Domain Management

Active Directory Administrative Center

To manage ad.aimsparking.com, log in to a Windows domain-joined workstation as a Domain Administrator, then launch the ADAC tool (https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center).

User Management

1). Add a User

In the left sidebar, navigate to ad > EDC > Users

Right click Users and choose New > User

Fill out the details of the User (first name, last name, display name, UPN logon, SAMAccountName, email) and add them to the Systems, Sales or Accounting groups.

2). Disable a User

In the left sidebar, navigate to ad > EDC > Users

Right click the user and choose Disable

3). Delete a User

NOTE: Only delete a user once we are certain that we no longer need access to that account. It is preferable to disable the user first and delete the account after a period of time.

In the left sidebar, navigate to ad > EDC > Users

Right click the user and choose Delete

4). Reset a User’s Password

In the left sidebar, navigate to ad > EDC > Users

Right click the user and choose Reset password

Un-check the box User must change password at next log on

Click OK

Password Policy Management

1). Change Lockout Policy, Password Age, Password History

In the left sidebar, navigate to ad > System > Password Settings Container

Double-click policy: PCI Compliance (Systems) or EDC Employees (Sales and Accounting)

Edit the policy:

Click OK to save

2). Change Password Complexity

This is not configurable in ad.aimsparking.com. The defaults enforced when complexity is enabled are defined as:

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements

The Passwords must meet complexity requirements policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements:

Passwords may not contain the user’s samAccountName (Account Name) value or entire displayName (Full Name value). Neither of these checks is case-sensitive.

The samAccountName is checked in its entirety only to determine whether it’s part of the password. If the samAccountName is fewer than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren’t checked. For example, the name “Erin M. Hagens” is split into three tokens: “Erin”, “M”, and “Hagens”. Because the second token is only one character long, it’s ignored. So, this user couldn’t have a password that included either “erin” or “hagens” as a substring anywhere in the password.

The password contains characters from three of the following categories:

Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
Base 10 digits (0 through 9)
Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/) Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting.
Any Unicode character that’s categorized as an alphabetic character but isn’t uppercase or lowercase. This group includes Unicode characters from Asian languages.
Complexity requirements are enforced when passwords are changed or created.
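To make the two rules above concrete, here is an added Python pre-check (not part of the original page and not Microsoft's implementation) that applies the displayName tokenisation and the three-of-five category rule to a candidate password. The samAccountName ehagens and the sample passwords are constructed values.

```python
import re
import unicodedata

# Delimiters on which displayName is split (the list quoted above).
NAME_DELIMITERS = r"[,.\-_ #\t]+"
# Special characters that count as a category (the list quoted above);
# currency symbols such as the Euro or Pound are deliberately absent.
SPECIAL_CHARS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")


def name_tokens(display_name: str) -> list[str]:
    """Split displayName on the delimiters and drop tokens shorter than three characters."""
    return [t.lower() for t in re.split(NAME_DELIMITERS, display_name) if len(t) >= 3]


def contains_account_name(password: str, sam_account_name: str, display_name: str) -> bool:
    """Case-insensitive check for samAccountName (only if >= 3 chars) or any displayName token."""
    pw = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in pw:
        return True
    return any(token in pw for token in name_tokens(display_name))


def character_categories(password: str) -> set[str]:
    """Classify each character into the five categories the policy recognises."""
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            found.add("upper")
        elif cat == "Ll":
            found.add("lower")
        elif ch in "0123456789":          # base-10 digits only, not other Unicode digits
            found.add("digit")
        elif ch in SPECIAL_CHARS:
            found.add("special")
        elif ch.isalpha():                # alphabetic but neither upper- nor lowercase (e.g. CJK)
            found.add("other_alpha")
        # anything else (currency symbols, other Unicode digits, ...) counts toward no category
    return found


def complexity_failures(password: str, sam_account_name: str, display_name: str) -> list[str]:
    """Return the reasons a password would fail the complexity policy; an empty list means it passes."""
    failures = []
    if contains_account_name(password, sam_account_name, display_name):
        failures.append("contains samAccountName or a displayName token")
    if len(character_categories(password)) < 3:
        failures.append("uses fewer than three character categories")
    return failures


if __name__ == "__main__":
    # Constructed sample: the display name from the text above with an assumed samAccountName.
    for pw in ("Hagens2024!", "Qz7#kplmnB", "abcdefg1"):
        print(pw, complexity_failures(pw, "ehagens", "Erin M. Hagens") or "OK")
```

Note that this mirrors only the rules quoted on this page; the domain controller is still the authority, so use it to explain a rejection rather than to replace the policy.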

3). RDP Idle Session Timeout

The idle session timeout can be changed using Group Policy Management.

To install:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265969(v=ws.11)#install-group-policy-management-console-gpmc

Launch gpmc.msc (ensure you are launching the correct tool, Group Policy Management):

Locate the PCI Servers group and double-click on it

Scroll down to the item Windows Components/Remote Desktop Services/…/Session Time Limits, right-click on it and choose Edit; the Group Policy Editor will open with this policy item loaded.

Locate the specific policy setting at Computer Configuration > Policies > Administrative Templates: Policy Definitions (ADMX files retrieved) > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits

Right-click Set time limit for active but idle Remote Desktop Services sessions, choose Edit and set the policy.