Dec 9, 2013

Disable Password Policies in AD LDS Containing Proxy Objects

Active Directory Lightweight Directory Services (AD LDS), formerly called ADAM, is Microsoft's standalone LDAP implementation. Unless told otherwise, an AD LDS instance enforces the password policies of the local machine, or of the domain if the host is domain-joined, for the users it authenticates itself. If you don't want an AD LDS instance to be affected by the password policies of the local system or the domain, you can deactivate this behaviour by changing the ADAMDisablePasswordPolicies entry in the msDS-Other-Settings attribute of the CN=Directory Service object in the instance's configuration partition from 0 to 1; note that the setting is instance-wide and applies to every application partition the instance hosts. Microsoft documents this procedure. However, the official Microsoft documentation is not specific about how AD LDS handles proxy objects when ADAMDisablePasswordPolicies is changed, and I could not find any clear information on this on the web, so I decided to do this small write-up.
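The change described above, as an added PowerShell example that is not part of the original post: it flips the ADAMDisablePasswordPolicies entry in msDS-Other-Settings while leaving the attribute's other values alone, and reads the value back afterwards. The server address (localhost:389), the parameter names and the -WhatIf switch are assumptions; run it as a member of the instance's Administrators role.

```powershell
# Added example (not from the original post): toggle ADAMDisablePasswordPolicies
# on an AD LDS instance through System.DirectoryServices.
# Assumptions: the instance listens on localhost:389 (override with -Server)
# and the caller is an administrator of that instance.
param(
    [string]$Server = 'localhost:389',
    [ValidateSet(0, 1)][int]$Disable = 1,
    [switch]$WhatIf
)

# The setting lives on the Directory Service object of the instance's
# configuration partition; RootDSE tells us that partition's DN
# (CN=Configuration,CN={GUID}).
$rootDse  = [ADSI]"LDAP://$Server/RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$dsObject = [ADSI]"LDAP://$Server/CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

# msDS-Other-Settings is multi-valued ("ADAMDisablePasswordPolicies=0" among
# other name=value pairs). Only the one entry we care about is replaced.
$current = @($dsObject.Properties['msDS-Other-Settings'].Value)
$before  = $current | Where-Object { $_ -like 'ADAMDisablePasswordPolicies=*' }
Write-Host "Current value: $before"

$updated  = @($current | Where-Object { $_ -notlike 'ADAMDisablePasswordPolicies=*' })
$updated += "ADAMDisablePasswordPolicies=$Disable"

if ($WhatIf) {
    Write-Host 'Would write msDS-Other-Settings:'
    $updated | ForEach-Object { "  $_" }
    return
}

# Write the whole multi-valued attribute back and commit.
$dsObject.Properties['msDS-Other-Settings'].Value = [string[]]$updated
$dsObject.CommitChanges()

# Read back from the server to verify. Remember: this is instance-wide, so it
# changes behaviour for every application partition of this instance.
$dsObject.RefreshCache()
$after = @($dsObject.Properties['msDS-Other-Settings'].Value) |
    Where-Object { $_ -like 'ADAMDisablePasswordPolicies=*' }
Write-Host "New value: $after"
```

Run it once with -WhatIf to see the full attribute before committing; every other name=value pair in msDS-Other-Settings must be written back unchanged, which is why the script rebuilds the list rather than appending to it.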



The Scenario

I recently encountered a situation where one application partition stores regular user objects as well as custom-created proxy user objects. My AD LDS was set up on a domain-joined host, where the domain password policies were applied to the AD LDS for both the user objects and the proxy objects. The proxy objects pointed to user objects in Active Directory (on the domain controller). Requirements changed and I now had to disable the domain password policies in the AD LDS for the regular users while keeping them for the proxy users. The problem was that once you disable AD LDS' password policies, you can no longer make use of the individual policy settings such as complexity or password history. These settings were supposed to be kept for the proxy users while being disabled for the regular users. One approach would have been to move the regular users to a different application partition while keeping the proxy objects in the original AD LDS application partition. Due to certain restrictions I could not do this.

Some testing in the lab showed that setting ADAMDisablePasswordPolicies to 1 affects the regular user objects but leaves the proxy user objects untouched. This is the case because the proxy objects only contain a SID pointing to an object held within the AD: a bind against a proxy object is redirected to the domain using that SID (bind redirection), so the password is checked, and its policy enforced, by the domain controller rather than by the AD LDS instance. Since the actual object resides within the AD, it is unaffected by the ADAMDisablePasswordPolicies flag.
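A check for the situation above, as an added example that is not from the original post: it walks each application partition of the instance and reports which accounts are proxy objects (authenticated by the domain, so the domain policy keeps applying) and which are native AD LDS users (the ones ADAMDisablePasswordPolicies affects). It assumes the instance on localhost:389, that the optional userProxy/userProxyFull classes from MS-UserProxy.LDF and MS-UserProxyFull.LDF are imported, and a domain-joined host so that the proxied SIDs resolve to domain accounts; the function name Resolve-Sid is my own.

```powershell
# Added example (not from the original post). Audits an AD LDS instance and
# reports, per application partition, which accounts are proxy objects and
# which are native AD LDS users, since only the latter are affected by
# ADAMDisablePasswordPolicies.
# Assumptions: instance on localhost:389, the optional userProxy/userProxyFull
# classes are imported, and the script runs on a domain-joined host so the
# SIDs stored in proxy objects can be translated to domain accounts.
param([string]$Server = 'localhost:389')

$rootDse    = [ADSI]"LDAP://$Server/RootDSE"
$partitions = @($rootDse.namingContexts) |
    Where-Object { $_ -notlike 'CN=Configuration,*' -and $_ -notlike 'CN=Schema,*' }

function Resolve-Sid([byte[]]$Raw) {
    # Proxy objects carry the SID of a domain account, which a domain-joined
    # host can translate; native AD LDS SIDs are instance-local and fail.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Raw, 0)
    try   { "$sid -> " + $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { "$sid (not a domain SID)" }
}

foreach ($nc in $partitions) {
    Write-Host "Partition: $nc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Server/$nc"
    $searcher.PageSize   = 500
    $searcher.Filter     = '(|(objectClass=user)(objectClass=userProxy)(objectClass=userProxyFull))'
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectClass', 'objectSid'))

    foreach ($r in $searcher.FindAll()) {
        # Classify by the object's own classes rather than by inheritance so the
        # result does not depend on how the proxy classes were defined.
        $classes = @($r.Properties['objectclass'])
        $isProxy = ($classes -contains 'userProxy') -or ($classes -contains 'userProxyFull')
        $kind = if ($isProxy) { 'PROXY  (domain policy still applies)' } else { 'NATIVE (follows ADAMDisablePasswordPolicies)' }

        $sidInfo = if ($r.Properties['objectsid'].Count -gt 0) {
            Resolve-Sid $r.Properties['objectsid'][0]
        } else { 'no objectSid' }

        '{0,-45} {1}  {2}' -f $kind, $r.Properties['distinguishedname'][0], $sidInfo
    }
}
```

Accounts listed as PROXY keep the domain's complexity and history rules after the flag is set to 1; only the NATIVE ones stop being policy-checked by the instance, which is the behaviour observed in the lab above.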

TL;DR: ADAMDisablePasswordPolicies does not affect proxy objects; on a domain-joined AD LDS instance their passwords remain subject to the domain's password policies.
