Fine-Grained Password Policies User Interface in Windows 2012 R2 and Newer


Ace again! Let’s talk about FGPP!

When Active Directory was first introduced in Windows Server 2000, you can only create one password policy for the domain. That was configured in the Default Domain Policy. If you attempted to create a GPO linked to an OU with password policy settings, the Active Directory CSEs (Client Side Extensions – the client side DLLs that determine, download and run GPOs assigned to the computer or user) will ignore them.

FGGP Expanded Requirements

Therefore if an IT infrastructure design required a different password for different locations or users, the only option was to either create a password filter or create a separate child domain or a new Tree in the forest. Of course this came with design challenges, additional hardware and administrative overhead. For a number of years, this was a limitation that IT administrators had no real solution or alternative.

To provide a solution, Fine-Grained Password Policies (FGPPPs), were introduced in Windows Server 2008, continued in Windows 2008 R2. They provided administrators to create a Password Settings Policy (PSO) for a set of user accounts or groups and cannot be linked to GPOs, and the only way to create and administer PSOs and FGGPs are using low-level utilities, such as ADSI Edit.

Windows Server 2012 introduced a new GUI to ease creation and administration of PSOs and FGPPs. In this section, we will learn about the new FGPP and PSO features, and how to create administer them.

  • Why would we need an FGGP?
  • Understanding Password Settings Objects (PSOs)
  • What’s new in Windows 2012 FGGP?
  • PSO Resultant Set of Policies (RSOP)
  • What’s required to implement FGGPs? PowerShell and FGGPs

Why would we need a FGGP?

You can use fine-grained password policies to specify specific password policies in a single domain by applying different restrictions settings for password and account lockout policies to different sets of users and groups in a domain.

For example, you can apply stricter settings to privileged accounts such as administrator accounts, or executive accounts, and apply less strict settings to the accounts of other users. You can also create special password policies for accounts that get their passwords synchronized with other data sources or applications.

Understanding Password Settings Objects (PSOs)

Password Settings Objects (PSOs) have identical password settings as the password policy in a GPO. These settings include password length, complexity, account lockout, password minimum and maximum age, password history settings, PSO link, and Precedence.

PSOs are not linked to an OU. PSOs are applied users or groups. To help keep track of PSOs to an OU, for example, administrators can create an Active Directory group in an OU that is identically named as the group name.

With Windows Server 2008 and Windows Server 2008 R2, ADSI Edit (Active Directory Services Editor), a low level editor, is required to create, modify and apply PSOs to users or groups. ADSI Edit is akin to a “registry editor” that allows you to modify data in the various partitions in the AD database. Using ADSI Edit requires additional knowledge and skill level by an administrator to understand the various Active Directory database partitions and how to access them.

What’s new in Windows Server 2012 FGGPs?

In Windows Server 2012, creating and managing fine-grained password policy can now be performed using a user interface, the ADAC (Active Directory Administration Center), vastly improving ease of administration.

Administrators can now visually see a specific user’s resultant set of policies (RSOP), view and sort all password policies within a given domain, and manage individual password policies.


PSO Resultant Set of Policies (RSOP)

If a user or group has multiple PSOs linked to them, possibly because they are part of multiple Active Directory groups that have different PSOs, only one PSO can be applied. Therefore, the RSOP must be evaluated to insure the correct PSO is applied.

To determine and calculate the RSOP, each PSO has an additional attribute called the msDS-PasswordSettingsPrecedence.

The msDS-PasswordSettingsPrecedence attribute has an integer value of 1 or greater. The lower the value, the higher precedence it has. In a scenario where an AD group has two PSOs linked, with one of them having a value of 2, and the a value of 4, then the PSO with a value of 2 wins, and is applied to the AD group.

RSOP msDS-PasswordSettingsPrecedence Logic:

• A PSO that is linked directly to the user object is the resultant PSO. (Multiple PSOs should not be directly linked to users.)

• If no PSO is linked directly to the user object, the global security group memberships of the user, and all PSOs that are applicable to the user based on those global group memberships, are compared. The PSO with the lowest precedence value is the resultant PSO.

• If no PSO is obtained from conditions (1) and (2), the Default Domain Policy is applied.

Additional reading on RSOP:

AD DS: Fine-Grained Password Policies

What’s required to implement FGGPs?

To point out, Fine-grained password policies can only be applied to global security groups and user objects (or inetOrgPerson objects, a specific attribute some third party applications may use, if they are used instead of user objects).

Requirements include:

  • Only members of the Domain Admins group can set fine-grained password policies, however, the tasks can be delegated to other users.
  • The domain functional level must be Windows Server 2008 or higher.
  • You must use the Windows Server 2012 version of ADAC (Active Directory Administrative Center) to administer fine-grained password policies through a graphical user interface.

Server Manager can be used to install the RSAT tools (Remote Server Administration Tools) on Windows Server 2012 computers to use the correct version of Active Directory Administrative Center to manage Recycle Bin through a user interface.

  • You can use RSAT on Windows® 8 computers to use the correct version of Active Directory Administrative Center to manage FGGPs.

PowerShell and FGGPs

PowerShell can also be used to create and manage FGGPs. For example, the command below will create the following settings:

  • • PSO Name: TestPswd
  • • Complexity: Enabled
  • • Lockout Duration: 30 Minutes
  • • Lockout Observation Windows: 30 Minutes
  • • Lockout Threshold: 0 Minutes
  • • MaxPasswordAge: 42 Days
  • • Minimum Password Age: 1 Day
  • • MinPasswordLength: 7 characters
  • • PasswordHistoryCount: 24 passwords remembered that you can’t use
  • • ProtectedFromAccidentalDeletion: Yes (prevents accidental deletion)
  • • Security Principal Applied to: AD Group called “group1”
New-ADFineGrainedPasswordPolicy TestPswd -ComplexityEnabled:$true -LockoutDuration:"00:30:00" -LockoutObservationWindow:"00:30:00" -LockoutThreshold:"0" -MaxPasswordAge:"42.00:00:00" -MinPasswordAge:"1.00:00:00" -MinPasswordLength:"7" -PasswordHistoryCount:"24" -Precedence:"1" -ReversibleEncryptionEnabled:$false -ProtectedFromAccidentalDeletion:$true
Add-ADFineGrainedPasswordPolicySubject TestPswd -Subjects group1
Additional Reading:

AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide

Introduction to Active Directory Administrative Center Enhancements (Level 100)

Creating fine grained password policies through GUI Windows server 2012 “Server 8 beta”
Microsoft Technet, by Tamer Sherif Mahmoud, Team Blog of MCS



Stay tuned for more on Azure and Cloud Computing

Published 10/15/2016

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services

clip_image0023[2][2][2] clip_image0043[2][2][2] clip_image0063[2][2][2] clip_image0083[2][2][2] clip_image0103[2][2][2] clip_image0123[2][2][2] clip_image0143[2][2][2] clip_image0163[2][2][2]

Complete List of Technical Blogs:

This posting is provided AS-IS with no warranties or guarantees and confers no rights.