How to set appropriate I8 values for PSO time attributes on a Windows Server 2008-based computer

Article translations Article translations
Article ID: 954414 - View products that this article applies to.
Expand all | Collapse all

INTRODUCTION

This article describes how to set appropriate I8 values for Password Settings object (PSO) time attributes on a Windows Server 2008-based computer.

MORE INFORMATION

To store fine-grained password policies, Windows Server 2008 includes the following new object classes in the Active Directory Domain Services schema:
  • Password Settings Container
  • Password Settings
By default, Password Settings Container is created under the System container in the domain. Password Settings Container stores the PSOs for the domain. There are 10 attributes the PSO must have. Of these 10 attributes, the following 4 attributes are related to time:
  • msDS-MaximumPasswordAge
  • msDS-MinimumPasswordAge
  • msDS-LockoutObservationWindow
  • msDS-LockoutDuration
These time attributes are of the "I8" data type. The time attributes store time in intervals of -100 nanoseconds. Windows Server 2003 default domain policy uses the same time unit for its corresponding time-related attributes.

To obtain appropriate I8 values for the time attributes, convert time values in minutes, hours, or days to time values in intervals of 100 nanoseconds. Then, use a negative sign before the resultant values.

You can use the following conversion guide table to obtain the corresponding I8 values.

Collapse this tableExpand this table
Time unitMultiplication factor
m minutes-60*(10^7) = - 600000000
h hours-60*60* (10^7) = -36000000000
d days-24*60*60*(10^7) = -864000000000


The following are examples of how to obtain appropriate I8 values for the time attributes:
  • To obtain the msDS-MaximumPasswordAge time attribute I8 value for 2 days, multiply 2 by -864000000000. For example, use the following equation:
    2*(-864000000000) = -1728000000000
  • To obtain the msDS-MinimumPasswordAge time attribute I8 value for 1 day, multiply 1 by -864000000000. For example, use the following equation:
    1*(-864000000000) = -864000000000
  • To obtain the msDS-LockoutObservationWindow time attribute I8 value for 30 minutes, multiply 30 by -600000000. For example, use the following equation:
    30*(-600000000) = -18000000000
  • To obtain the msDS-LockoutDuration time attribute I8 value for 30 minutes, multiply 30 by -600000000. For example, use the following equation:
    30*(-600000000) = -18000000000
You can use Active Directory Service Interfaces (ADSI) Editor, the Ldp tool, or the Ldifde tool to set appropriate I8 values for the time attributes.

To set appropriate I8 values for the time attributes by using the Ldifde tool, follow these steps:
  1. Define the settings of a new PSO. For example, save the following code as a Pso.ldf file.
    dn: CN=PSO1, CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
    changetype: add
    objectClass: msDS-PasswordSettings
    msDS-MaximumPasswordAge:-1728000000000
    msDS-MinimumPasswordAge:-864000000000
    msDS-MinimumPasswordLength:8
    msDS-PasswordHistoryLength:24
    msDS-PasswordComplexityEnabled:TRUE
    msDS-PasswordReversibleEncryptionEnabled:FALSE
    msDS-LockoutObservationWindow:-18000000000
    msDS-LockoutDuration:-18000000000
    msDS-LockoutThreshold:0
    msDS-PasswordSettingsPrecedence:20
    msDS-PSOAppliesTo:CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com
    Note Use appropriate I8 values for the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration).
  2. Click Start, click Run, type cmd, and then press ENTER.
  3. At the command prompt, type the following command, and then press ENTER:
    ldifde –i –f cust-pso.ldf
  4. At the command prompt, type exit, and then press ENTER to close the Command Prompt window.
For more information about how to use ADSI Editor to set appropriate I8 values for the time attributes, visit the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver2008/en/library/67dc7808-5fb4-42f8-8a48-7452f59672411033.mspx?mfr=true

Properties

Article ID: 954414 - Last Review: July 7, 2008 - Revision: 1.0
APPLIES TO
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Standard
  • Windows Web Server 2008
  • Windows Server 2008 for Itanium-Based Systems
Keywords: 
kbinfo kbexpertiseinter kbhowto KB954414

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com