Managing Active Directory Fine-Grained Password Policies in Server 2022

Posted on 20th June 2023

Overview

The password and account lockout settings in the Default Domain Policy GPO apply to every user in an Active Directory (AD) domain. In some cases you need a different policy for a subset of users, for example longer passwords for administrative accounts or no lockout for service accounts. This is what fine-grained password policies (FGPPs) are for.

FGPPs were introduced in Windows Server 2008 and require a domain functional level of Windows Server 2008 or higher. Each FGPP is a Password Settings Object (PSO) that carries its own password and account lockout settings. Unlike the domain-wide policy, a PSO is not delivered through Group Policy: it is linked directly to user objects and to global security groups, and the domain controller works out which PSO applies to each user from those links. A PSO cannot be linked to an organizational unit.

PSOs are stored in the Password Settings Container (PSC), at CN=Password Settings Container,CN=System,<domain DN>. The System container is hidden in Active Directory Users and Computers unless Advanced Features is enabled, but ADAC shows it directly, and ADSI Edit or LDP.exe can browse it as well.

When you create a PSO, you must give it a precedence (the msDS-PasswordSettingsPrecedence attribute), a positive integer that decides the winner when more than one PSO could apply to a user. Resolution works as follows: a PSO linked directly to the user object always beats a PSO inherited through group membership; among several candidates at the same level, the one with the lowest precedence value wins; if two candidates share the same precedence, the one with the lowest objectGUID wins. That last rule is arbitrary, so give every PSO a unique precedence. A user with no applicable PSO gets the domain password policy.

Creating an FGPP

You can use the Active Directory Administrative Center (ADAC) or the Active Directory module for Windows PowerShell to create an FGPP.

To create an FGPP by using ADAC

  1. Open ADAC, and then click the domain in the navigation pane.
  2. In the domain pane, double-click System, and then click Password Settings Container.
  3. In the Tasks pane, click New, and then click Password Settings.
  4. In the Create Password Settings dialog box, type a name and description for the FGPP.
  5. In the Precedence box, type the precedence of the FGPP. The value must be a positive integer (1 or greater); lower values win. Leave gaps between values (for example 10, 20, 30) so that a policy can be inserted later without renumbering the others.
  6. In the Password Settings section, set the minimum password length, password history, complexity, minimum and maximum password age, and whether the password is stored using reversible encryption (leave this cleared unless an application you control requires it). Leave Protect from accidental deletion selected.
  7. Select Enforce account lockout, and then set the number of failed logon attempts, the lockout duration, and the reset window. The reset window must not be longer than the lockout duration.
  8. Optionally, in the Directly Applies To section, click Add to link users or global security groups to the policy now.
  9. Click OK.

To create an FGPP by using Windows PowerShell

  1. Open Windows PowerShell, and then run the following command to connect to AD:
    Import-Module ActiveDirectory
  2. Run the following command to create the FGPP. Only -Name and -Precedence are mandatory; the cmdlet fills in defaults for any setting you omit, so state the settings you care about explicitly. -LockoutObservationWindow must not exceed -LockoutDuration, and -MinPasswordAge must not exceed -MaxPasswordAge:
    New-ADFineGrainedPasswordPolicy -Name "FGPP Name" -Precedence 10 `
        -DisplayName "FGPP Display Name" -Description "FGPP Description" `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false -MinPasswordAge "1.00:00:00" -MaxPasswordAge "90.00:00:00" `
        -LockoutThreshold 3 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00" `
        -ProtectedFromAccidentalDeletion $true
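The following script is an added example and is not code from the original article. It carries the creation procedure through end to end: it checks that the domain functional level supports FGPPs, then creates two tiered policies idempotently, refusing to create a policy whose precedence value is already in use. The policy names, precedence values and settings are assumptions chosen for illustration.

```powershell
# Added example, not from the original article. Creates two tiered FGPPs after
# checking the domain can host them. Policy names, precedence values and
# settings are assumptions chosen for illustration.
Import-Module ActiveDirectory

# FGPPs require a domain functional level of Windows Server 2008 or higher.
$domain = Get-ADDomain
if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level '$($domain.DomainMode)' does not support fine-grained password policies."
}

# Lower precedence wins when several policies could apply to one user.
# Gaps between values leave room to insert policies later without renumbering.
$policies = @(
    @{
        Name                            = 'PSO-PrivilegedAccounts'   # assumed name
        Precedence                      = 10
        Description                     = 'Strict settings for administrative accounts'
        MinPasswordLength               = 20
        PasswordHistoryCount            = 24
        ComplexityEnabled               = $true
        ReversibleEncryptionEnabled     = $false   # never store passwords recoverably
        MinPasswordAge                  = (New-TimeSpan -Days 1)
        MaxPasswordAge                  = (New-TimeSpan -Days 90)
        LockoutThreshold                = 5
        LockoutDuration                 = (New-TimeSpan -Minutes 30)
        # The observation window may not exceed the lockout duration.
        LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
        ProtectedFromAccidentalDeletion = $true
    },
    @{
        Name                            = 'PSO-ServiceAccounts'      # assumed name
        Precedence                      = 20
        Description                     = 'Long random passwords, no lockout, for service accounts'
        MinPasswordLength               = 32
        PasswordHistoryCount            = 24
        ComplexityEnabled               = $true
        ReversibleEncryptionEnabled     = $false
        MinPasswordAge                  = (New-TimeSpan -Days 1)
        MaxPasswordAge                  = (New-TimeSpan -Days 365)
        # 0 disables lockout so an attacker cannot deny service by spraying
        # the account; the 32-character minimum is what resists guessing.
        LockoutThreshold                = 0
        LockoutDuration                 = (New-TimeSpan -Minutes 30)
        LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
        ProtectedFromAccidentalDeletion = $true
    }
)

# Read the existing PSOs once so both the name and the precedence checks are cheap.
$existing = Get-ADFineGrainedPasswordPolicy -Filter *

foreach ($p in $policies) {
    if ($existing | Where-Object Name -eq $p.Name) {
        Write-Host "FGPP '$($p.Name)' already exists; leaving it unchanged."
        continue
    }
    # Duplicate precedence values are legal, but the tie is then broken by
    # objectGUID order, which nobody chooses deliberately. Refuse the clash.
    $clash = $existing | Where-Object Precedence -eq $p.Precedence
    if ($clash) {
        throw "Precedence $($p.Precedence) is already used by '$($clash.Name)'; choose a unique value."
    }
    New-ADFineGrainedPasswordPolicy @p -PassThru |
        Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
}
```

Run it from a host with the RSAT Active Directory module as an account that can create objects in the System container (Domain Admins by default). Re-running it is safe: existing policies are reported and skipped rather than recreated.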

Applying an FGPP to a User or Group

A new FGPP applies to nobody until you link it to one or more users or groups. A PSO can be linked only to user objects and to global security groups; it cannot be linked to an OU, and a link to a distribution group or to a domain local or universal group has no effect. Linking to a group and managing its membership is easier to audit than linking to individual users. You can create the link in ADAC or with the Active Directory module for Windows PowerShell.

To apply an FGPP to a user or group by using ADAC

  1. Open ADAC, and then click the domain in the navigation pane.
  2. In the domain pane, double-click System, and then click Password Settings Container.
  3. In the Password Settings Container pane, double-click the FGPP that you want to apply.
  4. In the Directly Applies To section, click Add.
  5. Type the name of the user or global security group to which you want to apply the FGPP, and then click OK.
  6. Click OK.

To apply an FGPP to a user or group by using Windows PowerShell

  1. Open Windows PowerShell, and then run the following command to connect to AD:
    Import-Module ActiveDirectory
  2. Run the following command to apply the FGPP to a user (note that the parameter is -Subjects, plural; it accepts a comma-separated list):
    Add-ADFineGrainedPasswordPolicySubject -Identity "FGPP Name" -Subjects "User Name"
  3. Run the following command to apply the FGPP to a global security group:
    Add-ADFineGrainedPasswordPolicySubject -Identity "FGPP Name" -Subjects "Group Name"
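The function below is an added example, not code from the original article. It wraps the linking step with the check a practitioner wants: the subject must be a user or a global security group, because a link to any other group type is accepted by the directory but never applied. It also skips subjects that are already linked and confirms the result from the policy side. The policy name and group name in the usage call are assumptions.

```powershell
# Added example, not from the original article. Links a principal to an FGPP
# only if it is a user or a global security group, then confirms the link.
# The policy and group names used at the bottom are assumptions.
Import-Module ActiveDirectory

function Add-FgppSubjectChecked {
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [Parameter(Mandatory)] [string] $SubjectName
    )

    # Throws if the policy does not exist, which is the right outcome here.
    $pso = Get-ADFineGrainedPasswordPolicy -Identity $PolicyName

    $group = Get-ADGroup -Filter "SamAccountName -eq '$SubjectName'"
    if ($group) {
        # PSOs apply only to global security groups. A link to a distribution
        # group or a domain local / universal group is stored but has no effect,
        # so refuse it here instead of discovering it during an audit.
        if ($group.GroupCategory -ne 'Security' -or $group.GroupScope -ne 'Global') {
            throw "'$SubjectName' is a $($group.GroupScope) $($group.GroupCategory) group; FGPPs apply only to global security groups."
        }
        $subject = $group
    }
    else {
        # Not a group: it must be a user. Get-ADUser throws if it is not.
        $subject = Get-ADUser -Identity $SubjectName
    }

    # Skip the write if the subject is already linked (idempotent re-runs).
    $current = Get-ADFineGrainedPasswordPolicySubject -Identity $pso
    if ($current.DistinguishedName -contains $subject.DistinguishedName) {
        Write-Host "'$SubjectName' is already subject to '$PolicyName'."
    }
    else {
        Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $subject
        Write-Host "Linked '$SubjectName' to '$PolicyName'."
    }

    # Confirm from the policy side: this reads msDS-PSOAppliesTo on the PSO.
    Get-ADFineGrainedPasswordPolicySubject -Identity $pso |
        Select-Object Name, ObjectClass, DistinguishedName
}

# Assumed names for illustration.
Add-FgppSubjectChecked -PolicyName 'PSO-PrivilegedAccounts' -SubjectName 'Tier0-Admins'
```

The group check is the important part. Nothing in the directory stops you from linking a PSO to a universal group, and nothing warns you afterwards; the members simply keep the domain policy.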

Viewing the FGPPs Applied to a User or Group

Users and groups are not stored in the Password Settings Container, and the memberOf attribute lists group memberships, not password settings. The links live on the PSO (msDS-PSOAppliesTo) and are mirrored on each linked user or group as msDS-PSOApplied; for a user, the domain controller additionally computes msDS-ResultantPSO, the single PSO that is in effect after precedence resolution. You can read these attributes in ADAC or with the Active Directory module for Windows PowerShell.

To view the FGPPs applied to a user or group by using ADAC

  1. Open ADAC, and then click the domain in the navigation pane.
  2. Browse to the container or OU that holds the user or group (or use Global Search), and then double-click it.
  3. In the Extensions section, click the Attribute Editor tab.
  4. Find the msDS-PSOApplied attribute. It lists the FGPPs linked directly to this user or group; it is empty for a user who is covered only through group membership.
  5. For a user, also find the msDS-ResultantPSO attribute. It holds the one FGPP the domain controller has selected as effective. It is a constructed attribute, so if it is not shown, click Filter and enable constructed attributes. If it is empty, the domain password policy applies to the user.

To view the FGPPs applied to a user or group by using Windows PowerShell

  1. Open Windows PowerShell, and then run the following command to connect to AD:
    Import-Module ActiveDirectory
  2. Run the following command to see the FGPP that is in effect for a user. It returns nothing if the user is covered by the domain password policy only:
    Get-ADUserResultantPasswordPolicy -Identity "User Name"
  3. Run the following commands to see the FGPPs linked directly to a user or to a group:
    Get-ADUser -Identity "User Name" -Properties msDS-PSOApplied | Select-Object -ExpandProperty msDS-PSOApplied
    Get-ADGroup -Identity "Group Name" -Properties msDS-PSOApplied | Select-Object -ExpandProperty msDS-PSOApplied
  4. Run the following command to see everything a given FGPP is linked to, from the policy side:
    Get-ADFineGrainedPasswordPolicySubject -Identity "FGPP Name"
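The report below is an added example, not code from the original article; it serves both the precedence rules in the Overview and this viewing section. For every enabled user it records the effective policy as the domain controller computed it (msDS-ResultantPSO, falling back to the domain password policy), lists every PSO that could apply through a direct link or direct group membership, and flags users with more than one candidate, which is where precedence decides and where a mistake is most likely. Candidate detection uses direct group membership only (the user's memberOf), so a user reached through nested groups shows the effective policy correctly but may show fewer candidates than the domain controller considered. The search base and output fields are assumptions.

```powershell
# Added example, not from the original article. Reports the effective password
# policy for every enabled user and flags precedence conflicts. Uses direct
# group membership for the candidate list; the DC's msDS-ResultantPSO is the
# authoritative answer. Search base is an assumption (defaults to the domain).
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicyReport {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)

    $default = Get-ADDefaultDomainPasswordPolicy
    $psos    = Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties 'msDS-ResultantPSO', 'msDS-PSOApplied', 'MemberOf' |
    ForEach-Object {
        $user = $_

        # Every PSO that names the user directly or names a group the user is
        # a direct member of. More than one candidate means precedence decided.
        $candidates = @($psos | Where-Object {
            $_.AppliesTo -contains $user.DistinguishedName -or
            ($_.AppliesTo | Where-Object { $user.MemberOf -contains $_ })
        })

        # What the domain controller actually applies, after precedence rules
        # (direct link beats group link, then lowest precedence, then lowest GUID).
        $resultantDn = $user.'msDS-ResultantPSO'
        $effective   = if ($resultantDn) { $psos | Where-Object DistinguishedName -eq $resultantDn } else { $null }

        [pscustomobject]@{
            User              = $user.SamAccountName
            EffectivePolicy   = if ($effective) { $effective.Name } else { 'Domain password policy' }
            Precedence        = if ($effective) { $effective.Precedence } else { $null }
            MinPasswordLength = if ($effective) { $effective.MinPasswordLength } else { $default.MinPasswordLength }
            MaxPasswordAge    = if ($effective) { $effective.MaxPasswordAge } else { $default.MaxPasswordAge }
            LockoutThreshold  = if ($effective) { $effective.LockoutThreshold } else { $default.LockoutThreshold }
            DirectlyLinked    = @($user.'msDS-PSOApplied').Count -gt 0
            CandidatePolicies = ($candidates.Name -join ', ')
            Conflict          = $candidates.Count -gt 1
        }
    }
}

# Conflicts first, then the accounts still on the domain policy, which is
# where a privileged account that was never added to a group will show up.
Get-EffectivePasswordPolicyReport |
    Sort-Object Conflict, EffectivePolicy -Descending |
    Format-Table User, EffectivePolicy, Precedence, MinPasswordLength, LockoutThreshold, CandidatePolicies, Conflict -AutoSize
```

Two readings of the output matter. A privileged account whose EffectivePolicy is the domain password policy has not been picked up by any PSO and needs a group membership fixed. A user with Conflict set to True is governed by whichever candidate has the lowest precedence; check that the one shown as effective is the stricter one, because a loose baseline policy with a low precedence value silently wins over a strict admin policy with a higher one.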

Removing an FGPP from a User or Group

You can use ADAC or the Active Directory module for Windows PowerShell to remove an FGPP from a user or group.

To remove an FGPP from a user or group by using ADAC

  1. Open ADAC, and then click the domain in the navigation pane.
  2. In the domain pane, double-click System, and then click Password Settings Container.
  3. In the Password Settings Container pane, click the FGPP whose link you want to remove.
  4. Double-click the FGPP to open it.
  5. In the Properties dialog