Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD

Here is a little something that IT planners/designers and especially administrators will be interested in. It’s something that, in all my years managing/designing/deploying AD environments, I've been asked over and over. Sometimes for the wrong reason….


What do fine-grained password policies do?

You can use fine-grained password policies to specify multiple password policies in a single domain and apply different restrictions for password and account lockout policies to different sets of users in a domain.

For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

Fine-grained password policies apply only to global security groups and user objects (or inetOrgPerson objects, if they are used instead of user objects). A fine-grained password policy cannot be applied to an organizational unit (OU) directly.

Other considerations are:

  • Only members of the Domain Admins group can set fine-grained password policies, but this can be delegated.
  • The domain functional level must be Windows Server 2008.
  • Managing the policies is done through Active Directory Administrative Center and/or Windows PowerShell.


1- To enable Fine-Grained Password Policies (FGPP), open the Active Directory Administrative Center (ADAC), switch to the Tree View and navigate to System, then Password Settings Container.


2- Right-click the Password Settings Container object and select “New”, then “Password Settings”.


3- In the “Create Password Policy” UI, fill in all the fields that are appropriate.


I suggest a descriptive name and a description of why you created the new policy, how it differs from the default password policy, and what group it applies to, just so you know why you did it when you review it down the road. (It could even say “because my boss made me do it…”)

4- Click the Add button in the “Directly Applies To” section and select the global group you want to target.


In our case, that is the “High security Users” group; select it and click OK.


Then click OK to close the “Create Password Policy” dialogue.


That’s it. One Fine-Grained Password Policy (FGPP) done!
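The post mentions that the policies can also be managed through Windows PowerShell. The following is an added example (not the original post's code) that performs the same four steps with the ActiveDirectory module and then verifies the result. The group name “High security Users” is the one used above; the policy name, the setting values, the precedence and the sample user jdoe are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT)
# and Domain Admin rights, or rights delegated on the Password Settings Container.
Import-Module ActiveDirectory

# Prerequisite check: fine-grained password policies need a Windows Server 2008 domain functional level.
$domainMode = (Get-ADDomain).DomainMode
Write-Host "Domain functional level: $domainMode"

# Assumed policy name and settings; the description records why the policy exists and how it
# differs from the default domain policy, as suggested in the post.
$policyName = 'HighSecurityUsers-PSO'
$pso = New-ADFineGrainedPasswordPolicy -Name $policyName `
    -DisplayName $policyName `
    -Description 'Stricter settings for High security Users: 15-char minimum, 42-day max age, 24 passwords remembered' `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '42.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00' `
    -ProtectedFromAccidentalDeletion $true `
    -PassThru

# Equivalent of the "Directly Applies To" step: target the global security group from the post.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'High security Users'

# Verify what the policy applies to.
Get-ADFineGrainedPasswordPolicySubject -Identity $pso | Select-Object Name, ObjectClass

# Verify the policy a given member actually gets (jdoe is a constructed sample user).
# No output here means the user falls back to the Default Domain Policy settings.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

The resultant-policy check at the end is the one worth keeping around: if a user is a member of several groups that each have a PSO, the policy with the lowest Precedence value wins, so confirming the effective policy per user is the only reliable way to know which settings apply.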


Cheers!


Pierre Roman, MCITP, ITIL | Technology Evangelist