Managing Active Directory Fine-Grained Password Policy Precedence in Windows Server 2022
Posted on 17th June 2023
Introduction
Active Directory Fine-Grained Password Policy (ADFGPP) was introduced with Windows Server 2008 and requires a domain functional level of Windows Server 2008 or higher. It allows several password and account lockout policies to coexist within a single Active Directory domain. Before ADFGPP, one password policy, the one defined in the Default Domain Policy GPO, applied to every account in the domain, and a stricter policy for a subset of accounts required a separate domain. ADFGPP lets administrators vary the policy per account, which is most often used to require longer passwords and tighter lockout settings for privileged and service accounts than for standard users. It can also be used, as in the scenario behind this post, to give users who work mainly in the cloud a different policy from on-premises users.
ADFGPP is implemented with Password Settings Objects (PSOs), which are stored in the Password Settings Container (CN=Password Settings Container,CN=System,<domain DN>). A PSO can be linked only to user objects and to global security groups, not to OUs and not to domain local, universal or distribution groups, and it overrides the default domain password policy for the accounts it is linked to. In other words, if a user is a member of a global security group that a PSO is linked to, the user is subject to the PSO rather than the default domain password policy. A PSO carries lockout settings as well as password settings, so linking one with a lockout threshold of 0 to an account removes lockout protection for that account.
There is only one kind of PSO; what differs is how it reaches a user, and that determines precedence:
- Directly linked PSOs: a PSO linked to the user object itself always wins over any PSO the user receives through group membership, whatever the precedence values.
- Group-linked PSOs: when a user receives several PSOs through global security groups (nested membership counts), the PSO with the lowest precedence value wins. If two have the same value, the one with the lowest objectGUID wins, which is effectively arbitrary, so never give two PSOs the same precedence.
By default, only members of Domain Admins can create PSOs, because the ACL on the Password Settings Container grants that right only to them. Delegating it to other administrators should be a deliberate decision, since a PSO can weaken the policy of every account it is linked to.
PSOs can be linked to users and groups in two ways:
- By using the Active Directory Administrative Center (ADAC)
- By using the Add-ADFineGrainedPasswordPolicySubject cmdlet (Set-ADFineGrainedPasswordPolicy changes an existing PSO's settings; it does not link the PSO to anything)
Creating a PSO
PSOs can be created by using the ADAC or the New-ADFineGrainedPasswordPolicy cmdlet.
To create a PSO by using the ADAC:
- Open the ADAC, select the domain, and navigate to System, then Password Settings Container.
- In the Tasks pane, click New, and then click Password Settings.
- In the Create Password Settings dialog, enter the PSO name and a precedence value. The precedence is used to determine which PSO wins if a user is a member of multiple groups that have PSOs applied to them: the PSO with the lowest precedence value wins (a PSO linked directly to the user wins regardless of value). Leave gaps between values, for example 10, 20, 30, so a policy can be inserted later, and never reuse a value.
- Configure the password settings as desired: minimum length, password history, complexity, reversible encryption (leave this off), and minimum and maximum password age.
- Configure the account lockout settings as desired: lockout threshold, observation window, and lockout duration. A PSO has no Kerberos settings; Kerberos policy is domain-wide and is set in the Default Domain Policy GPO.
- Optionally, under Directly Applies To, click Add and select the users or global security groups the PSO should apply to.
- Review the settings, and then click OK.
To create a PSO by using the New-ADFineGrainedPasswordPolicy cmdlet:
- Open a PowerShell prompt on a machine with the ActiveDirectory module (part of RSAT) and type the following command:
New-ADFineGrainedPasswordPolicy -Name "PSO_Name" -Precedence Precedence_Value -MinPasswordLength Min_Length -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -LockoutThreshold Lockout_Threshold -LockoutObservationWindow Lockout_Observation_Window -LockoutDuration Lockout_Duration
- Press Enter.
Replace “PSO_Name” with the name of the PSO, Precedence_Value with the precedence value, Min_Length with the minimum password length, Lockout_Threshold with the desired lockout threshold, Lockout_Observation_Window with the desired lockout observation window, and Lockout_Duration with the desired lockout duration. Precedence_Value, Min_Length and Lockout_Threshold are integers; the two lockout values are TimeSpans, written either as a string such as "00:30:00" or as (New-TimeSpan -Minutes 30), and the lockout duration must be at least as long as the observation window. A Lockout_Threshold of 0 disables lockout for the PSO's subjects. The new PSO is not linked to anyone yet; see the next section.
Applying a PSO
PSOs can be linked to users and groups by using the ADAC or the Add-ADFineGrainedPasswordPolicySubject cmdlet.
To apply a PSO to a user or group by using the ADAC (the link is made on the PSO itself; there is no need to create a new user or group):
- Open the ADAC, select the domain, and navigate to System, then Password Settings Container.
- Select the PSO, and in the Tasks pane click Properties.
- Under Directly Applies To, click Add, select the user or global security group, and click OK. Only users and global security groups are valid targets; for an OU, create a global security group that mirrors the OU's membership (a shadow group) and link that.
- Click OK to save the PSO.
For a user, the Password Settings section on the user's Properties page in the ADAC shows the PSOs directly linked to that user and lets you assign one from there, and the View resultant password settings task on the user shows the policy that actually applies after precedence is evaluated.
To apply a PSO to a user by using the Add-ADFineGrainedPasswordPolicySubject cmdlet:
- Open a PowerShell prompt and type the following command:
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO_Name" -Subjects "User_Name"
- Press Enter.
Replace “PSO_Name” with the name of the PSO and “User_Name” with the user's sAMAccountName (a distinguished name, SID or GUID also works).
To apply a PSO to a group by using the Add-ADFineGrainedPasswordPolicySubject cmdlet:
- Open a PowerShell prompt and type the following command:
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO_Name" -Subjects "Group_Name"
- Press Enter.
Replace “PSO_Name” with the name of the PSO and “Group_Name” with the name of the group, which must be a global security group; the cmdlet returns an error for any other group type. -Subjects accepts a comma-separated list, so several users or groups can be linked in one call, and Remove-ADFineGrainedPasswordPolicySubject with the same parameters removes a link.
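The creation and linking steps above, carried out end to end, as an added example that is not part of the original post. It creates two PSOs with splatting so every integer and TimeSpan parameter is explicit, checks that each target is a global security group before linking (the only group type a PSO accepts), and prints the resulting precedence order. The PSO names PSO-PrivilegedAccounts and PSO-ServiceAccounts and the group names Tier0-Admins and Service-Accounts are assumptions.

```powershell
# Added example, not from the original post. The PSO and group names are assumptions.
Import-Module ActiveDirectory

# Strict policy for administrative accounts. Precedence 10 beats any PSO with a
# higher value that the same user might also receive through group membership.
$privileged = @{
    Name                            = 'PSO-PrivilegedAccounts'
    Precedence                      = 10
    MinPasswordLength               = 20
    PasswordHistoryCount            = 24
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    MaxPasswordAge                  = (New-TimeSpan -Days 90)
    LockoutThreshold                = 5
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @privileged

# Service accounts: long random passwords, and LockoutThreshold 0 so a password
# spray cannot lock the service out. 0 removes lockout entirely for these subjects,
# so this PSO must only be linked to accounts with strong, managed passwords.
$service = @{
    Name                            = 'PSO-ServiceAccounts'
    Precedence                      = 20
    MinPasswordLength               = 30
    PasswordHistoryCount            = 24
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    MaxPasswordAge                  = (New-TimeSpan -Days 365)
    LockoutThreshold                = 0
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @service

# Link each PSO to its group. Add-ADFineGrainedPasswordPolicySubject rejects domain
# local and universal groups, distribution groups and OUs; checking first gives a
# clearer error than the cmdlet's.
$links = @(
    @{ PSO = 'PSO-PrivilegedAccounts'; Group = 'Tier0-Admins' },
    @{ PSO = 'PSO-ServiceAccounts';    Group = 'Service-Accounts' }
)
foreach ($link in $links) {
    $group = Get-ADGroup -Identity $link.Group
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        throw "$($link.Group) is $($group.GroupCategory)/$($group.GroupScope); a PSO needs a global security group"
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $link.PSO -Subjects $group
}

# Precedence order and links, lowest value first (the one that wins on a conflict).
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence |
    Format-Table Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo -AutoSize
```

With these two PSOs in place, an account that is a member of both Tier0-Admins and Service-Accounts receives PSO-PrivilegedAccounts, because 10 is the lower precedence value; the lockout-free service policy never silently wins for an administrator. Swapping the two precedence values would reverse that, which is why the values should be chosen with the most restrictive policy lowest.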
Verifying PSO Application
Get-ADFineGrainedPasswordPolicy -Identity takes the name of a PSO, not of a user or group. To see which policy a user actually gets, use Get-ADUserResultantPasswordPolicy; to list everything a PSO is linked to, use Get-ADFineGrainedPasswordPolicySubject -Identity "PSO_Name".
To verify which PSO applies to a user:
- Open a PowerShell prompt and type the following command:
Get-ADUserResultantPasswordPolicy -Identity "User_Name"
- Press Enter.
Replace “User_Name” with the name of the user. If a PSO applies to the user, whether directly or through group membership, the cmdlet returns that PSO and its settings; the value comes from the user's msDS-ResultantPSO attribute, which the domain controller computes using the precedence rules above. If no PSO applies, the cmdlet returns nothing rather than an error, and the default domain password policy (shown by Get-ADDefaultDomainPasswordPolicy) is in effect.
To verify that a PSO has been applied to a group:
- Open a PowerShell prompt and type the following command:
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo | Where-Object { $_.AppliesTo -contains (Get-ADGroup "Group_Name").DistinguishedName }
- Press Enter.
Replace “Group_Name” with the name of the group. If the PSO has been applied, the cmdlet
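The precedence rules described in this post can be checked per user with the following script, an added example that is not part of the original post. It lists every PSO a user could receive, applies the direct-link and lowest-precedence rules by hand, and compares the outcome with msDS-ResultantPSO, the value the domain controller actually computed, so a mismatch or a precedence tie shows up immediately. The sample account name alice is an assumption; every cmdlet used is from the ActiveDirectory module.

```powershell
# Added example, not from the original post. The user name 'alice' is an assumption.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape characters that are special inside an LDAP filter (RFC 4515), so a DN
    # containing parentheses or a backslash cannot break or widen the search.
    param([Parameter(Mandatory)][string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-PsoResolution {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user    = Get-ADUser -Identity $SamAccountName -Properties msDS-ResultantPSO, PrimaryGroup
    $allPsos = Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo

    # Rule 1: a PSO linked directly to the user wins, whatever its precedence.
    $candidates = @($allPsos | Where-Object { $_.AppliesTo -contains $user.DistinguishedName })
    $source = 'direct link'

    if ($candidates.Count -eq 0) {
        # Rule 2: PSOs linked to groups the user belongs to. The DC evaluates full
        # membership, so nested groups are expanded with LDAP_MATCHING_RULE_IN_CHAIN.
        # The primary group (normally Domain Users) is not in any group's member
        # attribute, so it and the groups containing it are added explicitly.
        $groupDns = [System.Collections.Generic.List[string]]::new()
        $groupDns.Add($user.PrimaryGroup)
        foreach ($root in @($user.DistinguishedName, $user.PrimaryGroup)) {
            $filter = "(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $root))"
            foreach ($g in Get-ADGroup -LDAPFilter $filter) { $groupDns.Add($g.DistinguishedName) }
        }
        $candidates = @($allPsos | Where-Object {
            $targets = $_.AppliesTo
            @($groupDns | Where-Object { $targets -contains $_ }).Count -gt 0
        })
        $source = if ($candidates.Count -gt 0) { 'group membership' } else { 'none' }
    }

    # Rule 3: lowest precedence wins. Equal values are broken on objectGUID, which is
    # nothing anyone should rely on, so a tie is reported as a misconfiguration.
    $ordered = @($candidates | Sort-Object Precedence)
    $winner  = if ($ordered.Count -gt 0) { $ordered[0] } else { $null }
    $tie     = $ordered.Count -gt 1 -and $ordered[0].Precedence -eq $ordered[1].Precedence

    # Ground truth: msDS-ResultantPSO is the DN the DC computed, empty when the
    # default domain policy applies.
    $resultantDn = [string]$user.'msDS-ResultantPSO'
    $expectedDn  = if ($winner) { $winner.DistinguishedName } else { '' }

    [pscustomobject]@{
        User          = $user.SamAccountName
        Source        = $source
        Candidates    = ($ordered | ForEach-Object { "$($_.Name) (precedence $($_.Precedence))" }) -join ', '
        ExpectedPSO   = if ($winner) { $winner.Name } else { '<default domain policy>' }
        ResultantPSO  = if ($resultantDn) { (Get-ADFineGrainedPasswordPolicy -Identity $resultantDn).Name } else { '<default domain policy>' }
        PrecedenceTie = $tie
        Agrees        = ($expectedDn -eq $resultantDn)
    }
}

Get-PsoResolution -SamAccountName 'alice' | Format-List
```

Run it for a handful of accounts from each group after changing precedence values or links. Agrees should be true for every one; if it is false, the usual causes are replication lag (msDS-ResultantPSO is computed by the DC you queried, so query the same DC you changed), or a group link that is not a global security group and therefore never took effect. PrecedenceTie true means two PSOs with the same value are competing for the account and the winner is decided by objectGUID, which should be fixed by renumbering rather than left to chance.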