Password and account lockout policies on Active Directory Domain Services managed domains

To manage user security in Azure Active Directory Domain Services (Azure AD DS), you can define fine-grained password policies that control account lockout settings or minimum password length and complexity. A default fine-grained password policy is created and applied to all users in an Azure AD DS managed domain. To provide granular control and meet specific business or compliance needs, additional policies can be created and applied to specific groups of users.

This article shows you how to create and configure a fine-grained password policy in Azure AD DS using the Active Directory Administrative Center.

Note

Password policies are only available for managed domains created using the Resource Manager deployment model. For older managed domains created using Classic, migrate from the Classic virtual network model to Resource Manager.

Before you begin

To complete this article, you need the following resources and privileges:

Default password policy settings

Fine-grained password policies (FGPPs) let you apply specific password and account lockout restrictions to different users in a domain. For example, to secure privileged accounts you can apply stricter account lockout settings than you do for regular, non-privileged accounts. You can create multiple FGPPs within a managed domain and specify the order of precedence in which they are applied to users.

Policies are distributed through group association in a managed domain, and any changes you make are applied at the user's next sign-in. Changing a policy doesn't unlock a user account that's already locked out.

Password policies behave a little differently depending on how the user account they're applied to was created. There are two ways a user account can be created in Azure AD DS:

  • The user account can be synchronized in from Azure AD. This includes cloud-only user accounts created directly in Azure, and hybrid user accounts synchronized from an on-premises AD DS environment using Azure AD Connect.
    • The majority of user accounts in Azure AD DS are created through the synchronization process from Azure AD.
  • The user account can be created manually in the managed domain, and doesn't exist in Azure AD.

All users, regardless of how they're created, have the following account lockout settings applied by the default password policy in Azure AD DS:

  • Account lockout duration: 30 minutes
  • Number of failed logon attempts allowed: 5
  • Reset failed logon attempts count after: 2 minutes
  • Maximum password age (lifetime): 90 days

With these default settings, a user account is locked out for 30 minutes if five invalid passwords are used within 2 minutes. Accounts are automatically unlocked after 30 minutes.

Account lockouts only occur within the managed domain. User accounts are only locked out in Azure AD DS, and only due to failed sign-in attempts against the managed domain. User accounts that were synchronized in from Azure AD or on-premises aren't locked out in their source directories, only in Azure AD DS.

If you have an Azure AD password policy that specifies a maximum password age greater than 90 days, that password age is applied to the default policy in Azure AD DS. You can configure a custom password policy to define a different maximum password age in Azure AD DS. Take care if the maximum password age configured in an Azure AD DS password policy is shorter than the one configured in Azure AD or in an on-premises AD DS environment. In that scenario, a user's password may expire in Azure AD DS before they're prompted to change it in Azure AD or the on-premises AD DS environment.

For user accounts created manually in a managed domain, the following additional password settings are also applied from the default policy. These settings don't apply to user accounts synchronized in from Azure AD, because such a user can't update their password directly in Azure AD DS.

  • Minimum password length (characters): 7
  • Passwords must meet complexity requirements

You can't modify the account lockout or password settings in the default password policy. Instead, members of the AAD DC Administrators group can create custom password policies and configure them to override (take precedence over) the default built-in policy, as shown in the next section.
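The defaults above, the precedence rule and the "lockout only in the managed domain" behaviour can all be checked from a domain-joined management VM with the ActiveDirectory PowerShell module. The following is an added example, not code from the original article or from Microsoft; the domain name aaddscontoso.com and the user account alice are assumptions, and it assumes you are signed in as a member of AAD DC Administrators.

```powershell
# Added example: inspect the FGPPs in an Azure AD DS managed domain, see which
# one wins for a user, list accounts locked out in the domain, and show when a
# password expires there. Domain and user names below are assumptions.
Import-Module ActiveDirectory

$domain = 'aaddscontoso.com'   # assumed managed domain name
$user   = 'alice'              # assumed account created directly in the domain

# 1. All FGPPs in the managed domain. A lower Precedence number wins; the
#    built-in policy is 200, so a custom policy at 1 overrides it.
Get-ADFineGrainedPasswordPolicy -Filter * -Server $domain |
    Sort-Object Precedence |
    Select-Object Name, Precedence, LockoutThreshold, LockoutObservationWindow,
                  LockoutDuration, MaxPasswordAge, MinPasswordLength, ComplexityEnabled |
    Format-Table -AutoSize

# 2. The policy that actually governs one user after precedence is resolved.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user -Server $domain
"{0} is governed by '{1}' (precedence {2})" -f $user, $resultant.Name, $resultant.Precedence

# 3. Accounts currently locked out here. Lockouts exist only in the managed
#    domain; the same user is not locked in Azure AD or on-premises AD DS.
Search-ADAccount -LockedOut -UsersOnly -Server $domain |
    Get-ADUser -Properties badPwdCount, lockoutTime -Server $domain |
    Select-Object SamAccountName, badPwdCount,
        @{ n = 'LockedSinceUtc'; e = { [DateTime]::FromFileTimeUtc($_.lockoutTime) } }

# Editing a policy never clears an existing lockout; release it explicitly
# if you do not want to wait for LockoutDuration to elapse.
# Unlock-ADAccount -Identity $user -Server $domain

# 4. When the password expires in the managed domain. For a user created
#    directly in the domain this follows the resultant policy's MaxPasswordAge;
#    compare it with the Azure AD or on-premises expiry to catch a mismatch
#    where the managed-domain age is the shorter one.
Get-ADUser -Identity $user -Server $domain `
    -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed' |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        @{ n = 'ExpiresUtc'; e = {
            $t = $_.'msDS-UserPasswordExpiryTimeComputed'
            if ($t -and $t -lt [Int64]::MaxValue) { [DateTime]::FromFileTimeUtc($t) } else { 'never' } } }
```

Step 4 is only meaningful for accounts created in the managed domain; for accounts synchronized from Azure AD the password settings of the FGPP don't apply, so the computed expiry there should not be used to predict when Azure AD will prompt the user.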

Create a custom password policy

As you build and run applications in Azure, you may want to configure a custom password policy. For example, you could create a policy that sets different account lockout settings.

Custom password policies are applied to groups in a managed domain. This configuration effectively overrides the default policy.

To create a custom password policy, you use the Active Directory Administrative Tools from a domain-joined VM. The Active Directory Administrative Center lets you view, edit, and create resources in a managed domain, including OUs.

Note

To create a custom password policy in a managed domain, you must be signed in to a user account that's a member of the AAD DC Administrators group.

  1. From the Start screen, select Administrative Tools. A list of the management tools that were installed in the tutorial to create a management VM is shown.

  2. To create and manage password policies, select Active Directory Administrative Center from the list of administrative tools.

  3. In the left pane, choose your managed domain, such as aaddscontoso.com.

  4. Open the System container, then the Password Settings Container.

    The built-in password policy for the managed domain is shown. You can't modify this built-in policy. Instead, create a custom password policy to override the default policy.

    (Screenshot: creating a password policy in the Active Directory Administrative Center)

  5. In the Tasks panel on the right, select New > Password Settings.

  6. In the Create Password Settings dialog, enter a name for the policy, such as MyCustomFGPP.

  7. When multiple password policies exist, the policy with the highest precedence, or priority, is applied to a user. The lower the number, the higher the priority. The default password policy has a precedence of 200.

    Set the precedence of your custom password policy so that it overrides the default, for example 1.

  8. Edit the other password policy settings as desired. Remember the following key points:

    • Settings like password complexity, age, or expiration time apply only to users created manually in the managed domain.
    • Account lockout settings apply to all users, but only take effect within the managed domain, not in Azure AD itself.

    (Screenshot: creating a custom fine-grained password policy)

  9. Uncheck Protect from accidental deletion. If this option is selected, you can't save the FGPP.

  10. In the Directly Applies To section, select the Add button. In the Select Users or Groups dialog, select the Locations button.

    (Screenshot: selecting the users and groups the password policy applies to)

  11. Password policies can only be applied to groups. In the Locations dialog, expand the domain name, such as aaddscontoso.com, then select an OU, such as AADDC Users. If you have a custom OU that contains the group of users you wish to apply the policy to, select that OU.

    (Screenshot: selecting the OU that contains the group)

  12. Type the name of the group you wish to apply the policy to, then select Check Names to validate that the group exists.

    (Screenshot: searching for and selecting the group the FGPP applies to)

  13. With the name of the group you selected now displayed in the Directly Applies To section, select OK to save your custom password policy.
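The same procedure can be scripted so it is repeatable and reviewable. The following is an added example, not code from the original article or from Microsoft: it creates the FGPP with precedence 1, disables protection from accidental deletion (step 9), attaches it to a group (steps 10 to 13) and then verifies the resultant policy for each member. It assumes the ActiveDirectory module on a domain-joined management VM, sign-in as a member of AAD DC Administrators, the domain aaddscontoso.com and a group named Privileged Operators; the lockout and password values are illustrative and stricter than the defaults.

```powershell
# Added example: scripted equivalent of the ADAC steps above. The policy name,
# group name, domain and the numeric settings are assumptions for illustration.
Import-Module ActiveDirectory

$domain      = 'aaddscontoso.com'       # assumed managed domain
$policyName  = 'MyCustomFGPP'           # same name as used in step 6
$targetGroup = 'Privileged Operators'   # assumed group under the AADDC Users OU

# Precedence 1 overrides the built-in policy (precedence 200).
# ProtectedFromAccidentalDeletion must be $false, otherwise the FGPP cannot be
# saved in a managed domain (step 9). Password-length/age/complexity values only
# affect users created directly in the domain; the lockout values affect everyone.
$params = @{
    Name                            = $policyName
    Precedence                      = 1
    LockoutThreshold                = 3                          # default is 5
    LockoutObservationWindow        = (New-TimeSpan -Minutes 2)
    LockoutDuration                 = (New-TimeSpan -Minutes 60) # default is 30
    MaxPasswordAge                  = (New-TimeSpan -Days 90)
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    MinPasswordLength               = 14                         # default is 7
    ComplexityEnabled               = $true
    PasswordHistoryCount            = 24
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $false
    Server                          = $domain
}
New-ADFineGrainedPasswordPolicy @params

# FGPPs in a managed domain can only target groups: resolve the group and
# attach it as the policy's subject.
$group = Get-ADGroup -Identity $targetGroup -Server $domain
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $group -Server $domain

# Confirm the subject was recorded on the policy.
Get-ADFineGrainedPasswordPolicySubject -Identity $policyName -Server $domain |
    Select-Object Name, ObjectClass

# Verify the effect: every user in the group (including nested membership)
# should now resolve to MyCustomFGPP rather than the built-in policy.
Get-ADGroupMember -Identity $group -Recursive -Server $domain |
    Where-Object ObjectClass -eq 'user' |
    ForEach-Object {
        $rpp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName -Server $domain
        [pscustomobject]@{
            User       = $_.SamAccountName
            Policy     = $rpp.Name
            Precedence = $rpp.Precedence
        }
    } | Format-Table -AutoSize
```

Because the policy is applied at the user's next sign-in and a change never releases an existing lockout, an account that is already locked out when the new policy is attached stays locked until LockoutDuration elapses or an administrator runs Unlock-ADAccount against the managed domain.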

Next steps

For more information about password policies and using the Active Directory Administrative Center, see the following articles: