PreviousNext

ANIXIS Web Site

Password Policy Enforcer

Automated Installation (Advanced Setup)

An automated installation uses Group Policy to automatically install PPE on every domain controller. It will take you approximately 15 minutes to set up the automated installation, so this option is only recommended for networks with more than five domain controllers.

Create a Distribution Point

A distribution point can either be a UNC path to a server share, or a DFS (Distributed File System) path. Organizations with large, multi-site networks should use DFS as it offers fault tolerance and load sharing.

To create a PPE distribution point:

  1. Log on to a server as an administrator.
  2. Create a shared network folder to distribute the files from.
  3. Give the "Domain Controllers" security group read access to the share, and limit write access to authorized personnel only.

Copy PPE61.msi into the Distribution Point

  1. Start the PPE installer (PPE61.exe).
  2. Read the license agreement carefully, and then click Yes if you accept all the license terms and conditions.
  3. Select the Advanced option, and then click Next.
  4. Right-click the PPE61.msi icon, click Copy, and then paste the file into the distribution point.

  5. Give the "Domain Controllers" security group read access to the PPE61.msi file in the distribution point.
  6. Click Finish.

Create a Group Policy Object

If you are using Windows 2008 or 2003 with the Group Policy Management Console:

  1. Start the Group Policy Management Console (gpmc.msc).
  2. Expand the forest and domain items in the left pane.
  3. Right-click the Domain Controllers OU in the left pane, and then click Create and Link a GPO Here... (Create a GPO in this domain, and Link it here... on Windows 2008).
  4. Type "Password Policy Enforcer", and then press ENTER.

If you are using Windows 2000 or 2003 without the Group Policy Management Console:

  1. Start the Active Directory Users and Computers Console (dsa.msc).
  2. Right-click the Domain Controllers OU in the left pane, and then click Properties.
  3. Click the Group Policy tab, and then click New.
  4. Type "Password Policy Enforcer", and then press ENTER.

Edit the Group Policy Object

  1. Right-click the Password Policy Enforcer GPO, and then click Edit.
  2. Expand the Computer Configuration, Policies (Server 2008 only), and Software Settings items.
  3. Right-click the Software installation item, and then select New > Package.
  4. Type the full UNC path to PPE61.msi in the Open dialog box. You must enter a UNC path so that other computers can access this file over the network. For example, \\file server\distribution point share\PPE61.msi
  5. Click Open.
  6. Select the Assigned deployment method, and then click OK.

  7. Close the Group Policy Object Editor.

Complete the Installation

Restart each domain controller to complete the installation. Windows installs PPE during startup, and then immediately restarts the computer a second time to complete the installation.

PPE will not enforce a password policy at this time because no policies are defined. Users can still change their password, and will only need to comply with the Windows password policy rules (if enabled).

Disable the Windows Password Policy Rules

The Windows password policy rules can place restrictions on password history, age, length, and complexity. If you enable the PPE rules and the Windows rules, then users will have to comply with both sets of rules.

PPE has its own History, Minimum Age, Maximum Age, Length, and Complexity rules. You can use the PPE and Windows rules together, but it is easier to disable the Windows rules and use the PPE rules instead. To disable the Windows password policy rules:

  1. Use the Group Policy Management Console, or Active Directory Users and Computers Console to display the GPOs linked at the domain level.
  2. Right-click the Default Domain Policy GPO (or whichever GPO you use to set your domain password policy), and then click Edit.
  3. Expand the Computer Configuration, Policies (Server 2008 only), Windows Settings, Security Settings, Account Policies, and Password Policy items.
  4. Double-click Enforce password history in the right pane of the GPO Editor. Type 0 in the text box, and then click OK.
  5. Double-click Maximum password age in the right pane. Type 0 in the text box, and then click OK.
  6. Double-click Minimum password age in the right pane. Type 0 in the text box, and then click OK.
  7. Double-click Minimum password length in the right pane. Type 0 in the text box, and then click OK.
  8. Double-click Password must meet complexity requirements in the right pane. Select the Disabled option, and then click OK.
  9. Close the Group Policy Object Editor.

© Copyright 1998 - 2011 ANIXIS.
All rights reserved.
PreviousNext