question on FGPP

Janus Bariñan 1,126 Reputation points
2020-12-07T06:20:16.91+00:00

Hi,

We have a default password policy in Default Domain Policy.
Default Domain Policy is applied to Authenticated Users (both users and computers).
Password policy is under Computer Configuration. Does it mean it applies to computers and users?

We want to create an FGPP. This is applied to specific users. So wherever the user logs in, the FGPP would apply?

Can FGPP be targeted to specific machines the users log in to? Like if this user logs in to a machine with FGPP it would apply but if user logs in to a different machine the default domain policy would apply.

Is this something doable?

Thanks,

  1. Anonymous
    2020-12-07T09:07:54.533+00:00

    Hello @Janus Bariñan ,

    Thank you for posting here.

    Here are the answers for your reference.

    Q1: Password policy is under Computer Configuration. Does it mean it applies to computers and users?
    A1: Password policy under Computer Configuration in Default Domain Policy applies to computers since it is under Computer Configuration.

    Q2: We want to create an FGPP. This is applied to specific users. So wherever the user logs in, the FGPP would apply?
    A2: Fine-grained password policies apply only to global security groups and user objects.
    If both FGPP and default password policy are applied, the FGPP will have high priority.

    Q3: Can FGPP be targeted to specific machines the users log in to? Like if this user logs in to a machine with FGPP it would apply but if user logs in to a different machine the default domain policy would apply.
    A3: Fine-grained password policies apply only to global security groups and user objects.
    If both FGPP and default password policy are applied, the FGPP will have high priority (the user will use FGPP).

    Q4: Is this something doable?
    A4: See A3.

    For more information about FGPP, please refer to the link below.
    Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD
    https://learn.microsoft.com/zh-cn/archive/blogs/canitpro/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou


  2. Janus Bariñan 1,126 Reputation points
    2020-12-08T03:14:10.08+00:00

    So how do I implement a GPO for specific computers that should have a different password policy than the default domain policy?


  3. Anonymous
    2020-12-08T05:22:12.523+00:00

    Hello @Janus Bariñan ,

    Thank you for your update.

    Q: So how do I implement a GPO for specific computers that should have a different password policy than the default domain policy?
    A: We cannot implement that, because only the password policy in the default domain policy takes effect.

    Best Regards,
    Daisy Zhou


  4. Janus Bariñan 1,126 Reputation points
    2020-12-09T21:14:50.88+00:00

    Hmmm...perhaps I should just duplicate the DDP, rename it and apply it to computers/users and deny those computers/users in the DDP. What do you think?


  5. Anonymous
    2020-12-11T09:41:50.88+00:00

    Hello @Janus Bariñan ,

    Why do you want to duplicate the DDP, rename it and apply it to computers/users and deny those computers/users in the DDP?

    If both FGPP and default password policy are applied, the FGPP will have high priority; the user will use FGPP.

    Best Regards,
    Daisy Zhou
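
The scoping discussed in this thread (an FGPP is linked to user objects or global security groups, and wins over the domain default for those accounts) can be set up and verified as below. This is an added example, not part of any post above; the group name, PSO name, user name and all policy values are hypothetical placeholders, and it assumes the ActiveDirectory module and rights to create password settings objects.

```powershell
# Added example. Every name and value here is a hypothetical placeholder.
Import-Module ActiveDirectory

$GroupName = 'FGPP-Strict-Users'   # hypothetical global security group
$PsoName   = 'PSO-Strict'          # hypothetical password settings object (PSO)
$TestUser  = 'jdoe'                # hypothetical sAMAccountName

# An FGPP subject must be a user object or a GLOBAL security group.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
    Add-ADGroupMember -Identity $GroupName -Members $TestUser
}

# Create the PSO once and link it to the group.
# When several PSOs reach the same user, the lowest Precedence value wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# Verify which policy governs the account.
# Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies,
# in which case the domain password policy is the effective one.
$effective = Get-ADUserResultantPasswordPolicy -Identity $TestUser
if ($effective) {
    "{0}: FGPP '{1}' applies (precedence {2}, min length {3})" -f `
        $TestUser, $effective.Name, $effective.Precedence, $effective.MinPasswordLength
} else {
    $default = Get-ADDefaultDomainPasswordPolicy
    "{0}: no FGPP applies; domain policy (min length {1})" -f `
        $TestUser, $default.MinPasswordLength
}

# Audit view: every PSO, ordered by precedence, with the subjects it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength,
        @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
```

The resultant policy is resolved from the account and its group membership, so the output is the same whichever domain-joined machine the user signs in from.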

