

AD DS: Fine-Grained Password Policies

In Windows 2003 you can't assign more than one password policy, and that policy is applied at the domain level. In Windows 2008 (all versions) you can assign more than one password policy. This feature is called "Fine-Grained Password Policy" (FGPP) in AD DS.

Make a note: you can't apply a Fine-Grained Password Policy at the OU level; you can only assign it to users and global security groups.

You can create the Fine-Grained Password Policy with ADSIEDIT.MSC.

Sample settings of an FGPP:

Expanding base 'CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com'...
Getting 1 entries:
Dn: CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com
cn: biztest;
distinguishedName: CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com;
dSCorePropagationData: 0x0 = (  );
instanceType: 0x4 = ( WRITE );
msDS-LockoutDuration: 0:00:30:00;
msDS-LockoutObservationWindow: 0:00:30:00;
msDS-LockoutThreshold: 10;
msDS-MaximumPasswordAge: 14:00:00:00;
msDS-MinimumPasswordAge: 1:00:00:00;
msDS-MinimumPasswordLength: 12;
msDS-PasswordComplexityEnabled: TRUE;
msDS-PasswordHistoryLength: 14;
msDS-PasswordReversibleEncryptionEnabled: FALSE;
msDS-PasswordSettingsPrecedence: 1;
msDS-PSOAppliesTo: CN=nor,CN=Users,DC=gs,DC=com;
name: biztest;
objectCategory: CN=ms-DS-Password-Settings,CN=Schema,CN=Configuration,DC=gs,DC=com;
objectClass (2): top; msDS-PasswordSettings;
objectGUID: a542fe42-f9d8-44a2-9f2b-905a3dc83f48;
uSNChanged: 32931;
uSNCreated: 32927;
whenChanged: 12/7/2012 6:35:56 PM India Standard Time;
whenCreated: 12/7/2012 6:30:30 PM India Standard Time;

How to Manage Active Directory Password Policies in Windows Server 2008/R2

http://redmondmag.com/Articles/2011/08/01/Managing-Active-Directory-Password-Policies.aspx?Page=1

http://blog.thesysadmins.co.uk/active-directory-fine-grained-passwords-with-adsi-edit.html 
http://showmehowtodoit.com/2012/step-by-step-fine-grained-password-policy-in-windows-2008/

 

Apply PSOs to Users and Global Security Groups

http://technet.microsoft.com/en-us/library/cc731589(WS.10).aspx

For more details, see the links below.

http://blogs.technet.com/b/seanearp/archive/2007/10/06/windows-server-2008-fine-grained-password-policy-walkthrough.aspx

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx 

You can view the PSO settings with the dsquery command:

C:\>dsquery * "CN=FirstFGPP,CN=Password Settings Container,CN=System,DC=contoso,DC=com" -scope base -attr *

To test whether the policy has been applied to a user, run the command below:

C:\>dsget user <user DN> -effectivepso
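
The same checks from PowerShell, as an added example that is not part of the original article: it lists every PSO in precedence order, flags weak settings and links to objects other than users and global security groups, and reports a user's effective PSO. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT); the function names Get-PsoAudit and Get-EffectivePso and the minimum-length baseline of 12 (taken from the sample PSO above) are this example's own.

```powershell
# Added example, not from the original article. Needs the ActiveDirectory module
# and read access to the Password Settings Container.
Import-Module ActiveDirectory

# Assumed baseline, copied from the sample PSO "biztest" above; adjust to your own standard.
$MinLength = 12

function Get-PsoAudit {
    # The PSO with the lowest msDS-PasswordSettingsPrecedence value wins, so list in that order.
    Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
        $pso = $_
        $findings = @()
        if ($pso.ReversibleEncryptionEnabled)      { $findings += 'reversible encryption enabled' }
        if (-not $pso.ComplexityEnabled)           { $findings += 'complexity disabled' }
        if ($pso.MinPasswordLength -lt $MinLength) { $findings += "minimum length below $MinLength" }
        if ($pso.LockoutThreshold -eq 0)           { $findings += 'account lockout disabled' }
        if (@($pso.AppliesTo).Count -eq 0)         { $findings += 'not linked to any user or group' }

        foreach ($dn in $pso.AppliesTo) {
            $target = Get-ADObject -Identity $dn
            if ($target.ObjectClass -eq 'group') {
                $group = Get-ADGroup -Identity $dn
                if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
                    $findings += "linked to a group that is not a global security group: $dn"
                }
            } elseif (@('user', 'inetOrgPerson') -notcontains $target.ObjectClass) {
                # Reported because a PSO only takes effect on users and global security groups.
                $findings += "linked to a $($target.ObjectClass) object: $dn"
            }
        }
        New-Object PSObject -Property @{
            Name = $pso.Name; Precedence = $pso.Precedence
            AppliesTo = $pso.AppliesTo -join '; '; Findings = $findings -join '; '
        }
    } | Select-Object Precedence, Name, AppliesTo, Findings
}

function Get-EffectivePso {
    param([Parameter(Mandatory = $true)][string]$User)
    # Same question as "dsget user <user DN> -effectivepso"; no output means no PSO
    # applies and the user falls under the domain password policy.
    Get-ADUserResultantPasswordPolicy -Identity $User |
        Select-Object Name, Precedence, MinPasswordLength
}

Get-PsoAudit | Format-List
```

Call `Get-EffectivePso -User <sAMAccountName or DN>` for an individual account after the audit.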

 

Fun and Games Active Directory Password Policies-Ask Premier Field Engineering (PFE) Platforms

http://blogs.technet.com/b/askpfeplat/archive/2013/01/14/fun-and-games-active-directory-password-policies.aspx