Fine-Grained Password Policies in Windows Server 2008 R2

Before Windows Server 2008, organizations had to rely on third-party products to define different password and account lockout policies for different sets of users in a domain. In Server 2000 and 2003, there could be only one password and account lockout policy in a domain, and it was specified in the Default Domain Policy, unless third-party products were utilized. In Windows Server 2008 and newer, organizations can define more than one password and account lockout policy in a single domain, and apply those policies to different sets of users, by using the fine-grained password policies feature.

Limitations of fine-grained password policies

  • Can only be applied to users and global security groups, which means they can not be applied to OUs.
  • Domain functional level must be Windows Server 2008
  • By default only Domain Admins can set fine-grained password policies on users and groups, but this ability can be delegated to other users

1. Create a PSO

Fine-grained password policies are defined by creating Password Settings Objects, and then applying those to users and groups. There are several methods to create PSOs. Here we will look at two of them.

Its important to keep in mind that a user can only have one effective password and account lockout policy. So if more than one PSO is applied to a user, either directly or through group membership, the precedence value of that PSO will determine whether it will be the winning PSO or not. The PSO with the lowest precedence will have higher rank, so the PSO with the lowest precedence will be the effective PSO for a user. An exception to this rule is that PSOs directly applied to users, always prevail over PSOs applied to groups (which are again obviously applied to users through group membership).

If no PSOs are applied to a user, the Default Domain Policy will be applied to that user.

1.1 Create a PSO using ADSI Edit

1.1.1 Click Start → Administrative Tools→ ADSI Edit
1.1.2 In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.
pso1

1.1.3 Since the Default naming context will connect you to the domain naming context of your domain, just click ok
pso2

1.1.4 Double-click Default naming context, then double click DC=contoso,DC=com (the name of your domain)
pso4

1.1.5 Double-click CN=System
pso5

1.1.6 Right-click CN=Password Settings Container, choose new – Object
pso6

1.1.7 Click Next
pso7

1.1.8 Give the PSO a name, then click Next. On each setting, the Description of the setting will pretty much explain what the setting is
pso8

1.1.9 Give the PSO a precedence, this value must be greater than 0
pso9

1.1.10 This setting must be either FALSE or TRUE (usually its obviously FALSE)
pso10

1.1.11 How many passwords will be remembered, value must be 0 through 1024
pso11

1.1.12 This setting must be either FALSE or TRUE
pso12

1.1.13 Value must be 0 through 1024
pso13

1.1.14 Value must be entered in d:hh:mm:ss format (that’s days:hours:minutes:seconds)
pso14

1.1.15 Value must be entered in d:hh:mm:ss format (that’s days:hours:minutes:seconds)
pso15

1.1.16 Value must be 0 through 65535
pso16

1.1.17 Value must be entered in d:hh:mm:ss format (that’s days:hours:minutes:seconds)
pso17

1.1.18 Value must be entered in d:hh:mm:ss format (that’s days:hours:minutes:seconds)
pso18

1.1.19 Click Finish, you can apply the PSO to a user or group by clicking More Attributes and then defining users and groups the PSO will apply to. But its much easier to apply it using AD Users and Computers
pso19

1.2 Create a PSO using PowerShell

1.2.1 First import the Active Directory Module
pso20

1.2.2 Then use the New-ADFineGrainedPasswordPolicy cmdlet, the following example creates a PSO named PSO2, with exactly the same settings as we defined in the PSO we created with ADSI Edit. The parameters for the cmdlet are pretty much self-explanatory.

New-ADFineGrainedPasswordPolicy -Name “PSO2” -Precedence 10 -ComplexityEnabled $true -Description “PSO
Number 2”-DisplayName “PSO2” -LockoutDuration “0.00:30:00” -LockoutObservationWindow “0.00:30:00” –
LockoutThreshold 3 -MaxPasswordAge “5.00:00:00” -MinPasswordAge “1.00:00:00” -MinPasswordLength 5 –
PasswordHistoryCount 7 -ReversibleEncryptionEnabled $false


2. Apply PSO to user or group

2.1 Apply PSO using AD Users and Computers

2.1.1 Open AD Users and Computers, click on view and choose Advanced Features, so you can view the System container
pso21

2.1.2 Expand the System container, and then click on the Password Settings Container, to view the PSOs we created earlier.
pso22

2.1.3 Right-click a PSO and choose properties
pso23
2.1.4 Click the Attribute Editor tab, and then choose the msDS-PSOAppliesTo attribute, then click Edit
pso24

2.1.5 Click Add Windows Account
pso25

2.1.6 Select the users and groups you want to apply the PSO to, then click OK. Here I am applying it to the Sales group
pso26

2.1.7 Click OK twice, and the PSO will be applied to the selected users and groups

2.2 Apply PSO using PowerShell

2.2.1 Import the Active Directory module
pso20

2.2.2 Use the Add-ADFineGrainedPasswordPolicySubject cmdlet to apply PSOs to users and groups. The following example will apply PSO2 to the Data and Managers groups

Add-ADFineGrainedPasswordPolicySubject PSO2 -Subjects Data,Managers


3. View a Resultant PSO for a user

Liked I explained earlier, a user can only have one effective password and account lockout policy, so if more than one PSO is applied to a user, the one with the lowest precedence number will be the effective
PSO for that user. Obviously if there are PSOs directly applied to a user, they will prevail regardless, over PSOs applied to a user through group membership.

3.1 Viewing the resultant PSO for a user in AD Users and Computers

Right-click the user, choose properties. In the properties of the user choose the Attribute Editor tab, then click filter, and make sure these four check boxes are selected
pso27

Now choose the msDS-ResultantPSO attribute, and you can view which PSO will be the effective PSO for that user.
pso28

3.2 Viweing the resultant PSO for a user in PowerShell

First the Active Directory module has to be imported (import-module activedirectory), then you can use the Get-ADUserResultantPasswordPolicy cmdlet, the following example gets the resultant PSO for the same user (rjones)

Get-ADUserResultantPasswordPolicy rjones

Additional Resoruces
Technet: AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
Technet: AD DS: Fine-Grained Password Policies

This entry was posted in Active Directory, Microsoft, Powershell, Windows Server, Windows Server 2008R2 and tagged , , , , . Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback.

Leave a Reply

Your email address will not be published. Required fields are marked *

Your email address will never be published.

Captcha * Time limit is exhausted. Please reload the CAPTCHA.