Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Active Directory / Fine-Grained Password Policy in Active Directory

September 30, 2021 Active DirectoryPowerShellWindows Server 2016Windows Server 2019

Fine-Grained Password Policy in Active Directory

Fine-Grained Password Policies (FGPP) allow you to create multiple password policies for specific users or groups. Multiple password policies are available starting with the Windows Server 2008 version of Active Directory. In previous versions of AD, you could create only one password policy per domain (using the Default Domain Policy).

In this article, we’ll show how to create and configure multiple Password Setting Objects in an Active Directory domain.

Contents:
  • Fine-Grained Password Policies Concepts
  • How to Create Password Setting Policy (PSO) in Active Directory?
  • Configuring Fine-Grained Password Policies (PSOs) Using PowerShell

Fine-Grained Password Policies Concepts

Fine-Grained Password Policies allow an administrator to create multiple custom Password Setting Objects (PSO) in an AD domain. In PSOs, you can set the password requirements (length, complexity, history) and account lockout options. PSO policies can be assigned to specific users or groups, but not to Active Directory containers (OUs). If a PSO is assigned to a user, then the password policy settings from the Default Domain Policy GPO are no longer applied to the user.

For example, using FGPP policies you can increase the requirements to the length and complexity of passwords for the administrator accounts, service accounts, or users having external access to the domain resources (via VPN or DirectAccess).

Basic requirements for using multiple FGPP password policies in a domain:

  • Domain functional level of Windows Server 2008 domain or newer;
  • Password policies can be assigned to users or Global (!) security groups;
  •  FGPP is applied entirely (you cannot set some of the password settings in the GPO, and some of them in FGPP)

How to Create Password Setting Policy (PSO) in Active Directory?

On Windows Server 2012 and newer, you can create and edit Fine-Grained Password Policies from the graphical interface of the Active Directory Administration Center (ADAC) console.

This version of AD also includes an Active Directory Recycle Bin, which allows you to restore deleted AD objects, and Managed Service Accounts (gMSA).

In this example, we’ll show how to create and assign a separate password policy for the Domain Admins group.

Start the Active Directory Administrative Center (dsac.msc), switch to the tree view and expand the System container. Find the Password Settings Container, right-click it, and select New -> Password Settings.

Active Directory Administrative Center - Password Settings Container

Specify the name of the password policy (in our example it is Password Policy for Domain Admins) and configure its settings (minimal length and complexity of a password, the number of passwords stored in the history, lockout settings, how often to change password, etc.).

Each of the PSO parameters (msDS-PasswordSettings class) is described by a separate AD attribute:

  • msDS-LockoutDuration
  • msDS-LockoutObservationWindow
  • msDS-LockoutThreshold
  • msDS-MaximumPasswordAge
  • msDS-MinimumPasswordAge
  • msDS-MinimumPasswordLength
  • msDS-PasswordComplexityEnabled
  • msDS-PasswordHistoryLength
  • msDS-PasswordReversibleEncryptionEnabled
  • msDS-PasswordSettingsPrecedence

Pay attention to the Precedence attribute. This attribute determines the priority of the current password policy. If an object has several FGPP policies assigned to it, the policy with the lowest value in the Precedence field will be applied.

Note.

  • If a user has two policies with the same Precedence value assigned, the policy with the lower GUID will be applied.
  • If a user has several policies assigned, and one of them enabled through the AD security group, and another one assigned to the user account directly, then the policy assigned to the account will be applied.

Then add groups or users in the Direct Applies To section to apply the policy (in our case, it is Domain Admins). We recommend that you apply the PSO policy to groups rather than individual users. Save the policy.

Fine Grained Password Policy for domain admins

After that, this password policy will be applied to all members of the Domain Admins group.

Start the Active Directory Users and Computers (dsa.msc) console (with the Advanced Features option enabled) and open the properties of any user from the Domain Admins group. Go to the Attribute Editor tab and select Constructed option in the Filter field.

Find the msDS-ResultantPSO user attribute. This attribute shows the password policy enabled for a user (CN=Password Policy for Domain Admin,CN=Password Settings Container,CN=System,DC=woshub,DC=com).

msDS-ResultantPSO

You can also get the current PSO policy for a user using the dsget tool:

dsget user "CN=Max,OU=Admins,DC=woshub,DC=com" –effectivepso

dsget-user –effectivepso

Configuring Fine-Grained Password Policies (PSOs) Using PowerShell

You can manage PSO password policies using PowerShell (the Active Directory PowerShell module must be installed on your computer).

