Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD
Here is a little something that IT planners/designers, and especially administrators, will be interested in. It’s something that, in all my years managing, designing and deploying AD environments, I've been asked over and over. Sometimes for the wrong reason….
To follow along:
- Download the evaluation of Windows Server 2012
- Use the info in this post to set up your own lab
What do fine-grained password policies do?
You can use fine-grained password policies to specify multiple password policies in a single domain and apply different restrictions for password and account lockout policies to different sets of users in a domain.
For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.
Fine-grained password policies apply only to global security groups and user objects (or inetOrgPerson objects, if they are used instead of user objects). A fine-grained password policy cannot be applied to an organizational unit (OU) directly.
Other considerations are:
- Only members of the Domain Admins group can set fine-grained password policies, but this can be delegated.
- The domain functional level must be at least Windows Server 2008.
- Managing the policies is done through Active Directory Administrative Center and/or Windows PowerShell.
1- To enable Fine-Grained Password Policies (FGPP), open the Active Directory Administrative Center (ADAC), switch to the Tree View and navigate to System, then the Password Settings Container.
2- Right-click the Password Settings Container object and select “New”, then “Password Settings”.
3- In the “Create Password Policy” UI, fill all the fields that are appropriate.
I suggest a descriptive name and a description of why you created the new policy, how it differs from the default password policy, and which group it applies to, just so you know why you did it when you review it down the road. (It could even say “because my boss made me do it…”)
4- Click the Add button in the “Directly Applies To” section and select the global group you want to target, in our case the “High security Users” group, and click OK.
Then click OK to close the “Create Password Policy” dialog.
That’s it. One Fine-Grained Password Policy (FGPP) done!
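The same policy can be created from PowerShell, which is handy for labs and for keeping the definition in version control. The following is an added example, not code from the original post; it uses the ActiveDirectory module from RSAT and the “High security Users” group named above. The PSO name and every setting value are assumptions picked for illustration, and the comparison against the module's ADDomainMode enumeration assumes that type is available, which it is when the module loads. Before creating anything it checks the two prerequisites the post lists: a domain functional level of at least Windows Server 2008, and a target that is a global security group rather than an OU or a domain-local group.

```powershell
# Added example: create and link a fine-grained password policy with PowerShell.
# Requires the ActiveDirectory module and a Domain Admin (or delegated) account.
Import-Module ActiveDirectory

$GroupName = 'High security Users'      # group from the post
$PsoName   = 'PSO-High-Security-Users'  # assumed PSO name

# Preflight 1: FGPP needs a domain functional level of Windows Server 2008 or higher.
$domain = Get-ADDomain
if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level is $($domain.DomainMode); FGPP requires Windows2008Domain or higher."
}

# Preflight 2: a PSO applies only to users or global security groups, never to an OU.
$group = Get-ADGroup -Identity $GroupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$GroupName is a $($group.GroupScope) $($group.GroupCategory) group; FGPP requires a global security group."
}

# Create the PSO. Precedence: when a user is covered by several PSOs, the lowest number wins.
# All values below are assumed settings for a stricter-than-default policy.
New-ADFineGrainedPasswordPolicy -Name $PsoName `
    -DisplayName $PsoName `
    -Description "Stricter policy for $GroupName; differs from the default domain policy in length (15), history (24) and lockout (5)" `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00' `
    -ProtectedFromAccidentalDeletion $true

# Link the PSO to the group: the "Directly Applies To" step from the post.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# Verify the link.
Get-ADFineGrainedPasswordPolicy -Identity $PsoName -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo

# Verify the effective policy for one member: the resultant PSO is what the DC actually enforces,
# so this catches a higher-precedence PSO silently winning over the one just created.
$member = Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -First 1
if ($member) {
    Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
        Select-Object Name, Precedence
}
```

Run it in the lab as a Domain Admin. The resultant-policy check at the end is worth keeping as a routine: a user in several groups gets the PSO with the lowest precedence number, so a new PSO can be linked correctly and still not be the one that applies.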
Cheers!
Pierre Roman, MCITP, ITIL | Technology Evangelist
Comments
- Anonymous, August 09, 2016: cool!
- Anonymous, December 19, 2016: Thank you. This post is really helpful; please keep posting such important topics, which will help all IT professionals.
- Anonymous, May 30, 2017: thank you very much!
- Anonymous, June 15, 2017: Great thing learned from you, thank you