
    Cool Feature: Windows 2008 Password Settings Container - Fine-Grained Password Policies


    I just played with Windows 2008 and found a nice thing in it: if you want to set up different kinds of password settings for different users, you can tweak this now. So admins should not use company names, product names or years in their passwords. And watch out for admin service accounts (SQL, for example): they are easy to hack!!

    Fine-Grained Password Policies.

    I made a brief description of how to use this.


    I made some screenshots of the how-to.

    [Screenshot: my SCOM server]

    [Screenshot: my W2k8 server] In Adsiedit.msc, find CN=Password Settings Container.

    The container is not there in pre-Beta 3 builds; I tested this in the Microsoft VHD and the container was not there.

    So create a new object of class msDS-PasswordSettings:

    • Object class: Password Settings Object (PSO) (msDS-PasswordSettings)
    • Give it a common name (CN)
    • Set msDS-PasswordSettingsPrecedence

    msDS-PasswordSettingsPrecedence (integer): an integer value that is used to resolve conflicts if multiple Password Settings Objects are applied to a user or group object. A lower precedence value means the Password Settings Object has a higher rank/priority than the other Password Settings Objects. The default value is 1000, I think.
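    To see how the precedence rule plays out, here is an added example (my code, not from this post) that resolves the effective PSO for a user from a set of candidate PSOs. It applies the "lowest precedence number wins" rule above plus the two tie-breakers a Windows Server 2008 domain controller uses: a PSO linked directly to the user account beats any PSO linked only through a group, and among equal precedence values the PSO with the lowest objectGUID wins. The candidate list is constructed sample data, not read from AD, and .NET's System.Guid ordering is assumed for the GUID comparison.

```powershell
# Added example, not from the original post: which PSO wins for a user when
# several apply. Rule from the post: lowest msDS-PasswordSettingsPrecedence wins.
# Tie-breakers a Windows Server 2008 DC applies around that rule:
#   1. a PSO linked directly to the user beats any PSO linked only via a group
#   2. equal precedence: the PSO with the lowest objectGUID wins
#      (.NET's System.Guid ordering is assumed here for that comparison)
# If no PSO applies at all, the Default Domain Policy password settings are used.
function Resolve-EffectivePso {
    param(
        # objects with Name, Precedence (int), ObjectGuid (string), LinkedDirectly (bool)
        [object[]] $Candidates
    )
    if (-not $Candidates -or $Candidates.Count -eq 0) {
        return 'Default Domain Policy'   # no PSO applies to this user
    }
    # Direct user links are considered first; group links only if there are none.
    $direct = @($Candidates | Where-Object { $_.LinkedDirectly })
    $pool   = if ($direct.Count -gt 0) { $direct } else { @($Candidates) }
    $winner = $pool |
        Sort-Object -Property @{ Expression = 'Precedence' },
                              @{ Expression = { [guid]$_.ObjectGuid } } |
        Select-Object -First 1
    return $winner.Name
}

# Constructed sample: the user is in two groups that each carry a PSO, and also
# has a third PSO linked to the account itself.
$candidates = @(
    [pscustomobject]@{ Name = 'PSO-AllStaff';   Precedence = 200; ObjectGuid = '6f1c0e2a-0000-4000-8000-000000000001'; LinkedDirectly = $false }
    [pscustomobject]@{ Name = 'PSO-Admins';     Precedence = 10;  ObjectGuid = '6f1c0e2a-0000-4000-8000-000000000002'; LinkedDirectly = $false }
    [pscustomobject]@{ Name = 'PSO-BreakGlass'; Precedence = 500; ObjectGuid = '6f1c0e2a-0000-4000-8000-000000000003'; LinkedDirectly = $true  }
)

# All three candidates, then the same set with the direct link removed.
Resolve-EffectivePso -Candidates $candidates
Resolve-EffectivePso -Candidates ($candidates | Where-Object { -not $_.LinkedDirectly })
```

    With that sample the direct link makes PSO-BreakGlass the effective policy even though 500 is the worst precedence number; take it away and PSO-Admins wins on precedence. The practical lesson is that a precedence number on its own tells you nothing until you also know how the PSO is linked, so check the resultant policy on a real account rather than trusting the numbers in ADSIedit.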


    • (msDS-PasswordReversibleEncryptionEnabled - boolean) Store passwords using reversible encryption (True or False)
    • (msDS-PasswordHistoryLength - integer) Enforce password history (Number)
    • (msDS-PasswordComplexityEnabled - boolean) Passwords must meet complexity requirements (True or False)


    • (msDS-MinimumPasswordLength - integer) Minimum password length (Number)
    • (msDS-MinimumPasswordAge - integer8) Minimum password age (Number)
    • (msDS-MaximumPasswordAge - integer8) Maximum password age (use the calculator; e.g. the value 42:00:00:00)

      NOTE: Integer8 attributes are 64-bit numbers (8 bytes) which usually represent time in 100-nanosecond intervals.  If the Integer8 attribute is a date, the value represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601.


    • (msDS-LockoutThreshold - integer) Account lockout threshold (Number)
    • (msDS-LockoutObservationWindow - integer8) Reset account lockout after (use the calculator; e.g. the value 42:00:00:00)
    • (msDS-LockoutDuration - integer8) Account lockout duration (use the calculator; e.g. the value 42:00:00:00)


    • Done
    • Go to AD and you can see your creation

    By default, only members of the Domain Admins group can set fine-grained password policies by creating PSOs.
    Only members of this group have the Create Child and Delete Child permissions on the Password Settings Container object.  In addition, only members of the Domain Admins group have Write Property permissions on the PSO by default. Therefore, only members of the Domain Admins group can apply a PSO to a group or user. 
    However, you can also delegate the ability to set these policies to other users. 

    [Screenshot: users screen]

    When the domain functional level is set to Windows Server 2008, password policies can be assigned on a per-user and/or per-group (global security group) basis. A fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply a fine-grained password policy to the users of an OU, you can use a shadow group.
    A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add the users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed.
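    The whole procedure above (the PSO with the attributes listed, and the shadow group for an OU) as one added script. This is my example, not code from the post or from any of the tools it mentions, and it makes assumptions the post does not: the Active Directory PowerShell module (Windows Server 2008 R2 / RSAT or later, so not available on the 2008 box the post was written on) is installed, you run it as a Domain Admin, the domain is at the 2008 functional level, and the policy, group and OU names are placeholders. The ConvertTo-PsoInteger8 helper is also mine; it reproduces what the ADSIedit "calculator" does with a d:h:m:s value, so the script can check that the stored Integer8 matches.

```powershell
# Added example, not from the original post. It builds the same
# msDS-PasswordSettings object the ADSIedit walk-through creates by hand, then
# applies it to a shadow group for one OU, as the paragraph above describes.
# Assumptions (mine, not the post's): the Active Directory PowerShell module
# (Windows Server 2008 R2 / RSAT or later) is available, you are a Domain Admin,
# the domain is at the 2008 functional level, and the OU, group and policy names
# below are placeholders.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$psoName   = 'PSO-ServiceAccounts'           # placeholder policy name
$shadowGrp = 'ServiceAccounts-Shadow'        # placeholder shadow group name
$sourceOu  = "OU=Service Accounts,$domainDn" # placeholder OU whose users get the policy

# The ADSIedit "calculator" value d:h:m:s (e.g. 42:00:00:00) as the Integer8 the
# directory stores: 100-nanosecond ticks, and PSO durations are stored negated.
function ConvertTo-PsoInteger8 {
    param([Parameter(Mandatory)][string] $Dhms)
    $parts = $Dhms.Split(':') | ForEach-Object { [int]$_ }
    $span  = New-TimeSpan -Days $parts[0] -Hours $parts[1] -Minutes $parts[2] -Seconds $parts[3]
    return [long](-$span.Ticks)    # TimeSpan.Ticks are already 100-ns units
}

# 1. The PSO itself. Lower Precedence wins if a user picks up several PSOs.
#    The TimeSpans are the same values you would type into the calculator.
$pso = New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 -MinPasswordLength 20 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 42) `
    -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -PassThru

# 2. Shadow group: a global security group that mirrors the OU's users, because
#    a PSO cannot be linked to an OU directly.
New-ADGroup -Name $shadowGrp -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDn"
$members = Get-ADUser -SearchBase $sourceOu -Filter *
if ($members) { Add-ADGroupMember -Identity $shadowGrp -Members $members }

# 3. Link the PSO to the shadow group (this writes msDS-PSOAppliesTo on the PSO).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $shadowGrp

# 4. Checks: the raw Integer8 must equal the calculator value for 42:00:00:00,
#    and every user in the OU must now resolve to this PSO.
$raw = (Get-ADObject -Identity $pso.DistinguishedName -Properties 'msDS-MaximumPasswordAge').'msDS-MaximumPasswordAge'
if ($raw -ne (ConvertTo-PsoInteger8 '42:00:00:00')) { throw "Unexpected msDS-MaximumPasswordAge: $raw" }
foreach ($u in $members) {
    $effective = (Get-ADUserResultantPasswordPolicy -Identity $u).Name
    if ($effective -ne $psoName) { throw "$($u.SamAccountName) resolves to '$effective', not $psoName" }
}
```

    The last loop is the check worth keeping: a shadow group only works while its membership tracks the OU, so any user created in the OU later falls back to the domain policy until someone adds them to the group. Re-running that loop (or scheduling it) catches the drift.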

    So Adsiedit is fun, just like the display specifiers, but some great people, like Christoffer Andersson, made tools for this.

    After the install and after registering the DLLs for the MMC you have a nice window ;-)


    • InstallUtil.exe "C:\Program Files\FGPP\FGPP.dll"
    • InstallUtil.exe "C:\Program Files\FGPP\PasswordPolicyCmdLet.dll"
    • Start the MMC and select the Fine Grained Password snap-in

    [Screenshot: properties of the policy object]


    Have fun with it.

    Fine Grain Password Policy Tool Beta 1 is ready!

    http://www.anixis.com/products/ppe/

    http://technet2.microsoft.com/windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx?mfr=true

    Using Handy Tools to create a Management pack


    If you want to make a fresh new management pack, then tools are handy.

    One tool to use is EventCreator; get it from the MOM 2005 Resource Kit.

    But there are other commands that are often forgotten, like the SC command.

    From a command line you can create a Windows service. This service can be useful to test your fresh MP.

    The new service does not have to be one of the real services; a fake service is enough to build and test your MP.

    So how does it work? There are several items on the net about it, but here is a brief description.

    Sc.exe uses the following syntax:
    Syntax1 (use Syntax1 to run Sc.exe)

    sc [Servername] Command Servicename [Optionname= Optionvalue...]

    Syntax2 (use Syntax2 to display help information, except for the query command)

    sc [Command]

    DESCRIPTION:
            SC is a command line program used for communicating with the
            NT Service Controller and services.
    USAGE:
            sc <server> [command] [service name] <option1> <option2>...

            The option <server> has the form "\\ServerName"
            Further help on commands can be obtained by typing: "sc [command]"
            Commands:
              query-----------Queries the status for a service, or
                              enumerates the status for types of services.
              queryex---------Queries the extended status for a service, or
                              enumerates the status for types of services.
              start-----------Starts a service.
              pause-----------Sends a PAUSE control request to a service.
              interrogate-----Sends an INTERROGATE control request to a service.
              continue--------Sends a CONTINUE control request to a service.
              stop------------Sends a STOP request to a service.
              config----------Changes the configuration of a service (persistant).
              description-----Changes the description of a service.
              failure---------Changes the actions taken by a service upon failure.
              qc--------------Queries the configuration information for a service.
              qdescription----Queries the description for a service.
              qfailure--------Queries the actions taken by a service upon failure.
              delete----------Deletes a service (from the registry).
              create----------Creates a service. (adds it to the registry).
              control---------Sends a control to a service.
              sdshow----------Displays a service's security descriptor.
              sdset-----------Sets a service's security descriptor.
              GetDisplayName--Gets the DisplayName for a service.
              GetKeyName------Gets the ServiceKeyName for a service.
              EnumDepend------Enumerates Service Dependencies.

            The following commands don't require a service name:
            sc <server> <command> <option>
              boot------------(ok | bad) Indicates whether the last boot should
                              be saved as the last-known-good boot configuration
              Lock------------Locks the Service Database
              QueryLock-------Queries the LockStatus for the SCManager Database
    EXAMPLE:
            sc start MyService

    So in practice it looks like this.

    REM Create the fake service. sc.exe wants a space after each "option=" and none before it.
    REM The depend= option is optional; drop it if the fake service has no dependency.
    sc create "Service Name" displayName= "Service Display Name" binPath= "C:\WINDOWS\system32\clipsrv.exe" start= auto depend= "use this if you want to use a depend - put service name here"
    REM Give it a description so it looks real in the Services console.
    sc description "Service Name" "This service handles agent tasks configured in Clipbook"
    pause

    If you use a batch file, a pause is handy to see whether the service is created. You should see this if the service is created:


    [SC] CreateService SUCCESS

    [SC] ChangeServiceConfig2 SUCCESS

    And deleting the service is easy.

    Just do sc delete "Service Name" (no spaces inside the quotes, or they become part of the name).
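    The same create / check / delete cycle as one added PowerShell script (my example, not from the post). It assumes an elevated PowerShell on the test server; the service name is made up, and the binary path is the one from the post, which need not exist on the box because sc.exe create never checks it (that is exactly why a fake service is so cheap to make). The Invoke-Sc helper is mine too: it runs sc.exe and throws unless the "[SC] ... SUCCESS" line the post tells you to look for is in the output.

```powershell
# Added example, not from the original post: create a fake service to exercise
# a fresh management pack, check sc.exe's answers the way the post describes,
# and clean up. Assumptions (mine): elevated PowerShell on the test server;
# the service name is made up; the binary path is the one from the post and
# need not exist, because "sc create" does not validate it.
$svcName = 'MPTestSvc'
$binPath = 'C:\WINDOWS\system32\clipsrv.exe'

function Invoke-Sc {
    # 'sc' on its own is the PowerShell alias for Set-Content, so always call
    # sc.exe. Returns sc.exe's output as one string and throws if the expected
    # "[SC] ... SUCCESS" text is missing or the exit code is non-zero.
    param([string[]] $ScArgs, [string] $Expect)
    $out = (& sc.exe @ScArgs) -join ' '
    if ($LASTEXITCODE -ne 0 -or $out -notmatch [regex]::Escape($Expect)) {
        throw "sc.exe $($ScArgs -join ' ') failed: $out"
    }
    return $out
}

function New-FakeService {
    param([string] $Name, [string] $DisplayName, [string] $BinPath, [string] $Description)
    # sc.exe syntax: the option name ends in "=" and its value is the next token.
    Invoke-Sc -ScArgs @('create', $Name, 'displayName=', $DisplayName, 'binPath=', $BinPath, 'start=', 'demand') `
              -Expect 'CreateService SUCCESS' | Out-Null
    Invoke-Sc -ScArgs @('description', $Name, $Description) -Expect 'ChangeServiceConfig2 SUCCESS' | Out-Null
    # start= demand: the MP can discover the service in its STOPPED state without
    # the fake binary ever being launched.
    Invoke-Sc -ScArgs @('query', $Name) -Expect 'STATE'
}

function Remove-FakeService {
    param([string] $Name)
    Invoke-Sc -ScArgs @('delete', $Name) -Expect 'DeleteService SUCCESS'
}

New-FakeService -Name $svcName -DisplayName 'MP Test Service (fake)' -BinPath $binPath `
                -Description 'Fake service used to test a management pack'
# ... run your management pack discovery and monitors against $svcName here ...
Remove-FakeService -Name $svcName
```

    One thing the fake service gives you for free: installing a service writes event ID 7045 (Service Control Manager, "A service was installed in the system") to the System log, so the same script also exercises an event rule in your MP. Keep that rule in production too; unexpected service installs are something you want to see.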