Following the introduction of Windows-based systems into our virtual environment in Lab 3, this final individual lab takes the base Microsoft administrative technologies put in place, such as Active Directory, and pushes them forward with more advanced systems administration features. The major new additions to the infrastructure are Group Policy and fine-grained password policies, where users, computers, and groups are given a more personalized as well as secure computing experience based on the role and importance those objects play in the overall infrastructure. I found the information as well as skills learned in this lab invaluable due to how important Group Policy is to Active Directory and how end systems as well as users are …
Due to the variable scope that each PSO has, an important part of any enterprise is planning out the password policies in detail and how they differ from one another as well as why. My broadest PSO, the domain-wide policy, was also my least restrictive policy. I purposefully set it this way because any user or security group containing users that need the extra security that comes from PSOs should have its own separate PSO defined, meaning that the domain-wide policy would be beaten by the lower precedence of the more specific policy. Due to this, I was very liberal with my settings in this PSO by making a lower password length requirement of 6 characters and a quite high number of 42 days for the maximum password age. I also made it very easy for these users to change their passwords if desired, with only a 1-day minimum wait after the previous password change. Settings get a bit tighter at the group level, as a security group is usually made up of users who have a very specific purpose and need a specific level of security attached to them. For the group PSO, I bumped up the minimum character limit to 8 characters and forced users to wait a minimum of 5 days before being allowed to change a password again. Another change at this level is the time that the account is locked out for, which is approximately one hour. Certain settings that I felt did not really need to be changed are carried over, though, such as keeping a record of the last 24 passwords for when passwords need to be updated. This group-wide GPO was given the precedence of 2, which I picked because it allowed security group users to attach themselves to the group PSO if they do not have a user-specific PSO, but at the same time allowed certain users to have their own user PSO by setting a precedence of 1 and overriding the group PSO. This was the case for my user level PSO for my
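The precedence scheme described above can be modelled offline. This is an added example, not part of the original lab write-up: it resolves which policy applies to an account from constructed data. The names `Resolve-ResultantPso`, `SecGroupA`, `alice`, `bob` and `carol` are hypothetical, and the domain-wide policy is treated as the fallback when no PSO matches.

```powershell
# Constructed sample data. Settings stated in the write-up are used as given;
# the user-level PSO's settings are not stated there, so none are filled in.
$DomainWide = [pscustomobject]@{
    Name = 'DomainWide'; MinLength = 6; MinAgeDays = 1; MaxAgeDays = 42 }

$Psos = @(
    [pscustomobject]@{ Name = 'GroupPSO'; Precedence = 2; MinLength = 8
                       MinAgeDays = 5; History = 24; LockoutMinutes = 60
                       AppliesTo = @('SecGroupA') }   # hypothetical group
    [pscustomobject]@{ Name = 'UserPSO'; Precedence = 1
                       AppliesTo = @('alice') }       # hypothetical user
)

function Resolve-ResultantPso {
    param([string]$User, [string[]]$Groups, [object[]]$Psos, $Default)

    # PSOs linked directly to the user object are considered first; in
    # Active Directory they win over group-linked PSOs whatever the number.
    $direct = @($Psos | Where-Object { $_.AppliesTo -contains $User })

    # Otherwise fall back to PSOs linked to any group the user belongs to.
    $viaGroup = @($Psos | Where-Object {
        $pso = $_
        @($Groups | Where-Object { $pso.AppliesTo -contains $_ }).Count -gt 0
    })

    $candidates = @(if ($direct.Count) { $direct } else { $viaGroup })
    if ($candidates.Count -eq 0) { return $Default }

    # Within one tier the lowest precedence number wins. Ties, which AD
    # breaks by object GUID, are not modelled here.
    $candidates | Sort-Object Precedence | Select-Object -First 1
}

# Three constructed accounts: own PSO plus group membership, group only, neither.
$cases = @(
    @{ User = 'alice'; Groups = @('SecGroupA') }
    @{ User = 'bob';   Groups = @('SecGroupA') }
    @{ User = 'carol'; Groups = @() }
)
foreach ($c in $cases) {
    $r = Resolve-ResultantPso -User $c.User -Groups $c.Groups -Psos $Psos -Default $DomainWide
    '{0}: {1}' -f $c.User, $r.Name
}
```

On a domain-joined machine with the ActiveDirectory module, `Get-ADUserResultantPasswordPolicy` reports the PSO that actually applies to a given account, which is the check to run after linking policies.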