Fine-Grained Password Policy

Fine-Grained Password Policies are an enhancement added with the release of Windows Server 2008 that allows technicians to create more granular and secure password policies across their organization.

Benefits

Using Password Settings Objects (PSOs) created through a Fine-Grained Password Policy (FGPP), you gain two large benefits over the default GPO-based password policy.

  1. Can be applied against both computer and user objects, rather than just computer objects.
  2. Passwords can be up to 256 characters long rather than a restrictive 14 character limit.

Configuration

You can create a FGPP either through PowerShell or the Active Directory Administrative Center (ADAC).

  1. Open the Active Directory Administrative Center.
  2. Within the left-hand column, select your domain node, shown as ad (local) if your FQDN is ad.twobyte.blog, for example.
  3. Select the System folder, then select the Password Settings Container folder.
  4. Right-click within the white area and select New » Password Settings.
  5. Fill in your preferred password requirements and select the user groups to which the policy will apply. The image below is only an example; I wouldn’t recommend these settings.

FGPP Example

For this example, we’ll create a policy with the following settings:

Field                     Value
Name                      Default Password Policy
Complexity                Disabled
Minimum Password Length   20 (characters)
Minimum Password Age      1 (days)
Password History Count    10
Reversible Encryption     Disabled

On a domain controller, open PowerShell as an administrator and complete the following steps.

FGPP Creation

Create the Fine Grained Password Policy outlined above.

# -MinPasswordAge takes a TimeSpan. A bare integer (e.g. 1) is converted to
# ticks, not days, so the value is written as days.hours:minutes:seconds.
New-ADFineGrainedPasswordPolicy `
  -Name "DefaultPasswordPolicy" `
  -Precedence 500 `
  -Description "Default password policy for all domain users." `
  -DisplayName "Default Password Policy" `
  -ComplexityEnabled $false `
  -MinPasswordLength 20 `
  -PasswordHistoryCount 10 `
  -ReversibleEncryptionEnabled $false `
  -MinPasswordAge "1.00:00:00"

Group Assignment

Next, assign the new policy to the security group whose members will have this policy enforced.

Add-ADFineGrainedPasswordPolicySubject `
  -Identity "DefaultPasswordPolicy" `
  -Subjects "UserSecurityGroupName"

Policy Verification

To view the resulting password policy, use Get-ADFineGrainedPasswordPolicy.

Get-ADFineGrainedPasswordPolicy -Identity "DefaultPasswordPolicy"
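Viewing the PSO alone does not prove it is the policy a given user actually receives: a PSO with a lower precedence number, or one linked directly to the user, wins, and a mistyped TimeSpan silently changes the age setting. The following audit script is an added example, not part of the original post; it assumes the policy and group names used above exist in your domain, and checks both the PSO's settings against the table and each group member's resultant policy.

```powershell
# Added audit example (not from the original post). Assumes the PSO
# "DefaultPasswordPolicy" and group "UserSecurityGroupName" from above exist.
Import-Module ActiveDirectory

$PolicyName = 'DefaultPasswordPolicy'
$GroupName  = 'UserSecurityGroupName'

# Expected values taken from the table in the post.
$Expected = @{
    ComplexityEnabled           = $false
    MinPasswordLength           = 20
    MinPasswordAge              = New-TimeSpan -Days 1
    PasswordHistoryCount        = 10
    ReversibleEncryptionEnabled = $false
}

# 1. Check the PSO itself. This catches the bare-integer TimeSpan mistake
#    (1 tick instead of 1 day) as well as any later drift in the settings.
$pso = Get-ADFineGrainedPasswordPolicy -Identity $PolicyName
foreach ($key in $Expected.Keys) {
    if ($pso.$key -ne $Expected[$key]) {
        Write-Warning "PSO '$PolicyName': $key is '$($pso.$key)', expected '$($Expected[$key])'"
    }
}

# 2. Check the resultant policy per user. Membership in the group does not
#    guarantee this PSO is in effect if another PSO has a lower Precedence
#    value or is linked to the user directly.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user'

$report = foreach ($m in $members) {
    # Returns nothing when no PSO applies, i.e. the domain default is used.
    $effective = Get-ADUserResultantPasswordPolicy -Identity $m.SamAccountName
    [pscustomobject]@{
        User         = $m.SamAccountName
        EffectivePSO = if ($effective) { $effective.Name } else { '(domain default)' }
        AsIntended   = ($effective -and $effective.Name -eq $PolicyName)
    }
}

# Only users whose effective policy is not the intended one are listed.
$report | Where-Object { -not $_.AsIntended } | Format-Table -AutoSize
```

An empty table means every member of the group is governed by the intended PSO with the settings from the table above.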