Managing Active Directory Fine-Grained Password Policy Enforcement in Server 2022
Posted on 17th June 2023
Introduction
Active Directory Fine-Grained Password Policy Enforcement is a new feature in Server 2022 that allows you to create and enforce multiple password policies within a single Active Directory Domain. This can be useful if you have a large organization with different security requirements for different groups of users. For example, you could have a more stringent password policy for your administrative users than for your regular users.
Creating a Fine-Grained Password Policy
To create a new Fine-Grained Password Policy, open the Active Directory Users and Computers snap-in and navigate to the Policies container. Right-click on the Policies container and select “New -> Password Policy”.
On the “New Password Policy” dialog, enter a name and description for the policy. Then, select the “Define these policy settings” radio button and click “Next”.
On the “Password Policy Settings” page, you can configure the password policy settings that you want to enforce. Once you have configured the settings, click “Next”.
On the “User Selection” page, you can specify which users or groups will be subject to the new password policy. To do this, click the “Add” button and select the appropriate users or groups. Once you have added all of the users or groups that you want, click “Next”.
On the “Confirm Password Policy Settings” page, review the settings that you have configured and click “Finish” to create the new password policy.
Enforcing a Fine-Grained Password Policy
Once you have created a Fine-Grained Password Policy, you need to enforce it. To do this, open the Group Policy Management snap-in and edit the Default Domain Policy.
Navigate to the “Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy” setting. Right-click on the “Password Policy” setting and select “Properties”.
On the “Password Policy Properties” dialog, select the “Define these policy settings” radio button. Then, select the “Enforce password history” checkbox and enter the number of passwords that you want to remember in the “Maximum password age” field. Finally, click “OK”.
Now, the Fine-Grained Password Policy that you created will be enforced when users change their passwords.
Conclusion
Active Directory Fine-Grained Password Policy Enforcement is a new feature in Server 2022 that allows you to create and enforce multiple password policies within a single Active Directory Domain. This can be useful if you have a large organization with different security requirements for different groups of users.
In Server 2022, Active Directory (AD) supports two types of password policies:
Fine-grained password policies (FGPPs)
Password Settings Objects (PSOs)
FGPPs are designed to give you more granular control over password policies. You can apply FGPPs to specific users or groups, rather than applying the same password policy to an entire domain.
PSOs are similar to FGPPs, but they’re designed to work with the Microsoft Azure Active Directory Connect tool. This tool synchronizes passwords between on-premises AD and Azure AD.
You can use both FGPPs and PSOs in your environment, but you can’t apply both types of policies to the same user or group.
Here’s how you can manage AD FGPP enforcement in Server 2022:
Open the AD Administrative Center.
Click on the Forest node in the left pane.
Click the Password Policy tab.
Click the New button.
Enter a name for the policy and click Next.
On the next page, select the type of object that you want to apply the policy to. You can apply the policy to a user, group, or OU.
Click Next.
On the next page, select the users or groups that you want to apply the policy to.
Click Next.
On the next page, select the password settings that you want to configure.
Click Finish.
The FGPP will now be applied to the selected users or groups.
You can also use PowerShell to manage FGPP enforcement. To do this, you first need to install the Active Directory Module for PowerShell.
Once the module is installed, you can use the following cmdlets to manage FGPPs:
Get-ADFineGrainedPasswordPolicy
Set-ADFineGrainedPasswordPolicy
New-ADFineGrainedPasswordPolicy
Remove-ADFineGrainedPasswordPolicy
Get-ADDefaultDomainPasswordPolicy
Set-ADDefaultDomainPasswordPolicy
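As an added example (not from the original article), the following script uses those cmdlets to review every PSO in the domain and flag any that relaxes the Default Domain Policy, since a weaker PSO silently exempts its subjects from the domain baseline. It assumes the ActiveDirectory module is installed and the account can read the Password Settings Container.

```powershell
# Added audit example, not the article's own code. Assumes the ActiveDirectory
# module and read access to CN=Password Settings Container.
Import-Module ActiveDirectory

# Baseline: the policy that applies whenever no PSO matches a user.
$default = Get-ADDefaultDomainPasswordPolicy

# Every PSO in the domain, strictest precedence (lowest number) first.
$psos = Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence

$report = foreach ($pso in $psos) {
    $findings = @()
    # Each check flags a setting looser than the domain default. When a PSO
    # applies, it replaces the default entirely, so these gaps are real.
    if ($pso.MinPasswordLength -lt $default.MinPasswordLength) {
        $findings += "MinPasswordLength $($pso.MinPasswordLength) < default $($default.MinPasswordLength)"
    }
    if (-not $pso.ComplexityEnabled -and $default.ComplexityEnabled) {
        $findings += "complexity disabled"
    }
    if ($pso.ReversibleEncryptionEnabled) {
        $findings += "reversible encryption enabled"
    }
    if ($pso.LockoutThreshold -eq 0) {
        $findings += "lockout disabled (threshold 0)"
    }
    if ($pso.PasswordHistoryCount -lt $default.PasswordHistoryCount) {
        $findings += "history $($pso.PasswordHistoryCount) < default $($default.PasswordHistoryCount)"
    }

    # Subjects are the users and groups the PSO is linked to (msDS-PSOAppliesTo).
    $subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $pso |
        Select-Object -ExpandProperty SamAccountName

    [pscustomobject]@{
        Name       = $pso.Name
        Precedence = $pso.Precedence
        AppliesTo  = ($subjects -join ', ')
        Findings   = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

$report | Format-Table -AutoSize
```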
For more information on managing FGPPs, see the Microsoft documentation.
Overview
In Server 2022, Active Directory (AD) administrators can use fine-grained password policies (FGPPs) to enforce different password and account lockout policies for different sets of users within a single domain. This flexibility can be useful in large organizations where different groups of users have different security requirements. For example, an organization might want to enforce a more stringent password policy for its privileged users than for its regular users.
In Server 2012, FGPPs were implemented using a new object type called a Password Settings Object (PSO). Each PSO could be applied to one or more user or group objects in AD, and the PSO would override the Default Domain Policy password and account lockout settings for those users and groups.
In Server 2016, Microsoft made some changes to the way FGPPs work. Now, instead of using PSOs, administrators can use a new feature called Privileged Identity Management (PIM) to manage FGPPs. PIM is a role-based access control (RBAC) feature that lets you control which users have access to which privileged accounts and groups. When you enable PIM for an account or group, you can also specify a fine-grained password policy that will be applied to that account or group.
Configuring FGPPs in Server 2016
To configure FGPPs in Server 2016, you first need to enable the PIM feature. You can do this using the Server Manager console or the PowerShell cmdlets.
Enabling PIM using Server Manager
To enable PIM using Server Manager, follow these steps:
- Open the Server Manager console and click on the Tools menu.
- Click on Active Directory Administrative Center.
- In the left pane, expand the Privileged Identity Management node.
- In the right pane, click on the Configure PIM link.
- In the Configure Privileged Identity Management dialog box, click on the Enable PIM button.
- Click on the Close button.
Enabling PIM using PowerShell
To enable PIM using PowerShell, follow these steps:
- Open the PowerShell console and type the following cmdlet:
Enable-Pim
- Press the Enter key.
Creating a FGPP
Once you have enabled PIM, you can create a FGPP using the Active Directory Administrative Center console or the PowerShell cmdlets.
Creating a FGPP using the Active Directory Administrative Center
To create a FGPP using the Active Directory Administrative Center, follow these steps:
- Open the Active Directory Administrative Center console.
- In the left pane, expand the Privileged Identity Management node.
- In the right pane, click on the Password Settings Objects link.
- In the task pane, click on the New Password Settings Object link.
- In the New Password Settings Object dialog box, type a name and description for the PSO.
- Click on the Next button.
- On the Password Settings page, configure the password settings that you want to apply to the PSO. For more information about the password settings that you can configure, see Password Settings Objects.
- Click on the Finish button.
Creating a FGPP using PowerShell
To create a FGPP using PowerShell, follow these steps:
- Open the PowerShell console and type the following cmdlet:
New-ADFineGrainedPasswordPolicy -Name "FGPP1" -DisplayName "FGPP1" -Precedence 1 -LockoutObservationWindow 00:30:00 -LockoutThreshold 6 -LockoutDuration 00:30:00
- Press the Enter key.
This cmdlet will create a FGPP with the name “FGPP1” and the following settings:
- Precedence: 1
- Lockout Observation Window: 00:30:00
- Lockout Threshold: 6
- Lockout Duration: 00:30:00
Applying a FGPP to an Account or Group
Once you have created a FGPP, you can apply it to an account or group using the Active Directory Administrative Center console or the PowerShell cmdlets.
Applying a FGPP using the Active Directory Administrative Center
To apply a FGPP using the Active Directory Administrative Center, follow these steps:
- Open the Active Directory Administrative Center console.
- In the left pane, expand the Privileged Identity Management node.
- In the right pane, click on the Password Settings Objects link.
- In the task pane, click on the Apply Password Settings Object link.
- In the Apply Password Settings Object dialog box, select the PSO that you want to apply.
- Click on the Browse button.
- In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, select the users or groups that you want to apply the PSO to.
- Click on the OK button.
- Click on the Apply button.
- Click on the Close button.
Applying a FGPP using PowerShell
To apply a FGPP using PowerShell, follow these steps:
- Open the PowerShell console and type the following cmdlet:
Add-ADFineGrainedPasswordPolicySubject -Identity "FGPP1" -Subjects "CN=User1,OU=Users,DC=contoso,DC=com"
- Press the Enter key.
This cmdlet will apply the FGPP with the name “FGPP1” to the user with the Common Name “User1”.
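Added example, not the article's own code: it creates a stricter PSO for a privileged group, links it to the group, and then reads the resultant policy for each member, which is the check that confirms the link actually took effect rather than being shadowed by another PSO or the domain default. The group name Tier0-Admins and the PSO name PSO-Tier0 are assumptions; the ActiveDirectory module must be installed.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module, an existing group "Tier0-Admins", and a free PSO name "PSO-Tier0".
Import-Module ActiveDirectory

# Lower precedence wins when a user is covered by several PSOs, so reserve the
# lowest numbers for the strictest policies.
$psoName = "PSO-Tier0"
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
        -MinPasswordAge "1.00:00:00" -MaxPasswordAge "60.00:00:00" `
        -LockoutThreshold 5 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00" `
        -ReversibleEncryptionEnabled $false
}

# Link the PSO to the group; later membership changes apply without re-linking.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects "Tier0-Admins"

# Verify what each member actually gets. A PSO linked directly to a user
# overrides any group-derived PSO, and an empty result means the Default Domain
# Policy applies, so the link alone is not proof of enforcement.
$defaultMin = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
Get-ADGroupMember -Identity "Tier0-Admins" -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.DistinguishedName
        [pscustomobject]@{
            User      = $_.SamAccountName
            Effective = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
            MinLength = if ($effective) { $effective.MinPasswordLength } else { $defaultMin }
        }
    } | Format-Table -AutoSize
```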
Removing a FGPP
If you no longer need a FGPP, you can remove it using the Active Directory Administrative Center console or the PowerShell cmdlets.
Removing a FGPP using the Active Directory Administrative Center
To remove a FGPP using the Active Directory Administrative Center, follow these steps:
- Open the Active Directory Administrative Center console.
- In the left pane, expand the Privileged Identity Management node.
- In the right pane, click on the Password Settings Objects link.
- In the task pane, click on the Delete Password Settings Object link.
- In the Delete Password Settings Object dialog box, select the PSO that you want to delete.
- Click on the Delete button.
- Click on the Close button.
Removing a FGPP using PowerShell
To remove a FGPP using PowerShell, follow these steps:
- Open the PowerShell console and type the following cmdlet:
Remove-AdmxFineGrainedPasswordPolicy -Identity “FG