Fine-Grained Password Policy


As you know, in Windows 2000 Server and Windows Server 2003 you could only have one password policy per domain. If your company required different password policies for particular departments, you had to set up a separate domain for each of them or look for 3rd party tools to fulfill these requirements. Those were your only choices.

In Windows Server 2008 (Domain Functional Level) Microsoft introduced a new feature called “Fine-Grained Password Policy“ (FGPP). It still does not allow more than one global, domain-wide password policy defined in GPO, but it lets you define additional password policies in your environment without creating additional domains. Each such policy is a Password Settings Object (PSO), created in the domain and stored in the “domain partition“ under CN=Password Settings Container,CN=System. The main difference between the GPO password policy and FGPP is that you cannot assign a PSO to an Organizational Unit (OU). These password policies can only be applied to:

  • user
  • group (global security groups only)

In Windows Server 2008/2008 R2 setting up these policies is not very convenient, as you need to use ADSI Edit for that. It is also a little difficult to track which policy takes effect when more than one is applied to a user or group. In Windows Server 2012 Microsoft created a GUI for FGPP management, available in the new Active Directory Administrative Center (ADAC).

In this article we will focus only on Windows Server 2012 and the new GUI feature within ADAC. However, if you are also interested in how to create FGPP in Windows Server 2008/2008 R2, please read the Microsoft article referenced below:

Important! Remember that to be able to use Fine-Grained Password Policies, your Domain Functional Level must be at least Windows Server 2008.

Let’s try to configure an example Fine-Grained Password Policy in Windows Server 2012. To do that we need access to a Windows Server 2012 machine or to Windows 8 with RSAT, where the new Active Directory Administrative Center is available.

When you have Server Manager up and running, go to “Tools” and open the ADAC console.

ADAC console

In Active Directory Administrative Center console, select “Tree” view and expand your domain node.

Active Directory Administrative Center

Now select the “System” container and, in the middle pane, look for “Password Settings Container”.

Password Settings container

Right-click it and choose “New -> Password Settings” to create a new password policy.

Note! If the “New” and “Delete” entries are grayed out, your domain does not fulfill the FGPP requirements. This is usually caused by a too-low Domain Functional Level; you need to raise the DFL to Windows Server 2008 and then you will be able to create password policies. Note also that the ADAC shipped with Windows Server 2008 R2 has no PSO editor at all, so there you have to use ADSI Edit or PowerShell even when the DFL is correct.

Too low Domain Functional Level

OK, but this should be checked before you start creating a password policy 🙂

New Fine-Grained Password Policy

When you do that, you will see a new window in which you can define all the password settings, like in a GPO. Below you can find a screenshot of the default view.

Default view of password settings policy

On that screen you need to define the following parameters:

  • Policy name
  • Policy precedence number
  • Minimum password length
  • Minimum password age
  • Maximum password age
  • Number of passwords remembered
  • Number of failed logon attempts allowed
  • Reset failed logon attempts count after (mins)
  • Account will be locked out
  • Password must meet complexity requirements
  • Store password using reversible encryption
  • Protect from accidental deletion

I will try to explain each of those parameters in a few words so that it is clearer what they do.

Policy name

This parameter defines the policy name by which administrators will identify it. Choose a name that makes it easy to tell what the policy is for.

Policy precedence number

The number specified here is used when more than one PSO applies to the same user: the PSO with the lower precedence value wins. The full resolution order is: a PSO linked directly to the user always wins over PSOs linked to the user’s groups, regardless of precedence; among PSOs of the same kind, the lowest precedence value wins; if two PSOs have the same precedence, the one with the mathematically smallest GUID is applied. The PSO that actually wins is exposed on the user object as the constructed attribute msDS-ResultantPSO.
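Because the resolution rules above are easy to get wrong by hand, the following PowerShell snippet (an added example, not part of the original article) lists the PSOs in precedence order, shows the PSOs linked directly to a user, and then asks the domain controller which one actually wins. It assumes the Active Directory module from RSAT is available; the account name jsmith is a placeholder.

```powershell
# Added example: determine which PSO really applies to a user when several
# are linked to them or to their groups. Requires the ActiveDirectory module;
# 'jsmith' is a placeholder account name.
Import-Module ActiveDirectory

$sam = 'jsmith'

# 1. All PSOs in the domain, lowest precedence value first (lower value wins)
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence |
    Format-Table Name, Precedence, AppliesTo -AutoSize

# 2. PSOs linked directly to the user object itself. A direct link always
#    beats any PSO inherited through group membership, whatever its precedence.
(Get-ADUser -Identity $sam -Properties 'msDS-PSOApplied').'msDS-PSOApplied'

# 3. The resultant PSO as computed by the domain controller, first as the
#    constructed attribute (distinguished name of the winning PSO) ...
(Get-ADUser -Identity $sam -Properties 'msDS-ResultantPSO').'msDS-ResultantPSO'

# ... and as a full policy object with all of its settings. No output here
#    means no PSO applies and the user falls back to the Default Domain Policy.
Get-ADUserResultantPasswordPolicy -Identity $sam
```

Running step 3 after every change to a PSO or to group membership is the quickest way to confirm that a user ended up with the policy you intended, rather than inferring it from the precedence numbers.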

Minimum password length

Specify here how many characters (at least) are required for a new password.

Minimum password age

Here you define how soon a user may change the password again after the last change. This setting prevents users from changing the password before the specified number of days has passed, which would otherwise let them cycle through the password history and return to an old password.

Maximum password age

After this many days the user is obliged to change the password.

Number of passwords remembered

This setting defines how many previously used passwords are remembered and cannot be reused.

Number of failed logon attempts allowed

This value tells the domain how many wrong logon attempts are accepted before the account is locked.

Reset failed logon attempts count after (mins)

This option configures the amount of time after which the bad-logon counter is reset to zero, giving the user a fresh set of attempts. It cannot be longer than the lockout duration.

Account will be locked out

Sets how long the account stays locked out. When the value is 0, or “Account will be locked out until an administrator manually unlocks the account” is selected, the account stays locked until an administrator unlocks it.

Password must meet complexity requirements

This enforces the standard Windows complexity rule: the password must be at least six characters long, must not contain the user’s account name or any part of the display name longer than two characters, and must contain characters from at least 3 of the following 5 groups:

  • lowercase letters [a-z]
  • uppercase letters [A-Z]
  • digits [0-9]
  • non-alphanumeric characters, for example !@#$%^&*()
  • Unicode alphabetic characters that are neither uppercase nor lowercase (for example characters from Asian scripts)
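To make the rule concrete, here is a PowerShell function (an added example, not Microsoft’s code and not part of the original article) that reproduces the documented complexity check locally, so a candidate password can be tested before a user tries it against the domain controller. The user name and display name used in the sample calls are constructed.

```powershell
# Added example: local re-implementation of the documented Windows password
# complexity rule (minimum 6 characters, no account-name or display-name tokens,
# at least 3 of 5 character classes). Not Microsoft's own code.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName    = ''
    )

    if ($Password.Length -lt 6) { return $false }

    # The account name must not appear anywhere in the password
    # (-match is case-insensitive in PowerShell, which is what we want here)
    if ($SamAccountName -and $Password -match [regex]::Escape($SamAccountName)) {
        return $false
    }

    # The display name is split on the delimiters Windows uses; any token of
    # three or more characters must not appear in the password
    $tokens = $DisplayName -split '[ ,.\-_#\t]' | Where-Object { $_.Length -ge 3 }
    foreach ($token in $tokens) {
        if ($Password -match [regex]::Escape($token)) { return $false }
    }

    # Count the character classes present; -cmatch is needed for the
    # case-sensitive upper/lower checks
    $classes = 0
    if ($Password -cmatch '[A-Z]')                { $classes++ }  # uppercase
    if ($Password -cmatch '[a-z]')                { $classes++ }  # lowercase
    if ($Password -match  '[0-9]')                { $classes++ }  # digits
    if ($Password -match  '[^\p{L}\p{Nd}]')       { $classes++ }  # non-alphanumeric
    if ($Password -cmatch '[\p{Lo}\p{Lt}\p{Lm}]') { $classes++ }  # other letters (e.g. CJK)

    return ($classes -ge 3)
}

# Constructed sample calls; 'jsmith' / 'John Smith' are placeholders
Test-PasswordComplexity -Password 'Summer2024'   -SamAccountName 'jsmith' -DisplayName 'John Smith'  # three classes, no name tokens
Test-PasswordComplexity -Password 'john.Smith1!' -SamAccountName 'jsmith' -DisplayName 'John Smith'  # exercises the display-name token check
Test-PasswordComplexity -Password 'jsmith!A1'    -SamAccountName 'jsmith' -DisplayName 'John Smith'  # exercises the account-name check
Test-PasswordComplexity -Password 'password'     -SamAccountName 'jsmith' -DisplayName 'John Smith'  # exercises the class count
```

Note that the complexity rule says nothing about dictionary words or common patterns; “Summer2024” passes it. If you need that kind of filtering, it has to come from a password filter DLL or an external check, not from a PSO.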

Store password using reversible encryption

Setting responsible for storing the password in a reversibly encrypted form, which is effectively plain text, for applications that need access to the actual user password (for example CHAP or Digest authentication). It should not be enabled unless an application really requires it.

Protect from accidental deletion

Nothing directly connected to password settings. This flag applies to the password policy object itself and prevents it from being deleted from the domain until you uncheck this box.

Now that we have a better understanding of these policy parameters, we can define an example Fine-Grained Password Policy. Below you can find the settings used for that policy:

  • Policy name – it-domain-administrators
  • Policy precedence number – 1
  • Minimum password length – 8
  • Minimum password age – 5 days
  • Maximum password age – 90 days
  • Number of passwords remembered – 10
  • Number of failed logon attempts allowed – 3
  • Reset failed logon attempts count after – 30 minutes
  • Account will be locked out – 40 minutes
  • Password must meet complexity requirements – yes
  • Store password using reversible encryption – no
  • Protect from accidental deletion – yes

Example Fine-Grained Password Policy

After adding this policy to the domain, you need to specify the user or group to which you want to apply it. As the example policy name suggests it is for Domain Administrators, I need to choose their group in the displayed window.

Target group for FGPP

and you can see that it is directly applied to the “Domain Admins” group in the “Directly applies to” section.

Confirmation for applying FGPP
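The same policy can be created and linked from PowerShell, which is also the way to do it on Windows Server 2008 R2, where ADAC has no PSO editor. The snippet below is an added example, not the article’s own procedure; it uses the values from the list above and assumes the Active Directory module from RSAT and rights to create objects in the Password Settings Container.

```powershell
# Added example: create the 'it-domain-administrators' PSO from the article and
# link it to Domain Admins with the ActiveDirectory module instead of ADAC.
Import-Module ActiveDirectory

$psoName = 'it-domain-administrators'

# Values mirror the list in the article. Ages are TimeSpans in days, lockout
# settings in minutes. AD requires the observation window (30 min) to be no
# longer than the lockout duration (40 min), and min age not to exceed max age.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 1 `
    -MinPasswordLength 8 `
    -MinPasswordAge (New-TimeSpan -Days 5) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -PasswordHistoryCount 10 `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 40) `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# Link the PSO to the group. Only user objects and global security groups are
# accepted as subjects; an OU would be rejected.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Read the object back to confirm the settings and the link
Get-ADFineGrainedPasswordPolicy -Identity $psoName -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, MinPasswordAge, MaxPasswordAge,
                  PasswordHistoryCount, LockoutThreshold, LockoutObservationWindow,
                  LockoutDuration, ComplexityEnabled, ReversibleEncryptionEnabled, AppliesTo
```

Keeping the PSO definition in a script like this also gives you something to diff against the live object later, which is handy for spotting unauthorized changes to the policy that governs your most privileged accounts.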

That’s all for Fine-Grained Password Policies in this article. Each time you need to see the FGPPs and their assigned users/groups, open ADAC, go to System -> Password Settings Container and review the settings there.

Author: Krzysztof Pytko


4 responses to “Fine-Grained Password Policy”

  1. user345123 says :

    In the Password Settings Container (PSC) the “New” is grayed out but my Domain Functional Level (DFL) and Forest Functional Level (FFL) are already set to Windows Server 2008 R2. What else should I check? Why else would it be grayed out?

    • user345123 says :

      Never mind, I figured it out. It wasn’t available using ADAC or ADUC but I was able to add it using ADSI Edit

      • iSiek says :

        I’m glad you figured this out 🙂
        Yes, PSO is not available in ADAC on Windows Server 2008/2008R2. You are only able to use ADSI Edit, PowerShell or LDIFDE. From Windows Server 2012, you have this possibility


