1. On the Domain Controller : Launch Group Policy Management -> Control PanelSystem and SecurityAdministrative ToolsGroup Policy Management
2. Edit the default group policy or edit the GPO of your choice.
3. Edit “Domain member: Maximum machine account password age” = 999   Located -> Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options
4. Edit “Domain member: Disable machine account password changes” = Enabled   Located -> Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options
5. Edit “Domain controller: Refuse machine account password changes” = Enabled   Located -> Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options
6. Lastly run “gpupdate /force” on all servers that need this change.

Resource links:

http://technet.microsoft.com/en-us/library/cc781050(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc785826(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc781050(WS.10).aspx

Enable Password Question and Password Reset:

When these attributes are set to true in the web config file as seen below, the user is required to provide an answer to a Password Question when the password is first created.  When the user resets their password, they will also be required to provider the answer they supplied to the Password Question when the password was first created. 

<membership defaultProvider=”ADAMProvider”>
  <providers>
    <add
      connectionStringName=”ADCnString”
      connectionUsername=”CN=ADAdmin,OU=Users,O=ADAuth”
      connectionPassword=Pass@word1
      connectionProtection=”None”
      requiresQuestionAndAnswer=”true”
      enablePasswordReset=”true” …

Mapping Password Question and Answer Attributes:

Both the Password Question and the Answer will be saved in the SQL Server, Active Directory, or the Active Directory Application Mode (ADAM) depending upon the provider you are using. However, if you are using the Active Directory Provider you will be required to modify the schema of either the Active Directory or ADAM to store the Password Question and Password Answer.  Then in the web config file you will need map the Password Question and Answer’s attributes to the modified schema as shown below:

<membership defaultProvider=”ADAMProvider”>
   <providers>
      <add
         connectionStringName=”ADCnString”
         connectionUsername=”CN=ADAdmin,OU=Users,O=ADAuth”
         connectionPassword=Pass@word1
         connectionProtection=”None”
         requiresQuestionAndAnswer=”true”
         enablePasswordReset=”true”
         attributeMapPasswordQuestion=”PwdQuestion”
         attributeMapPasswordAnswer=”PwdAnswer” …
 

Example Schema Modification:

Creating the PwdQuestion and PwdAnswer attribute as defined above is not difficult in the ADAM ADSI Edit tool under the Schema configuration, but initially it takes a while to figure out what values required by the attribute schema wizard.  Below is an example of the values that you can use in your Active Directory or ADAM directory.

    cn:  PwdQuestion
    OMSyntax: 64 (for Unicode string)
    lDAPDisplayName: PwdQuestion
    isSingleValued: TRUE
    AttributeSyntax: 2.5.5.12 (Active Directory syntax type of Unicode)
    AttributeID: 1.2.840.113556.1.6.1.1.6221 (Unique Object Identifiers (OIDs))

    cn:  PwdAnswer
    OMSyntax: 64 (for Unicode string)
    lDAPDisplayName: PwdAnswer
    isSingleValued: TRUE
    AttributeSyntax: 2.5.5.12
    AttributeID: 1.2.840.113556.1.6.1.1.6222

Schema modifications:
Creating the Failed Password Count, Failed Password Answer Time and Failed Password Locked Out Time attributes–as defined below–is not difficult in the ADAM ADSI Edit tool under the Schema configuration, but initially it takes a while to figure out what values are required by the attribute schema wizard. Below is an example of the values that you can use in your Active Directory or ADAM directory.

cn: FailedPwdCount
OMSyntax: 2 (for type integer)
lDAPDisplayName: FailedPwdCount
isSingleValued: TRUE
AttributeSyntax: 2.5.5.9 (Active Directory syntax type of Unicode)
AttributeID: 1.2.840.113556.1.6.1.1.6223 (Unique Object Identifiers (OIDs))

cn: FailedPwdAnswerTime
OMSyntax: 65 (for Large integer/Interval)
lDAPDisplayName: FailedPwdAnswerTime
isSingleValued: TRUE
AttributeSyntax: 2.5.5.16
AttributeID: 1.2.840.113556.1.6.1.1.6224

cn: FailedPwdLockOutTime
OMSyntax: 65 (for Large integer/Interval)
lDAPDisplayName: FailedPwdLockOutTime
isSingleValued: TRUE
AttributeSyntax: 2.5.5.16
AttributeID: 1.2.840.113556.1.6.1.1.6225

Modify Web Config File:
When using the Active Directory Provider you will be required to modify the Web config to map the Failed Password Answer Count, Failed Password Answer Time and Failed Password Answer Lockout Time attributes to the appropriate User’s properties (as created above) in either your Active Directory or ADAM.

<membership defaultProvider=”ADAMProvider”>
   <providers>
      <add

connectionStringName=”ADCnString”
connectionUsername=”CN=ADAdmin,OU=Users,O=ADAuth”
connectionPassword=Pass@word1
connectionProtection=”None”
requiresQuestionAndAnswer=”true”
enablePasswordReset=”true”
attributeMapPasswordQuestion=”PwdQuestion”
attributeMapPasswordAnswer=”PwdAnswer”
attributeMapFailedPasswordAnswerCount=”FailedPwdCount” attributeMapFailedPasswordAnswerTime=”FailedPwdAnswerTime”
attributeMapFailedPasswordAnswerLockoutTime=”FailedPwdLockOutTime”

(Adding the attributes to the user clasee)

From the Schema Console, click the Class folder. Scroll down to the User class, right-click it, and select Properties. On the user Properties dialog box, click the Attributes tab, which Figure 7 shows. Click Add, then choose the Gender attribute. Click OK twice, and you’ve successfully added the Gender attribute to the User class.