodePlex (Download unter http://www.codeplex.com/psHyperV) frei zur Verfügung stellt.  Achtung: die aktuelle Version funktioniert nur mit der PowerShell V2, allerdings auf beiden Hyper-V Varianten. Zum reibungslosen Installieren der Library sind folgende Schritte vorab durchzuführen:

1. Sie laden das ZIP-Archive in ein Verzeichnis (z.B. C:\Temp) herunter
2. Sie wenden das Sysinternal Tool “streams” an, um die Kenzeichnung, dass die Datei aus dem Internet geladen wurde (“Zone.Identifier”), zu entfernen
3. Sie entpacken das Archive in einem temporären Verzeichnis (z.B. c:\Temp)

Danach führen Sie die Installation des Library durch: Rechtsklick auf das “install.cmd” Script und auswählen “Als Administrator ausführen”. Jetzt werden Sie gefragt, ob Sie “.Net Framework 2” und “PowerShell” installiert haben. Ist das nicht der Fall, dann brechen Sie bitte die Installation ab und holen dieses nach.Erfüllen Sie alle Voraussetzungen, dann drücken Sie “Enter” und das Script kopiert die Library und nimmt alle erforderlichen Einstellungen vor. In dem Screenshot sehen Sie zwei Fehler, die auf einer nicht Core Installation auftreten. Diese Fehler können Sie ignorieren und bestätigen einige weitere Male die Installationsschritte.

Nach erfolgreicher Installation sollte ein Powershell-Fenster aufgehen, indem Sie die Installation mit dem PowerShell Befehl:

get-command –module HyperV

überprüfen können.

Nach der erfolgreichen Installation der PsHyperV Bibliothek laden Sie unser PowerShell Script “HyperV-Backup.ps1” herunter (die aktuelle Version finden Sie am Ende des Artikels). Das ZIP Archive entpacken Sie in einem Verzeichnis z.B. “C:\Tools”. Auch hier sollten Sie das Sysinternal Tool “streams” anwenden, damit Powershell das Script ausführen kann.

Einen ersten Überblick über die Scriptoptionen erhalten Sie, wenn sie das Script nun aus einer Powershell (Achtung Administratoren Rechten erforderlich) mit dem Argument “-?” oder “-help” aufrufen z.B.: “C:\Tools\HyperV-Backup.ps1 –?”. Als Hilfestellung für den Einsatz gebe ich im folgenden einige Beispiele, wie Sie dieses Script benutzen können:

1. lokaler Export eines VMs:

C:\Tools\HyperV-Backup.ps1 –VM W2K8-VM –ExportPath D:\Exports

Schritte die das Script ausführt:

1. die VM "W2K8-VM” wird heruntergefahren
2. Sie wird in das Verzeichnis C:\Exports\W2K8-VM exportiert und ein dort gegebenenfalls vorhandener alter Export gelöscht
3. die VM wird wieder gestartet

2. lokaler Export einer VM mit Kopie auf Sicherungsserver:

C:\Tools\HyperV-Backup.ps1 –VM W2K8-VM –ExportPath
D:\Exports  -RemotePath \\Storage\Sicherung$ –verbose

Schritte die das Script ausführt:

1. die VM "W2K8-VM” wird heruntergefahren
2. Sie wird in das Verzeichnis C:\Exports\W2K8-VM exportiert und ein dort gegebenenfalls vorhandener alter Export gelöscht
3. die VM “W2K8-VM” wird wieder gestartet
4. Der Export wird in die Netzwerkfreigabe “\\Storage\Hyper-V-Sicherungen$\W2K8-VM” kopiert und ein dort gegebenenfalls vorhandener alter Export gelöscht
5. Die Export unter “D:\Exports\W2K8-VM” wird gelöscht

Zusätzlich gibt das Script, wegen des Schalters –verbose einige Informationen auf der Konsole aus.

3. remote Export mit Kopie auf Sicherungsserver:

C:\Tools\HyperV-Backup.ps1 –VM Debian1-VM –Server Hyperv5
–ExportPath D:\Exports  -SaveState -RemotePath
\\Storage\Sicherung$ –verbose

Schritte die das Script ausführt:

1. die VM "Debian1-VM” wird gespeichert (Option –SaveState)
2. Sie wird in das Verzeichnis D:\Exports\Debian1-VM exportiert und ein dort gegebenenfalls vorhandener alter Export gelöscht
3. die VM “Debian1-VM” wird wieder aufgeweckt
4. Der Export wird in die Netzwerkfreigabe “\\Storage\Hyper-V-Sicherungen$\Debian1-VM” kopiert und ein dort gegebenenfalls vorhandener alter Export gelöscht
5. Die Export unter “D:\Exports\W2K8-VM” wird gelöscht

Zusätzlich gibt das Script wegen des Schalters –verbose einige Informationen auf der Konsole aus.

Nun sollte es ein leichtes sein, mit Hilfe der Windows Aufgabenplanung lokale und auch remote HyperV VMs zu exportieren.

