Before Windows Server 2008, organizations had to rely on third-party products to define different password and account lockout policies for different sets of users in a domain. In Server 2000 and 2003, there could be only one password and account lockout policy in a domain, and it was specified in the Default Domain Policy, unless third-party products were utilized. In Windows Server 2008 and newer, organizations can define more than one password and account lockout policy in a single domain, and apply those policies to different sets of users, by using the fine-grained password policies feature.
Limitations of fine-grained password policies
- Can only be applied to users and global security groups, which means they can not be applied to OUs.
- Domain functional level must be Windows Server 2008
- By default only Domain Admins can set fine-grained password policies on users and groups, but this ability can be delegated to other users
1. Create a PSO
Fine-grained password policies are defined by creating Password Settings Objects, and then applying those to users and groups. There are several methods to create PSOs. Here we will look at two of them.
Its important to keep in mind that a user can only have one effective password and account lockout policy. So if more than one PSO is applied to a user, either directly or through group membership, the precedence value of that PSO will determine whether it will be the winning PSO or not. The PSO with the lowest precedence will have higher rank, so the PSO with the lowest precedence will be the effective PSO for a user. An exception to this rule is that PSOs directly applied to users, always prevail over PSOs applied to groups (which are again obviously applied to users through group membership).
If no PSOs are applied to a user, the Default Domain Policy will be applied to that user.
1.1 Create a PSO using ADSI Edit
1.1.1 Click Start → Administrative Tools→ ADSI Edit
1.1.2 In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.
1.1.3 Since the Default naming context will connect you to the domain naming context of your domain, just click ok
1.1.4 Double-click Default naming context, then double click DC=contoso,DC=com (the name of your domain)
1.1.5 Double-click CN=System
1.1.6 Right-click CN=Password Settings Container, choose new – Object
1.1.7 Click Next
1.1.8 Give the PSO a name, then click Next. On each setting, the Description of the setting will pretty much explain what the setting is
1.1.9 Give the PSO a precedence, this value must be greater than 0
1.1.10 This setting must be either FALSE or TRUE (usually its obviously FALSE)
1.1.11 How many passwords will be remembered, value must be 0 through 1024
1.1.12 This setting must be either FALSE or TRUE
1.1.13 Value must be 0 through 1024
1.1.14 Value must be entered in d:hh:mm:ss format (that’s days:hours:minutes:seconds)
1.1.15 Value must be entered in d:hh:mm:ss format (that’s days:hours:minutes:seconds)
1.1.16 Value must be 0 through 65535
1.1.17 Value must be entered in d:hh:mm:ss format (that’s days:hours:minutes:seconds)
1.1.18 Value must be entered in d:hh:mm:ss format (that’s days:hours:minutes:seconds)
1.1.19 Click Finish, you can apply the PSO to a user or group by clicking More Attributes and then defining users and groups the PSO will apply to. But its much easier to apply it using AD Users and Computers
1.2 Create a PSO using PowerShell
1.2.1 First import the Active Directory Module
1.2.2 Then use the New-ADFineGrainedPasswordPolicy cmdlet, the following example creates a PSO named PSO2, with exactly the same settings as we defined in the PSO we created with ADSI Edit. The parameters for the cmdlet are pretty much self-explanatory.
New-ADFineGrainedPasswordPolicy -Name “PSO2” -Precedence 10 -ComplexityEnabled $true -Description “PSO
Number 2”-DisplayName “PSO2” -LockoutDuration “0.00:30:00” -LockoutObservationWindow “0.00:30:00” –
LockoutThreshold 3 -MaxPasswordAge “5.00:00:00” -MinPasswordAge “1.00:00:00” -MinPasswordLength 5 –
PasswordHistoryCount 7 -ReversibleEncryptionEnabled $false
2. Apply PSO to user or group
2.1 Apply PSO using AD Users and Computers
2.1.1 Open AD Users and Computers, click on view and choose Advanced Features, so you can view the System container
2.1.2 Expand the System container, and then click on the Password Settings Container, to view the PSOs we created earlier.
2.1.3 Right-click a PSO and choose properties
2.1.4 Click the Attribute Editor tab, and then choose the msDS-PSOAppliesTo attribute, then click Edit
2.1.5 Click Add Windows Account
2.1.6 Select the users and groups you want to apply the PSO to, then click OK. Here I am applying it to the Sales group
2.1.7 Click OK twice, and the PSO will be applied to the selected users and groups
2.2 Apply PSO using PowerShell
2.2.1 Import the Active Directory module
2.2.2 Use the Add-ADFineGrainedPasswordPolicySubject cmdlet to apply PSOs to users and groups. The following example will apply PSO2 to the Data and Managers groups
Add-ADFineGrainedPasswordPolicySubject PSO2 -Subjects Data,Managers
3. View a Resultant PSO for a user
Liked I explained earlier, a user can only have one effective password and account lockout policy, so if more than one PSO is applied to a user, the one with the lowest precedence number will be the effective
PSO for that user. Obviously if there are PSOs directly applied to a user, they will prevail regardless, over PSOs applied to a user through group membership.
3.1 Viewing the resultant PSO for a user in AD Users and Computers
Right-click the user, choose properties. In the properties of the user choose the Attribute Editor tab, then click filter, and make sure these four check boxes are selected
Now choose the msDS-ResultantPSO attribute, and you can view which PSO will be the effective PSO for that user.
3.2 Viweing the resultant PSO for a user in PowerShell
First the Active Directory module has to be imported (import-module activedirectory), then you can use the Get-ADUserResultantPasswordPolicy cmdlet, the following example gets the resultant PSO for the same user (rjones)