Fine-Grained Password Policy is not working properly

Federico Coppola 1,181 Reputation points
2021-01-12T10:48:32.403+00:00

Hi all,
I created and configured a domain password policy using a Fine-Grained Password Policy.
I created a Security Group to apply this password policy to a few Active Directory users.

My issue is that users that are NOT inside the Security Group are asked to meet the minimum requirements of the password policy.

55619-image.png

Here you can see settings:
55723-image.png
55761-image.png

The name of Security Group is "Password Policy".

How can I do it?
I would like users that are not members of this group to be free to set a "weak password".

Thanks in advance
Best regards
Federico


Accepted answer
  1. Thameur-BOURBITA 32,586 Reputation points
    2021-01-12T22:59:56.19+00:00

    Hi,

    You can use the PowerShell command Get-ADUserResultantPasswordPolicy to check whether a password policy is already applied to this user:

    Get-ADUserResultantPasswordPolicy -Identity <username>

    If you want to enable weak passwords for this user, you can create another password policy with the following settings:

    • Complexity disabled
    • Minimum password length => 0
    • PasswordHistoryCount => 0

    New-ADFineGrainedPasswordPolicy

    ----------

    Please don't forget to mark helpful reply as answer


5 additional answers

  1. Fan Fan 15,296 Reputation points Microsoft Vendor
    2021-01-13T00:56:01.023+00:00

    Hi,

    Fine-grained password policies apply only to global security groups and user objects.
    Will the FGPP work if you assign the policy to user objects directly?
    https://learn.microsoft.com/en-us/archive/blogs/canitpro/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad

    Best Regards,


  2. Federico Coppola 1,181 Reputation points
    2021-01-13T21:06:41.577+00:00

    Hi,
    Thanks for your reply.

    My FGPP works properly with AD users inside the "PasswordPolicy" Security Group.

    I noted that now I cannot create a new user that is not inside the "PasswordPolicy" group with a weak password. Is it normal?

    @Thameur-BOURBITA
    I have created a new test user inside Active Directory and I had to set a complex password, and it is not a member of the "PasswordPolicy" group.

    56391-image.png

    My goal is:

    1) Users inside the "PasswordPolicy" group --> they must set a strong password
    2) Users that are not members of the "PasswordPolicy" group --> they can set a weak password. These accounts are not used for users or important accounts.

    I hope that is clear
    Thanks


  3. Federico Coppola 1,181 Reputation points
    2021-01-13T21:16:10.213+00:00

    Hi,
    I created a new policy inside FGPP configuration menu.
    I applied this new policy to the "Domain Users" group as @Thameur-BOURBITA said.

    56373-image.png

    In my case the main policy (strong password) has a priority value of 1; this second policy has a priority value of 2.

    I tested the new policy by creating a new account and it works fine.

    56344-image.png

    Thanks so much for your help
    Federico


  4. Thameur-BOURBITA 32,586 Reputation points
    2021-01-13T22:28:35.01+00:00

    Hi,

    I noted that now I cannot create a new user that is not inside the "PasswordPolicy" group with a weak password. Is it normal?

    Yes, it's normal, because the password policy defined in the default domain GPO will be applied by default to a new user until it is added to a group set on one of your FGPPs.
    Regarding new users, you can modify the default domain GPO or create a new FGPP as you did.


    Please don't forget to mark helpful reply as answer

    0 comments No comments
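A check that fits the outcome of this thread, as an added example (not code from any of the posters): with a strong FGPP at precedence 1 on the "PasswordPolicy" group and a weak one at precedence 2 on "Domain Users", this PowerShell lists every FGPP, resolves which policy wins for each enabled user, and flags the accounts left under a weak policy. The 8-character threshold and the `Weak` column are assumptions of the example, not values from the thread.

```powershell
# Added example: report the effective password policy for every enabled user.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption for this example: anything shorter than this counts as weak.
$MinAcceptableLength = 8

# Fallback policy that is in effect when no FGPP applies to a user.
$default = Get-ADDefaultDomainPasswordPolicy

# 1. List all FGPPs. The lowest Precedence value wins when several apply.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength,
                  PasswordHistoryCount,
                  @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } } |
    Format-Table -AutoSize

# 2. Resolve the winning policy for each enabled user.
$report = foreach ($user in Get-ADUser -Filter 'Enabled -eq $true') {
    # Returns nothing when no FGPP applies to the user.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    $effective = if ($pso) { $pso } else { $default }

    [pscustomobject]@{
        User       = $user.SamAccountName
        Policy     = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        Complexity = $effective.ComplexityEnabled
        MinLength  = $effective.MinPasswordLength
        History    = $effective.PasswordHistoryCount
        Weak       = (-not $effective.ComplexityEnabled) -or
                     ($effective.MinPasswordLength -lt $MinAcceptableLength)
    }
}

# 3. Show only the accounts that end up under a weak policy.
$report | Where-Object Weak | Sort-Object Policy, User | Format-Table -AutoSize
```

Any account in the final table that is privileged or used interactively belongs in the group bound to the strong policy.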