Managing Active Directory Fine-Grained Password Policy Precedence in Server 2022

Posted on 18th June 2023

Introduction

Active Directory Domain Services on Windows Server 2022 supports fine-grained password policies (FGPP), which let you store several password and account-lockout policies in a single domain and apply different ones to different users and global security groups. Without FGPP a domain enforces exactly one password policy, the one defined in the Default Domain Policy GPO; FGPP does not change how that default is applied, it layers per-user and per-group overrides on top of it.

FGPP is not new in Server 2022. It was introduced with Windows Server 2008 (it requires the Windows Server 2008 domain functional level or higher) and in that release could only be managed with low-level tools such as ADSI Edit or ldifde. Windows Server 2012 added a graphical editor in the Active Directory Administrative Center (ADAC), and the ActiveDirectory PowerShell module has shipped the *-ADFineGrainedPasswordPolicy cmdlets since Server 2008 R2.

Storing Password Policies in Active Directory

Each fine-grained policy is stored as an object of class msDS-PasswordSettings, known as a Password Settings Object (PSO), in the Password Settings Container (CN=Password Settings Container,CN=System,DC=contoso,DC=com for the contoso.com domain). You can list them generically with Get-ADObject, or with the purpose-built Get-ADFineGrainedPasswordPolicy cmdlet, which exposes the same attributes under friendlier names (Precedence, MinPasswordLength, AppliesTo and so on):

Get-ADObject -Filter 'ObjectClass -eq "msDS-PasswordSettings"' -Properties msDS-PasswordSettingsPrecedence, msDS-PSOAppliesTo

Each PSO carries the same settings as a domain password policy (minimum length, minimum and maximum age, history, complexity, reversible encryption, and the three lockout settings). The attributes that matter most for precedence and for security review are:

  • msDS-PasswordSettingsPrecedence: decides which PSO wins when more than one could apply to a user. The PSO with the lowest precedence value wins and the others are ignored; only one PSO is ever applied to a user, and settings are never merged across PSOs. The value must be a positive integer and should be unique per PSO: if two candidate PSOs tie, AD picks the one with the lowest objectGUID, which nobody chose on purpose.
  • msDS-PasswordComplexityEnabled: whether passwords must meet the standard Windows complexity rules (characters from at least three of the defined character categories, and no part of the account name).
  • msDS-PasswordHistoryLength: how many previous passwords are remembered and refused when the user sets a new one.
  • msDS-PasswordReversibleEncryptionEnabled: whether the password is stored with reversible encryption. Leave this false. Reversible encryption is equivalent to storing the plaintext: anyone who can read the directory database, for example through a DCSync-style replication request or a copy of ntds.dit, recovers every affected password in the clear.
  • msDS-PSOAppliesTo: the users and global security groups the PSO is linked to. User objects carry the matching back-link msDS-PSOApplied, and the constructed attribute msDS-ResultantPSO on a user names the PSO that actually wins for that user.

Because a PSO is an ordinary directory object, you can modify it with Set-ADObject. The attribute and its new value are passed as a hashtable, and the attribute is msDS-PasswordSettingsPrecedence (there is no attribute simply called Precedence). For example, to give the PSO named Policy1 precedence 1:

Set-ADObject -Identity 'CN=Policy1,CN=Password Settings Container,CN=System,DC=contoso,DC=com' -Replace @{'msDS-PasswordSettingsPrecedence'=1}

The equivalent with the dedicated cmdlet is Set-ADFineGrainedPasswordPolicy -Identity Policy1 -Precedence 1. Before setting a precedence value, check that no other PSO already uses it.
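The attribute list above is what a reviewer checks across all PSOs at once. The script below is an added example, not code from the original article: it enumerates every PSO with Get-ADFineGrainedPasswordPolicy and flags the settings a security engineer would question (reversible encryption, complexity off, short length or history, lockout disabled, a precedence value shared with another PSO, and PSOs linked to nothing). It assumes the ActiveDirectory module (RSAT) and read access to the domain; the baseline thresholds are this example's assumptions, not a Microsoft recommendation.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module (RSAT) and read access to the domain; the baseline thresholds below are
# this example's assumptions, not a Microsoft recommendation.
Import-Module ActiveDirectory

function Get-PsoAuditReport {
    [CmdletBinding()]
    param(
        [int]$MinLength           = 14,  # flag PSOs with a shorter minimum length
        [int]$MinHistory          = 24,  # flag PSOs remembering fewer old passwords
        [int]$MaxLockoutThreshold = 10   # flag PSOs allowing more failed logons
    )

    # Get-ADFineGrainedPasswordPolicy returns the msDS-PasswordSettings objects
    # from CN=Password Settings Container,CN=System,<domain DN>.
    $psos = @(Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo)

    # Duplicate precedence values are a latent misconfiguration: the tie is
    # broken by objectGUID, which nobody chose on purpose.
    $sharedPrecedence = $psos | Group-Object -Property Precedence |
        Where-Object { $_.Count -gt 1 } | ForEach-Object { [int]$_.Name }

    foreach ($pso in ($psos | Sort-Object -Property Precedence)) {
        $findings = New-Object 'System.Collections.Generic.List[string]'

        if ($pso.ReversibleEncryptionEnabled) {
            $findings.Add('reversible encryption enabled (plaintext-equivalent storage)')
        }
        if (-not $pso.ComplexityEnabled) {
            $findings.Add('complexity disabled')
        }
        if ($pso.MinPasswordLength -lt $MinLength) {
            $findings.Add("minimum length $($pso.MinPasswordLength) is below $MinLength")
        }
        if ($pso.PasswordHistoryCount -lt $MinHistory) {
            $findings.Add("history $($pso.PasswordHistoryCount) is below $MinHistory")
        }
        if ($pso.LockoutThreshold -eq 0) {
            $findings.Add('account lockout disabled')
        } elseif ($pso.LockoutThreshold -gt $MaxLockoutThreshold) {
            $findings.Add("lockout threshold $($pso.LockoutThreshold) is above $MaxLockoutThreshold")
        }
        if ($sharedPrecedence -contains $pso.Precedence) {
            $findings.Add("precedence $($pso.Precedence) is shared with another PSO")
        }
        if (-not $pso.AppliesTo) {
            $findings.Add('linked to nothing (dead policy)')
        }

        # AppliesTo holds the DNs from msDS-PSOAppliesTo; show just the leading
        # RDN value (good enough for a report, not a full DN parser).
        $subjects = @($pso.AppliesTo | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })

        [pscustomobject]@{
            Name       = $pso.Name
            Precedence = $pso.Precedence
            MinLength  = $pso.MinPasswordLength
            History    = $pso.PasswordHistoryCount
            Lockout    = $pso.LockoutThreshold
            AppliesTo  = $subjects -join '; '
            Findings   = $findings -join '; '
        }
    }
}

# Usage: every PSO, lowest precedence (highest priority) first, with findings.
Get-PsoAuditReport | Format-Table -AutoSize -Wrap
```

The report is sorted by precedence so the first rows are the policies that win most often; a PSO that appears there with an empty AppliesTo column, or with a finding about shared precedence, is the one to fix first.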

Applying Password Policies to User Accounts

A PSO does nothing until it is linked to one or more subjects. Subjects can be user objects or global security groups; linking a PSO to a domain local or universal group, a distribution group, or a computer object has no effect. You do not set a precedence value on the user account (msDS-PasswordSettingsPrecedence exists only on the PSO). Instead, you add the user or group to the PSO's msDS-PSOAppliesTo attribute. For example, to apply the PSO Policy1 to the user account "CN=User1,CN=Users,DC=contoso,DC=com", you would use the following command:

Set-ADObject -Identity 'CN=Policy1,CN=Password Settings Container,CN=System,DC=contoso,DC=com' -Add @{'msDS-PSOAppliesTo'='CN=User1,CN=Users,DC=contoso,DC=com'}

The dedicated cmdlet for the same operation is Add-ADFineGrainedPasswordPolicySubject -Identity Policy1 -Subjects User1. Prefer linking groups over individual users: a PSO linked directly to a user beats every PSO linked through group membership, whatever their precedence values, so direct links are a common source of surprises.

To see which PSOs are linked to a user, read the back-link attribute msDS-PSOApplied with Get-ADUser -Properties msDS-PSOApplied. To see which one actually wins, read the constructed attribute msDS-ResultantPSO the same way, or run Get-ADUserResultantPasswordPolicy, which returns the winning PSO's settings and nothing at all when the Default Domain Policy applies.

Enforcing Password Policies

Fine-grained password policies have been enforced by every writable domain controller since they were introduced; there was never a release in which only the PDC Emulator could enforce them. The PDC Emulator's role is different: it receives urgent replication of password changes and lockouts, and a DC that rejects a password consults it in case the password was just changed elsewhere. The real prerequisite is the domain functional level: FGPP requires Windows Server 2008 domain functional level or higher, and PSOs are not evaluated below that level.

Policy is evaluated at the moment it matters. When a password is set or changed, the DC handling the change computes the user's resultant PSO and checks the new password against that PSO's length, history, complexity and minimum-age rules. The account-lockout settings from the same PSO are applied when a DC processes failed logons. If no PSO applies to the user, the settings from the Default Domain Policy are used.

You can use the Get-ADDomain cmdlet to view the domain functional level (DomainMode), the domain's DCs (ReplicaDirectoryServers and ReadOnlyReplicaDirectoryServers) and the FSMO role holders. To see which DC holds the PDC Emulator role, use the following command:

Get-ADDomain -Identity contoso.com | Select-Object -ExpandProperty PDCEmulator
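Because enforcement happens per user at password-change time, the practical question is "which settings will this account actually be held to?". The script below is an added example, not code from the original article: it checks that the domain functional level allows PSOs at all, resolves each account's resultant PSO with Get-ADUserResultantPasswordPolicy, and falls back to Get-ADDefaultDomainPasswordPolicy when no PSO applies, so the output shows the enforced settings either way. It assumes the ActiveDirectory module and read access to the accounts; the account names in the usage line are assumptions.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module and read access to the users being checked.
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName
    )

    $domain = Get-ADDomain

    # PSOs are only evaluated at Windows Server 2008 domain functional level or
    # higher; below that only the Default Domain Policy is enforced.
    $minMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    $fgppSupported = [int]$domain.DomainMode -ge $minMode
    if (-not $fgppSupported) {
        Write-Warning "Domain functional level is $($domain.DomainMode); PSOs are stored but not enforced."
    }

    # What applies when no PSO is linked to the user or to any global security
    # group the user belongs to.
    $default = Get-ADDefaultDomainPasswordPolicy

    foreach ($sam in $SamAccountName) {
        $user = Get-ADUser -Identity $sam -Properties 'msDS-PSOApplied'

        # Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies,
        # hence the fallback to the domain default below.
        $pso = $null
        if ($fgppSupported) {
            $pso = Get-ADUserResultantPasswordPolicy -Identity $user -ErrorAction SilentlyContinue
        }
        $policy = if ($pso) { $pso } else { $default }

        [pscustomobject]@{
            User             = $user.SamAccountName
            Source           = if ($pso) { "PSO '$($pso.Name)' (precedence $($pso.Precedence))" } else { 'Default Domain Policy' }
            # PSOs linked straight to the user; these beat any group-linked PSO.
            DirectlyLinked   = ($user.'msDS-PSOApplied' | Measure-Object).Count
            MinLength        = $policy.MinPasswordLength
            History          = $policy.PasswordHistoryCount
            Complexity       = $policy.ComplexityEnabled
            Reversible       = $policy.ReversibleEncryptionEnabled
            LockoutThreshold = $policy.LockoutThreshold
            MaxPasswordAge   = $policy.MaxPasswordAge
        }
    }
}

# Usage: compare a privileged and an ordinary account (account names are assumptions).
Get-EffectivePasswordPolicy -SamAccountName 'administrator', 'jdoe' | Format-List
```

Run this against a few accounts from each population you meant to cover. A privileged account whose Source column reads "Default Domain Policy" means the PSO you built for it is linked to the wrong kind of group, or not linked at all.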

Conclusion

FGPP is unchanged in Server 2022, but it remains the only supported way to run more than one password and lockout policy in a single domain. The attribute that decides who gets which policy is msDS-PasswordSettingsPrecedence, and the two things worth checking regularly are that every PSO has a unique precedence value and that no PSO enables reversible encryption.

Managing Active Directory Fine-Grained Password Policy Precedence in Server 2012 R2

Introduction

In Server 2012 R2, there are two ways to manage the precedence of Fine-Grained Password Policies (FGPP). You can use the Password Settings editor in the Active Directory Administrative Center (ADAC), added in Server 2012, or you can continue with the Server 2008 R2 method of editing the Password Settings Object (PSO) directly with ADSI Edit. FGPP settings live in the directory, so neither method involves the registry.

Password Settings Object Precedence

The ADAC editor lets you manage PSOs and their precedence without touching raw attributes. Open ADAC, switch to tree view, navigate to [Domain Name] > System > Password Settings Container, and open a PSO (or create one with New > Password Settings). There is no separate precedence tab: the Precedence field is on the PSO's own properties page next to the length, history, complexity and lockout settings, and the Directly Applies To section at the bottom lists the users and global security groups the PSO is linked to.

Precedence is a number on each PSO, not a position in a list, so "reordering" means giving each PSO a distinct value. For a given user the PSO with the lowest precedence value wins (a PSO linked directly to the user beats any PSO linked through group membership). If two PSOs that apply to the same user share the same precedence value, AD breaks the tie by choosing the PSO with the mathematically lowest objectGUID, not the one that was created first, so duplicate values should be treated as a misconfiguration rather than relied on.

Editing the PSO Directly

If you prefer, you can manage precedence the Server 2008 R2 way, by editing the PSO object itself. Open ADSI Edit, connect to the Default naming context, and navigate to the following container:

CN=Password Settings Container,CN=System,DC=contoso,DC=com

Open the properties of the PSO you want to change and edit the msDS-PasswordSettingsPrecedence attribute (a positive integer; lower wins). The change takes effect as soon as it replicates to the DC that handles a user's next password change; no service needs restarting. Be careful in ADSI Edit: it performs no validation, so a duplicate precedence value or an accidental edit to the wrong PSO is saved silently.

Conclusion

In this article, we have looked at two ways to manage the precedence of Fine-Grained Password Policies in Server 2012 R2: the Password Settings editor in the ADAC, and direct editing of the PSO's msDS-PasswordSettingsPrecedence attribute with ADSI Edit. Whichever you use, the rules are the same: one PSO per user, lowest precedence wins, direct links beat group links, and ties are broken by objectGUID.

On Windows Server 2022, Active Directory Domain Services (AD DS) lets you implement multiple password policies within a single domain, provided the domain functional level is Windows Server 2008 or higher. These are known as fine-grained password policies (FGPPs). FGPPs can be used to enforce different password and account-lockout policies for different sets of users within a domain, for example a longer minimum length and a stricter lockout threshold for privileged accounts.

FGPPs are implemented as Password Settings Objects (PSOs) in the AD DS database, under CN=Password Settings Container,CN=System. Each PSO is linked to one or more subjects, which can be user accounts or global security groups. When a user sets or changes a password, the DC computes the user's resultant PSO: the lowest-precedence PSO linked directly to the user if there is one, otherwise the lowest-precedence PSO linked to any global security group the user belongs to.

Precedence is a property of the PSO (the msDS-PasswordSettingsPrecedence attribute), not of the groups, and the groups linked to a PSO have no order among themselves. The PSO with the lowest precedence number wins, so 1 is the highest priority. If a user is a member of several groups that are linked to different PSOs, the PSO with the lowest precedence number takes precedence; if two candidates share the same number, the one with the lowest objectGUID is chosen.

It is important to note that precedence only selects which single PSO is applied. The settings of the winning PSO are applied as a whole; they are not merged with, and do not fall through to, the settings of any other PSO or of the Default Domain Policy. The Default Domain Policy applies only when no PSO is linked to the user or to any of the user's global security groups.

In order to manage FGPP precedence in Server 2022, you use the cmdlets of the ActiveDirectory PowerShell module. Set-ADFineGrainedPasswordPolicy modifies a PSO's settings, including its precedence. Add-ADFineGrainedPasswordPolicySubject and Remove-ADFineGrainedPasswordPolicySubject link and unlink users and global security groups, and Get-ADFineGrainedPasswordPolicySubject lists what a PSO is linked to. Set-ADDomain is not involved: it manages domain-level properties such as the PDC Emulator and allowed DNS suffixes and has no parameters for PSOs.

The following example shows how to change a PSO's precedence. In this example, a PSO named Admins-PSO (an illustrative name) is moved from precedence 3 to precedence 1, so for the users and groups it is linked to it will now win over every PSO with a higher number. Check with Get-ADFineGrainedPasswordPolicy -Filter * that no other PSO already uses 1 before running it:

PS C:\> Set-ADFineGrainedPasswordPolicy -Identity Admins-PSO -Precedence 1

The following example shows how to link a security group to a PSO. In this example, the "Domain Admins" global security group is added to Admins-PSO, so its members receive that PSO unless a PSO with a lower precedence, or one linked directly to the user, also applies. Note that "Account Operators" would not work here: it is a built-in domain local group, and PSOs only take effect on users and global security groups.

PS C:\> Add-ADFineGrainedPasswordPolicySubject -Identity Admins-PSO -Subjects 'Domain Admins'

The following example shows how to unlink a security group from a PSO. In this example, "Domain Admins" is removed from Admins-PSO; its members then fall back to the next applicable PSO, or to the Default Domain Policy if none applies.

PS C:\> Remove-ADFineGrainedPasswordPolicySubject -Identity Admins-PSO -Subjects 'Domain Admins'
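The three operations above, and the precedence editing described in the Server 2012 R2 section earlier on this page, share the same two failure modes: a precedence value that collides with another PSO, and a link to a group of the wrong scope. The script below is an added example, not code from the original article: it wraps the cmdlets with those two checks and reads the user's constructed msDS-ResultantPSO attribute back after each change, which is the only reliable way to confirm that a link did what you intended. It assumes the ActiveDirectory module and rights to modify the Password Settings Container; the PSO name Admins-PSO and the account names in the usage lines are assumptions.

```powershell
# Added example, not code from the original article. Assumes the ActiveDirectory
# module and rights to modify objects in the Password Settings Container. The
# PSO and account names in the usage lines are illustrative.
Import-Module ActiveDirectory

# PSOs only take effect on user objects and global security groups. Links to
# domain local or universal groups, distribution groups or computers are
# accepted by the directory but never evaluated, so refuse them up front.
function Test-PsoSubject {
    param([Parameter(Mandatory)][string]$Identity)

    $obj = Get-ADObject -Filter "SamAccountName -eq '$Identity'" -Properties objectClass
    if (-not $obj) { throw "No object with sAMAccountName '$Identity'" }

    switch ($obj.ObjectClass) {
        'user'  { return $true }
        'group' {
            $group = Get-ADGroup -Identity $obj.DistinguishedName
            return ($group.GroupScope -eq 'Global' -and $group.GroupCategory -eq 'Security')
        }
        default { return $false }
    }
}

function Set-PsoPrecedence {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$Precedence,
        [switch]$Force
    )
    # A shared precedence value is resolved by lowest objectGUID, which is not a
    # choice anyone made, so refuse it unless explicitly forced.
    $clash = Get-ADFineGrainedPasswordPolicy -Filter * |
        Where-Object { $_.Precedence -eq $Precedence -and $_.Name -ne $Name }
    if ($clash -and -not $Force) {
        throw "Precedence $Precedence is already used by '$($clash.Name -join ', ')'. Choose a free value or pass -Force."
    }
    Set-ADFineGrainedPasswordPolicy -Identity $Name -Precedence $Precedence
}

function Add-PsoSubject {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Subject
    )
    foreach ($s in $Subject) {
        if (-not (Test-PsoSubject -Identity $s)) {
            Write-Warning "'$s' is not a user or global security group; a PSO linked to it would never apply. Skipped."
            continue
        }
        Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $s
    }
}

# The winning PSO is a constructed attribute on the user; read it back after
# every change instead of assuming the link did what you expected.
function Get-ResultantPso {
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    foreach ($sam in $SamAccountName) {
        $u = Get-ADUser -Identity $sam -Properties 'msDS-PSOApplied', 'msDS-ResultantPSO'
        [pscustomobject]@{
            User           = $sam
            DirectlyLinked = @($u.'msDS-PSOApplied') -join '; '   # PSOs linked to the user itself
            Resultant      = $u.'msDS-ResultantPSO'               # DN of the winning PSO, or empty
        }
    }
}

# Usage (illustrative names). 'Account Operators' is a built-in domain local
# group, so Add-PsoSubject warns and skips it; 'Domain Admins' is global and is linked.
Set-PsoPrecedence -Name 'Admins-PSO' -Precedence 1
Add-PsoSubject -Name 'Admins-PSO' -Subject 'Domain Admins', 'Account Operators'
Get-ResultantPso -SamAccountName 'administrator'
Remove-ADFineGrainedPasswordPolicySubject -Identity 'Admins-PSO' -Subjects 'Domain Admins'
Get-ResultantPso -SamAccountName 'administrator'
```

After the Remove call the Resultant column for the administrator account should change to another PSO's DN or go empty (Default Domain Policy); if it still names Admins-PSO, the account is also linked to that PSO directly or through another global group, which is exactly the situation the DirectlyLinked column is there to expose.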