In Active Directory version introduced in Windows Server 2000, you could create only one password policy for the entire domain. This policy was configured within the standard Default Domain Policy. If the administrator assigned a new GPO with other password settings to the OU, CSE (Client Side Extensions) would ignore these policies. Obviously, this approach was not very convenient, and administrators had to look for various tricks (child domains and forests, filters, etc.) that created other troubles.
In this article we’ll show the details of configuration and management of Fine-Grained Password Policies in Windows Server 2012 R2.
Fine-Grained Password Policies
In Windows Server 2008, the developers added a new way that is different from GPO to manage password settings – Fine-Grained Password Policies (FGPP). Fine-Grained Password Policies allow an administrator to create a number of special password management policies (Password Settings Policy — PSO) in a single domain that determine the requirements to passwords (length, complexity, history) and account lockout. PSOs can be assigned to specific users or groups instead of Active Directory containers (OUs). If a PSO is assigned to a user, the password settings of GPO Default Domain Policy are no longer applied to the user.
For example, using FGPP you can impose higher requirements to the length and complexity of passwords for the administrator accounts, service accounts or users having external access to the domain resources (using VPN or DirectAccess).
The main requirements to using multiple FGPP in the domain are the following:
- the functional level of Windows Server 2008 domain or higher
- password policies can be assigned to users or global security groups
- FGPP is applied entirely (you cannot describe some of the settings in the GPO, and some of them in FGPP)
The most important drawback of this feature in Windows Server 2008 is the lack of the convenient tools to manage password policies, which could only be configured from command-line utilities for AD, like ADSIEdit, ldp.exe, LDIFDE.exe.
Configuration of Fine-Grained Password Policies on Windows Server 2012 R2
In ADAC (Active Directory Administration Center) in Windows Server 2012, a new graphic interface appeared to manage Fine-Grained Password Policies. In this example, we’ll show how to assign a separate password policy to the domain group Domain Admins.
Start Active Directory Administrative Center (ADAC) on the domain controller with the administrator privileges, switch to the tree view and expand the System container. Find the Password Settings Container, right-click it and select New -> Password Settings.
In the window that appears specify the name of the password policy (in our example it is Password Policy for Domain Admin) and its settings. All fields are standard: minimal length and complexity of a password, the number of passwords stored in the history, lockout settings, etc. Pay attention to Precedence attribute. It determines the priority of the current password policy. If an object has several FGPP policies assigned to it, the policy with the lowest value in the Precedence field will be applied.
- If a user has two policies with the same Precedence value assigned, the policy with the lowest GUID value will be applied.
- If a user has several policies assigned with one of them enabled through AD security group and another one assigned to the user account directly, the policy assigned to the account will be applied.
After that this password policy will be applied to all members of Domain Admin group. Start Active Directory Users and Computers (ADUC) console (with the installed Advanced Features option) and open the properties of any user from Domain Admin group. Go to Attribute Editor tab and select Constructed option in the Filter field.
Find the msDS-ResultantPSO user attribute. This attribute shows the password policy enabled for a user (CN=Password Policy for Domain Admin,CN=Password Settings Container,CN=System,DC=woshub,DC=com).
You can also get the current PSO policy for a user with the help of dsget command:
dsget user "CN=Max,OU=Admins,DC=woshub,DC=com" –effectivepso
How to Configure Fine-Grained Password Policy Using PowerShell
Of course, in Windows Server 2012 R2 you can create and assign PSO policies to the users using PowerShell:
Create a policy:
New-ADFineGrainedPasswordPolicy -Name “Admin PSO Policy” -Precedence 10 -ComplexityEnabled $true -Description “Domain password policy for admins”-DisplayName “Admin PSO Policy” -LockoutDuration “0.20:00:00” -LockoutObservationWindow “0.00:30:00” -LockoutThreshold 6 -MaxPasswordAge “12.00:00:00” -MinPasswordAge “1.00:00:00” -MinPasswordLength 8 -PasswordHistoryCount 12 -ReversibleEncryptionEnabled $false
Assign the policy to a group of users:
Add-ADFineGrainedPasswordPolicySubject “Admin PSO Policy” -Subjects “Domain Admins”