Step-by-Step Guide to Fine-Grained Passwords in Windows Server 2008

This step-by-step guide provides instructions for configuring, applying and editing fine-grained password and account lockout policies for different sets of users in Windows Server 2008.

In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, you could apply only one password and account lockout policy, which is specified in the domain's Default Domain Policy, to all users in the domain. As a result, if you wanted different password and account lockout settings for different sets of users, you had to either create a password filter or deploy multiple domains.

Fine-Grained Passwords in Windows Server 2008

In Windows Server 2008, you can use fine-grained password policies to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain. For example, to increase the security of privileged accounts, you can apply stricter settings to the privileged accounts and then apply less strict settings to the accounts of other users.

Another valid application for using fine-grained password policies, are situations where legacy applications or other data sources require password synchronization.  These situations may require us to relax certain aspects of password complexity or length.

Step-By-Step Configuration of Fine-Grained Passwords in Windows Server 2008

I find it’s best to work with an example to demonstrate a solution, so in this case we will assume that you have a number of users who are Special Administrators and require a stronger password group policy than the standard user.  We will refer to these users as SpecialAdmins

In the following steps, we will configure a fine-grained password policy in Windows Server 2008 with the following settings:

Policy Name	Policy Setting
Enforce password history	24 passwords remembered
Maximum password age	30 days
Minimum password age	1 day
Minimum password length	12 characters
Passwords must meet complexity requirements	Disabled
Account lockout duration	0
Account lockout threshold	3
Reset account lockout counter after	30 minutes

Table 1: Password Policy

Note: yourdomainname in the following steps should be replaced with the NETBIOS name of your domain.

1. Logon to a Windows Server 2008 domain controller using an account that has membership in the Domain Admins group, or equivalent permissions.
2. Go to Start, Administrative Tools, and then select Active Directory Users and Computers
   
   
   
3. Expand yourdomainname.com, right-click on the Users container, select New, and then select Group.
4. On the New Object - Group window, enter SpecialAdmins into the Group Name field, and then click OK
   
   
   
5. Close Active Directory Users and Computers
6. Click Start, click RUN, type ADSIEDIT.MSC, and then click OK
   
   
7. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to
8. In the Name field, enter yourdomainname.com, and then click OK
9. Double-click yourdomainname.com in the console tree, double-clickDC=yourdomainname,DC=com, double-click CN=System, and then click CN=Password Settings Container
   
   
10. Right-click CN=Password Settings Container in the console tree, click New, and then clickObject
    
    
    
11. In the Create Object dialog box, under Select a class, click msDC-PasswordSettings, and then click Next.
    
    
    
12. In the Create Object dialog box, enter SpecialAdmins in the Value field, and then clickNext.
    
    
    
13. For the msDS-PasswordSettingsPrecedence value, enter 1, and then click Next
    
    
    
14. For the msDS-PasswordReversibleEncryptionEnabled value, enter false, and then clickNext
    
    
    
15. For the msDS-PasswordHistoryLength value, enter 24, and then click Next
    
    
    
16. For the msDS-PasswordComplexityEnabled value, enter false, and then click Next
    
    
    
17. For the msDS-MinimumPasswordLength value, enter 12, and then click Next
    
    
    
18. For the msDS-MinimumPasswordAge, enter 1:00:00:00, and then click Next
    
    
    
19. For the msDS-MaximumPasswordAge, enter 30:00:00:00, and then click Next
    
    
    
20. For the msDS-LockoutThreshold, enter 3, and then click Next
    
    
    
21. For the msDS-LockoutObservationWindow, enter 0:00:30:00, and then click Next
    
    
    
22. For the msDS-LockoutDuration, enter (never), and then click Next, then click Finish
    
    
    
23. Right-click on CN=SpecialAdmins in the console tree, and then select Properties
    
    
    
24. On the CN=SpecialAdmins Properties window, select the msDS-PSOAppliesTo attribute, and then click the Edit button
    
    
    
25. On the Multi-valued Distinguished Name With Security Principal Editor window, click on the Add Windows Account button
    
    
    
26. On the Select Users, Computers, or Groups window, enter SpecialAdmins in the Enter the object names to select field, and then click OK
    
    
    
27. Click OK on the Multi-valued Distinguished Name With Security Principal Editor window
28. Click OK on the CN=SpecialAdmins Properties window
    
    

Conclusion

This step-by-step guide demonstrated how to configure fine-grained passwords in WindowsServer 2008.  We defined a number of password settings and applied it to a Active Directory Group.  From now on, all user members of the group will be applied with the custom password policy.

References

What is the function of the msDS-LockoutDuration element of the fine-grain account lockout policy?
http://www.ucertify.com/article/what-is-the-function-of-the-msds-lockoutduration-element-of-the-fine-grain-account-lockout-policy.html

AD DS Fine-Grained Password and Account Lockout Policy
http://technet.microsoft.com/en-us/library/cc770842.aspx

Active Directory Domain Services
http://technet.microsoft.com/en-us/library/cc770357.aspx

Windows Domain Password Policies
http://technet.microsoft.com/en-us/magazine/cc137749.aspx