The following instructions guide you through the basic setup for configuring Granular User Account Password Controls. This is the only way to create more than one password policy usable by Active Directory in Windows 2008 Server.
[_] Windows 2008 Server
[_] ADSI Editor
[_] Active Directory Setup
1. Open the ADSI editor
2. Right click on the 'ADSI Edit' entry and select "Connect to..."
3. In the 'Connection Settings' popup complete the following section
__b. Then click [OK]
4. Now that you have created the default instance, navigate down the tree as follows: 'DC=<domain>' -> 'CN=System' -> 'CN=Password Settings Container'
5. Right click on the container and select 'New' -> 'Object'
6. In the 'Create Object' popup
__a. Select "msDS-PasswordSettings" and click [Next]
__b. Common-Name; Value: "UserLevelPasswordSettings", [Next]
__c. PasswordSettingsPrecedence; Value: "10", [Next]
__d. PasswordReversible; Value: "FALSE", [Next]
__e. PasswordHistoryLength; Value: "10", [Next]
__f. PasswordComplexity; Value: "FALSE", [Next]
__g. MinimumPasswordLength; Value: "6", [Next]
__h. MinimumPasswordAge; Value: "00:00:00:00", [Next]
__i. MaximumPasswordAge; Value: "30:00:00:00", [Next]
__j. LockoutThreshold; Value: "3", [Next]
__k. LockoutObservationWindow; Value: "00:00:30:00", [Next]
__l. LockoutDuration; Value: "00:00:30:00", [Next]
__m. Click [Finish]
Application of settings
1. Right click on the new PSO you created and select 'Properties'
2. Locate the 'msDS-PSOAppliesTo' attribute, highlight it and click [Edit]
3. In the new popup window select [Add Windows Account]
4. Add one of your user accounts to test the new settings
5. Click [OK] to close out and commit your changes
1. Confirm that you can now set a short 6-character password for the desired user account(s).
After you have confirmed that your settings are working you may add specific groups, or additional individual users as needed. Values above can be adjusted as needed for your specific user policy requirements.
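
The same PSO can be created, applied and checked from PowerShell. This is an added example, not part of the original instructions: it assumes a host with the ActiveDirectory module (shipped from Windows Server 2008 R2 onward) and a test account named 'testuser', which is a hypothetical name.

```powershell
# Added example: scripted equivalent of the ADSI Edit steps above.
# Assumptions: ActiveDirectory module is available; 'testuser' is a hypothetical account.
Import-Module ActiveDirectory

$psoName  = 'UserLevelPasswordSettings'   # Common-Name from step 6b
$testUser = 'testuser'                    # hypothetical test account

# Same values as steps 6c-6l. The D:HH:MM:SS strings become TimeSpan objects.
$settings = @{
    Name                        = $psoName
    Precedence                  = 10      # lower number wins when several PSOs apply
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 10
    ComplexityEnabled           = $false
    MinPasswordLength           = 6
    MinPasswordAge              = [TimeSpan]::Zero
    MaxPasswordAge              = [TimeSpan]::FromDays(30)
    LockoutThreshold            = 3
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(30)
    LockoutDuration             = [TimeSpan]::FromMinutes(30)
}
New-ADFineGrainedPasswordPolicy @settings

# Equivalent of editing msDS-PSOAppliesTo on the new PSO.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $testUser

# Verify which PSO actually governs the account. Nothing is returned when
# only the default domain policy applies.
$effective = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($null -eq $effective -or $effective.Name -ne $psoName) {
    Write-Warning "$testUser is not governed by $psoName; check precedence and AppliesTo."
} else {
    $effective | Format-List Name, Precedence, MinPasswordLength, ComplexityEnabled,
        LockoutThreshold, LockoutDuration
}

# Review every PSO in the domain, in winning order, with the accounts and
# groups each one covers.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Format-Table Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo -AutoSize
```

The final listing is worth re-running whenever groups are added to 'msDS-PSOAppliesTo', since a PSO with a 6-character minimum and complexity disabled then covers every member of those groups.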