Fine-Grained Password Policies in Windows Server 2012 R2


The fine-grained password policies feature was introduced in Windows Server 2008. It allows organizations to define more than one password and account lockout policy in a single domain, and to apply those policies to different sets of users. Prior to Windows Server 2012, you had to use PowerShell, ADSI Edit or the Ldifde command-line utility to create the Password Settings Objects (PSOs) that define fine-grained password policies. In Server 2012 and 2012 R2, you can use the GUI-based Active Directory Administrative Center (ADAC) to create PSOs and view the resultant password settings for particular users in your environment.

 

Limitations of fine-grained password policies

  • Can only be applied to users and global security groups, which means they cannot be applied to OUs.
  • Domain functional level must be Windows Server 2008
  • By default only Domain Admins can set fine-grained password policies on users and groups, but this ability can be delegated to other users

 

1. Create and apply a PSO

 

Fine-grained password policies are defined by creating Password Settings Objects, and then applying those to users and groups. In Server 2012 and 2012 R2 you can use Active Directory Administrative Center and Windows PowerShell to create and apply PSOs.


It’s important to keep in mind that a user can only have one effective password and account lockout policy. If more than one PSO is applied to a user, either directly or through group membership, the precedence value of each PSO determines which one wins. A lower precedence value means a higher rank, so the PSO with the lowest precedence value becomes the effective PSO for the user. The exception to this rule is that PSOs applied directly to a user always prevail over PSOs applied to groups (which reach the user through group membership).


If no PSOs are applied to a user, the Default Domain Policy will be applied to that user.
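
The precedence rules above can be modelled offline. The following is an added example, not part of the original article: Resolve-EffectivePso is a hypothetical helper (not an ActiveDirectory cmdlet), and all PSO, user and group data is constructed, with PSO2 mirroring the values used later in this article.

```powershell
# Constructed sample data. PSO1, PSO3 and the memberships passed in below are illustrative only.
$psos = @(
    [pscustomobject]@{ Name = 'PSO1'; Precedence = 10; AppliesTo = @('Managers') }
    [pscustomobject]@{ Name = 'PSO2'; Precedence = 5;  AppliesTo = @('Data', 'Managers') }
    [pscustomobject]@{ Name = 'PSO3'; Precedence = 20; AppliesTo = @('rjones') }
)

function Resolve-EffectivePso {
    # Hypothetical helper that models the selection rule; it does not query Active Directory.
    param(
        [Parameter(Mandatory)] [string]   $User,
        [string[]] $Groups = @(),
        [Parameter(Mandatory)] [object[]] $Psos
    )

    # PSOs linked directly to the user account.
    $direct = @($Psos | Where-Object { $_.AppliesTo -contains $User })

    # PSOs linked to any group the user is a member of.
    $viaGroup = @($Psos | Where-Object {
        $pso = $_
        @($Groups | Where-Object { $pso.AppliesTo -contains $_ }).Count -gt 0
    })

    # Directly applied PSOs always prevail; group PSOs are considered only if there are none.
    $candidates = @(if ($direct.Count -gt 0) { $direct } else { $viaGroup })

    # No PSO at all: the Default Domain Policy applies.
    if ($candidates.Count -eq 0) { return 'Default Domain Policy' }

    # Among the remaining candidates, the lowest precedence value wins.
    # Ties between equal precedence values are not modelled here.
    ($candidates | Sort-Object Precedence | Select-Object -First 1).Name
}

# rjones has a direct PSO (precedence 20) and also inherits PSO1 and PSO2 through groups.
Resolve-EffectivePso -User 'rjones' -Groups 'Data', 'Managers' -Psos $psos
# asmith has no direct PSO and is a member of both groups.
Resolve-EffectivePso -User 'asmith' -Groups 'Data', 'Managers' -Psos $psos
# bwhite is only in a group with no PSO linked to it.
Resolve-EffectivePso -User 'bwhite' -Groups 'Sales' -Psos $psos
```

Comparing the three calls shows that a direct PSO wins even with a numerically higher precedence value than a group-linked one. On a domain-joined host, the live answer for a user comes from Get-ADUserResultantPasswordPolicy, covered in section 2.2.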

 

1.1 Create and apply a PSO using ADAC

 

1.1.1 Start Active Directory Administrative Center
1.1.2 Select Domain name → System → Password Settings Container

 

1.1.3 Right-click inside the Password Settings Container → New → Password Settings

 

1.1.4 Fill in the appropriate information on the Create Password Settings properties page


1.1.5 Click Add in the Directly Applies To section, and select the users/groups you want to apply the PSO to


1.1.6 Finally, click OK to create the PSO

 

1.2 Create and apply a PSO using PowerShell

 

1.2.1 Use the New-ADFineGrainedPasswordPolicy cmdlet to create the PSO. The following example creates a PSO named PSO2, with exactly the same settings as we defined in the PSO we created with ADAC. The parameters for the cmdlet are pretty much self-explanatory.

New-ADFineGrainedPasswordPolicy -Name "PSO2" -Precedence 5 -ComplexityEnabled $false -Description "PSO Number 2" -DisplayName "PSO2" -LockoutDuration "0.00:30:00" -LockoutObservationWindow "0.00:30:00" -LockoutThreshold 5 -MaxPasswordAge "42.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 7 -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true

 

1.2.2 Use the Add-ADFineGrainedPasswordPolicySubject cmdlet to apply PSOs to users and groups. The following example applies PSO2 to the Data and Managers groups.

 

Add-ADFineGrainedPasswordPolicySubject PSO2 -Subjects Data,Managers

 

1.2.3 Verify in Active Directory Administrative Center that the settings and assignment of the PSO have been applied correctly

 

2. View the Resultant PSO for a user

 

2.1 Viewing the resultant PSO for a user in ADAC

 

2.1.1 Locate the user in ADAC
2.1.2 Right-click user → View resultant password settings

2.1.3 The PSO applied to the user will be displayed

 

2.2 Viewing the resultant PSO for a user in PowerShell

 

2.2.1 Use the Get-ADUserResultantPasswordPolicy cmdlet. The following example gets the resultant PSO for the same user (rjones).

Get-ADUserResultantPasswordPolicy rjones

 
