Fine-Grained Password Policy
As you know, in Windows 2000 Server and Windows Server 2003 a domain could have only one password policy. If your company required different password policies for particular departments, you had to set up separate domains for them or look for third-party tools to meet the requirement. That was your only choice.
In Windows Server 2008 (at the Windows Server 2008 Domain Functional Level) Microsoft introduced a new feature called “Fine-Grained Password Policy“ (FGPP). There is still only one global, domain-wide password policy, defined in GPO, but FGPP lets you define additional password policies in your environment without creating additional domains. These objects (Password Settings Objects) are created in the domain and stored in the domain partition. The main difference between a GPO password policy and an FGPP is that an FGPP cannot be linked to an Organizational Unit (OU). These password policies can only be applied to users and global security groups.
In Windows Server 2008/2008 R2 setting up these policies is not very convenient, because you have to use ADSI Edit. It is also a little difficult to track which policy takes effect when more than one applies to a user or group. In Windows Server 2012 Microsoft added a GUI for FGPP management, available in the new Active Directory Administrative Center (ADAC).
In this article we will focus only on Windows Server 2012 and the new GUI in ADAC. If you are also interested in how to create an FGPP in Windows Server 2008/2008 R2, please read the Microsoft article below:
Important! Remember that to be able to use Fine-Grained Password Policies, your Domain Functional Level must be at least Windows Server 2008.
Let’s try to configure an example Fine-Grained Password Policy in Windows Server 2012. To do that we need access to Windows Server 2012 or to Windows 8 with RSAT, where the new Active Directory Administrative Center is available.
When you have Server Manager up and running, go to “Tools” and open the ADAC console.
In the Active Directory Administrative Center console, select the “Tree” view and expand your domain node.
Now select the “System” container and look in the middle pane for the “Password Settings Container”.
Right-click it and choose “New -> Password Settings” to create a password policy.
Note! If the “New” and “Delete” entries are grayed out, your domain does not meet the FGPP requirements. This is usually caused by a Domain Functional Level that is too low: raise the DFL to Windows Server 2008 and you will be able to create password policies.
Ideally this should be checked before you start creating the password policy 🙂
When you do that, a new window appears in which you can define all the password settings available in a GPO. Below is a screenshot of the default view.
On that screen you need to define the following parameters:
- Policy name
- Policy precedence number
- Minimum password length
- Minimum password age
- Maximum password age
- Number of passwords remembered
- Number of failed logon attempts allowed
- Reset failed logon attempts count after (mins)
- Account will be locked out
- Password must meet complexity requirements
- Store password using reversible encryption
- Protect from accidental deletion
I will explain each of these parameters in a few words to make clearer what they do.
Policy name
This parameter defines the name by which administrators will identify the policy. Name the policy so that you can easily tell what it is for.
Policy precedence number
The number specified here matters when more than one password policy applies to a user or group: the policy with the lowest precedence value is the one applied. A policy applied directly to the user account takes precedence over policies applied through group membership, and if two candidate policies have the same precedence, the one with the lowest object GUID wins.
Minimum password length
Specify the minimum number of characters a new password must have.
Minimum password age
Defines how long after the last change a user may change the password again. This prevents users from changing the password before the specified number of days has passed (for example, cycling through the password history in one sitting to get back to an old password).
Maximum password age
After this time the user is obligated to change the password. The value must be greater than the minimum password age.
Number of passwords remembered
The number of previously used passwords that are remembered and cannot be reused.
Number of failed logon attempts allowed
Tells the domain how many wrong logon attempts are accepted before the account is locked.
Reset failed logon attempts count after (mins)
The amount of time after which the bad-logon counter is reset, giving the user another chance to log on to the domain. This value must not be larger than the lockout duration, or the domain will reject the policy.
Account will be locked out
Sets how long the account stays locked out. When the value is 0, or “Account will be locked out until an administrator manually unlocks the account” is selected, the account stays locked until an administrator unlocks it.
Password must meet complexity requirements
This requires that a password contain characters from at least 3 of the following categories (Windows actually counts five, not four) and that it not contain the user’s account name or any part of the user’s full name longer than two characters:
- lowercase letters [a-z]
- uppercase letters [A-Z]
- special characters, e.g. [!@#$%^&*()]
- digits [0-9]
- letters from scripts without upper/lower case (e.g. Asian languages)
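To see what this rule actually accepts and rejects, here is a local approximation of the complexity check as an added example (it is not code from the article and not the Windows implementation): a `Test-PasswordComplexity` function that applies the five-category and name rules to a few constructed candidate passwords for a hypothetical user “jdoe” / “John Doe”.

```powershell
# Added example, not part of the original article: approximates the Windows
# "password must meet complexity requirements" rule so you can see what it filters.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = ''
    )
    # The five character categories Windows counts; at least three must be present.
    $categories = @(
        ($Password -cmatch '[A-Z]'),             # uppercase letters
        ($Password -cmatch '[a-z]'),             # lowercase letters
        ($Password -match  '[0-9]'),             # digits
        ($Password -match  '[^\p{L}\p{Nd}\s]'),  # non-alphanumeric (special characters)
        ($Password -cmatch '\p{Lo}')             # letters with no case (e.g. CJK scripts)
    )
    $count = @($categories | Where-Object { $_ }).Count

    # Name rule: the account name, and any part of the display name longer than two
    # characters, must not appear in the password (case-insensitive).
    $nameHit = $false
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $nameHit = $true
    }
    foreach ($part in ($DisplayName -split '[ ,.\-_#\t]+')) {
        if ($part.Length -gt 2 -and
            $Password.IndexOf($part, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $nameHit = $true
        }
    }

    [pscustomobject]@{
        Password        = $Password
        Categories      = $count
        ContainsName    = $nameHit
        MeetsComplexity = ($count -ge 3 -and -not $nameHit)
    }
}

# Constructed sample inputs for the hypothetical user 'jdoe' (John Doe); none are real credentials.
$samples = 'summer2024', 'Password1', 'P@ssw0rd', 'Doe-Street-7', '密码Secret'
$samples |
    ForEach-Object { Test-PasswordComplexity -Password $_ -SamAccountName 'jdoe' -DisplayName 'John Doe' } |
    Format-Table -AutoSize
```

Note what the output shows: “summer2024” fails (only two categories) and “Doe-Street-7” fails on the name rule despite four categories, but “Password1” and “P@ssw0rd” pass. The complexity flag is a category filter, not a strength check; it does not stop predictable passwords, which is why the minimum length and lockout settings matter as well.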
Store password using reversible encryption
Stores the password in a reversibly encrypted form, which is effectively the same as storing it in plain text, for applications that need access to the user’s actual password. Leave this disabled unless an application really requires it.
Protect from accidental deletion
Nothing directly connected to password settings. This flag protects the policy object itself: it cannot be deleted from the domain until you clear this checkbox.
Now that we have a better understanding of these parameters we can define an example Fine-Grained Password Policy. Below are the settings used for it (the values are illustrative; for privileged accounts a longer minimum length than 8 is common practice):
- Policy name – it-domain-administrators
- Policy precedence number – 1
- Minimum password length – 8
- Minimum password age – 5
- Maximum password age – 90
- Number of passwords remembered – 10
- Number of failed logon attempts allowed – 3
- Reset failed logon attempts count after – 30
- Account will be locked out – 40
- Password must meet complexity requirements – yes
- Store password using reversible encryption – no
- Protect from accidental deletion – yes
After adding this policy to the domain you need to specify the user or group to which you want to apply it. Since the example policy name suggests it is for domain administrators, I choose their group in the displayed window
and you can see it is applied directly to the “Domain Admins” group in the “Directly applies to” section.
That’s all for Fine-Grained Password Policies in this article. Whenever you need to see the FGPPs and their assigned users/groups, open ADAC, go to System -> Password Settings Container and review the settings there.
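The same policy can be created, linked and verified from the command line with the ActiveDirectory module that ships with RSAT for Windows 8 / Windows Server 2012. The script below is an added example, not code from the article: it checks the functional-level prerequisite first, builds the “it-domain-administrators” policy with the values listed above, assigns it to “Domain Admins”, and then shows which policy actually wins for one member. It assumes you run it as a Domain Admin, and the member account “jdoe” is a placeholder.

```powershell
# Added example, not part of the original article: the FGPP from the article built with
# the ActiveDirectory PowerShell module instead of ADAC. 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

# 1. The prerequisite the article stresses: DFL must be Windows Server 2008 or higher.
$mode = [int](Get-ADDomain).DomainMode
$min  = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ($mode -lt $min) {
    throw 'Domain functional level is too low for FGPP; raise it to Windows Server 2008 first.'
}

# 2. The settings from the article, as cmdlet parameters (ages and durations are TimeSpans).
$policy = @{
    Name                            = 'it-domain-administrators'
    Precedence                      = 1
    MinPasswordLength               = 8
    MinPasswordAge                  = New-TimeSpan -Days 5
    MaxPasswordAge                  = New-TimeSpan -Days 90
    PasswordHistoryCount            = 10
    LockoutThreshold                = 3
    LockoutObservationWindow        = New-TimeSpan -Minutes 30
    LockoutDuration                 = New-TimeSpan -Minutes 40
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}

# AD rejects a policy whose observation window exceeds the lockout duration, or whose
# minimum age is not below the maximum age; fail early with a readable message.
if ($policy.LockoutObservationWindow -gt $policy.LockoutDuration) {
    throw 'Reset window must not exceed lockout duration.'
}
if ($policy.MaxPasswordAge -gt [TimeSpan]::Zero -and $policy.MinPasswordAge -ge $policy.MaxPasswordAge) {
    throw 'Minimum password age must be less than maximum password age.'
}

New-ADFineGrainedPasswordPolicy @policy

# 3. Link it to the group (FGPPs take users and global security groups, never OUs).
Add-ADFineGrainedPasswordPolicySubject -Identity $policy.Name -Subjects 'Domain Admins'

# 4. Verify: the object, what it applies to, and the policy that actually wins for a member.
Get-ADFineGrainedPasswordPolicy -Identity $policy.Name |
    Format-List Name, Precedence, MinPasswordLength, MaxPasswordAge,
                LockoutThreshold, LockoutObservationWindow, LockoutDuration
Get-ADFineGrainedPasswordPolicySubject -Identity $policy.Name | Select-Object Name, ObjectClass

# Resultant policy for one member after precedence rules are applied;
# $null here means only the default domain password policy applies to that user.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```

`Get-ADUserResultantPasswordPolicy` is the quickest answer to the “which policy takes effect?” question from the 2008 days: it resolves direct and group-linked policies and precedence for you, so run it for a sample account whenever you add or reorder policies.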
Author: Krzysztof Pytko