The New-ADFineGrainedPasswordPolicy cmdlet is used to create a new PSO:

New-ADFineGrainedPasswordPolicy -Name “Admin PSO Policy” -Precedence 10 -ComplexityEnabled $true -Description “Domain password policy for admins”-DisplayName “Admin PSO Policy” -LockoutDuration “0.20:00:00” -LockoutObservationWindow “0.00:30:00” -LockoutThreshold 6 -MaxPasswordAge “12.00:00:00” -MinPasswordAge “1.00:00:00” -MinPasswordLength 8 -PasswordHistoryCount 12 -ReversibleEncryptionEnabled $false

Now you can assign a password policy to a user group:

Add-ADFineGrainedPasswordPolicySubject “Admin PSO Policy” -Subjects “Domain Admins”

Add-ADFineGrainedPasswordPolicySubject powershell

To change the PSO policy settings:

Set-ADFineGrainedPasswordPolicy "Admin PSO Policy" -PasswordHistoryCount:"12"

List all FGPP policies in a domain:

Get-ADFineGrainedPasswordPolicy -Filter *

Get-ADFineGrainedPasswordPolicy - list custom password policies in active directory with powershell

Use the Get-ADUserResultantPasswordPolicy command to get the resulting password policy that applies to a specific user.

Get-ADUserResultantPasswordPolicy -Identity jsmith

Get-ADUserResultantPasswordPolicy - show resulting password policy for a user account

The name of the PSO that applies to the user is specified in the Name field.

You can display the list of PSO policies assigned to an Active Directory group using the Get-ADGroup cmdlet:

Get-ADGroup "Domain Admins" -properties * | Select-Object msDS-PSOApplied

To show the default password policy settings from the Default Domain Policy GPO, run the command:

Get-ADDefaultDomainPasswordPolicy

Despite using Fine-Grained Password policies, users can still use weak passwords, like P@ssw0rd, Pa$$w0rd, etc. We recommend that you periodically audit your domain for weak user passwords.

0 comment
7
Facebook Twitter Google + Pinterest
previous post
Enabling Modern or Basic Authentication for Microsoft 365
next post
How to Check Office 2019, 2016 and 365 License Activation Status?

Related Reading

Configuring Event Viewer Log Size on Windows

May 24, 2023

How to Detect Who Changed the File/Folder NTFS...

May 24, 2023

Enable Single Sign-On (SSO) Authentication on RDS Windows...

May 23, 2023

Allow Non-admin Users RDP Access to Windows Server

May 22, 2023

How to Create, Change, and Remove Local Users...

May 17, 2023

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configuring Event Viewer Log Size on Windows

    May 24, 2023
  • How to Detect Who Changed the File/Folder NTFS Permissions on Windows?

    May 24, 2023
  • Enable Single Sign-On (SSO) Authentication on RDS Windows Server

    May 23, 2023
  • Allow Non-admin Users RDP Access to Windows Server

    May 22, 2023
  • How to Create, Change, and Remove Local Users or Groups with PowerShell?

    May 17, 2023
  • Fix: BSOD Error 0x0000007B (INACCESSABLE_BOOT_DEVICE) on Windows

    May 16, 2023
  • View Success and Failed Local Logon Attempts on Windows

    May 2, 2023
  • Fix: “Something Went Wrong” Error When Installing Teams

    May 2, 2023
  • Querying Windows Event Logs with PowerShell

    May 2, 2023
  • Configure Windows LAPS (Local Administrator Passwords Solution) in AD

    April 25, 2023

Follow us

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Configure Google Chrome Settings with Group Policy
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • How to Find the Source of Account Lockouts in Active Directory?
  • Get-ADComputer: Find Computer Properties in Active Directory with PowerShell
  • Configuring Proxy Settings on Windows Using Group Policy Preferences
  • How to Disable or Enable USB Drives in Windows using Group Policy?
  • Deploy PowerShell Active Directory Module without Installing RSAT
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top