Resources For IT Professionals
Post an article
Wikis - Page Details
  • First published by (eMicrosoft Community Contributo)
  • When: 12 Sep 2011 11:46 PM
  • Last revision by (cMVP, Microsoft Community Contributo)
  • When: 13 Sep 2013 3:20 PM
  • Revisions: 25
  • Comments: 6
Options
RSSSubscribe to Article (RSS)
Can You Improve This Article?
Positively! Click Sign In to add the tip, solution, correction or comment that will help other users.

Report inappropriate content using these instructions.
Wiki  >  TechNet Articles  >  AD DS: Fine-Grained Password Policies

AD DS: Fine-Grained Password Policies

AD DS: Fine-Grained Password Policies

Table of Contents


You can’t assign more than one password policy In Windows 2003 which is applied at domain label but in windows 2008(All Version) you can assign more than one password policy. Which is called “Fine-Grained Password Policy” in ADDS..

Make a note : You can’t apply the Fine-Grained Password Policy on OU label, only you can assign that with user” and “Global Security group”. 

You can create the Fine-Grained Password Policy with ADSIEDIT.MSC.



One sample settings of a FGPP



Expanding base 'CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com'...
Getting 1 entries:
Dn: CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com
cn: biztest;
distinguishedName: CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com;
dSCorePropagationData: 0x0 = (  );
instanceType: 0x4 = ( WRITE );
msDS-LockoutDuration: 0:00:30:00;
msDS-LockoutObservationWindow: 0:00:30:00;
msDS-LockoutThreshold: 10;
msDS-MaximumPasswordAge: 14:00:00:00;
msDS-MinimumPasswordAge: 1:00:00:00;
msDS-MinimumPasswordLength: 12;
msDS-PasswordComplexityEnabled: TRUE;
msDS-PasswordHistoryLength: 14;
msDS-PasswordReversibleEncryptionEnabled: FALSE;
msDS-PasswordSettingsPrecedence: 1;
msDS-PSOAppliesTo: CN=nor,CN=Users,DC=gs,DC=com;
name: biztest;
objectCategory: CN=ms-DS-Password-Settings,CN=Schema,CN=Configuration,DC=gs,DC=com;
objectClass (2): top; msDS-PasswordSettings;
objectGUID: a542fe42-f9d8-44a2-9f2b-905a3dc83f48;
uSNChanged: 32931;
uSNCreated: 32927;
whenChanged: 12/7/2012 6:35:56 PM India Standard Time;
whenCreated: 12/7/2012 6:30:30 PM India Standard Time;

How to Manage Active Directory Password Policies in Windows Server 2008/R2


http://redmondmag.com/Articles/2011/08/01/Managing-Active-Directory-Password-Policies.aspx?Page=1

Find the below link for creating a Fine-Grained Password Policy

http://blog.thesysadmins.co.uk/active-directory-fine-grained-passwords-with-adsi-edit.html 
http://showmehowtodoit.com/2012/step-by-step-fine-grained-password-policy-in-windows-2008/

Apply PSOs to Users and Global Security Groups


http://technet.microsoft.com/en-us/library/cc731589(WS.10).aspx

For more details, see the below links.

http://blogs.technet.com/b/seanearp/archive/2007/10/06/windows-server-2008-fine-grained-password-policy-walkthrough.aspx

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx 

You can find the PSO setting with the dsquery command
C:\>dsquery * "CN=FirstFGPP,CN=Password Settings Container,CN=System,DC=contoso,DC=com" -scope base -attr *
We can test if the policy has been applied, run the below command
C:\>dsget user <user DN> -effectivepso

Fun and Games Active Directory Password Policies-Ask Premier Field Engineering (PFE) Platforms

http://blogs.technet.com/b/askpfeplat/archive/2013/01/14/fun-and-games-active-directory-password-policies.aspx

 


, , , , , , , , , , , [Edit tags]
Leave a Comment
  • Please add 1 and 2 and type the answer here:
  • Post
Wiki - Revision Comment List(Revision Comment)
Sort by: Published Date | Most Recent | Most Useful
Comments
  • 13 Sep 2013 3:20 PM

    Richard Mueller edited Revision 23. Comment: Fix TOC, replace RGB values with color names in HTML to restore colors

  • 13 Sep 2013 3:04 PM

    Richard Mueller edited Revision 22. Comment: Added tag, changed tag "Windows 2008 R2" to "Windows Server 2008 R2"

  • 14 Jan 2013 5:20 PM

    Ed Price - MSFT edited Revision 15. Comment: Space in title

  • 30 Nov 2012 4:02 AM

    Fernando Lugão Veltem edited Revision 8. Comment: removed (en-US) from the title

Page 1 of 1 (4 items)
Wikis - Comment List
Sort by: Published Date | Most Recent | Most Useful
Posting comments is temporarily disabled until 10:00am PST on Saturday, December 14th. Thank you for your patience.
Comments
  • Posted by
    on 13 Sep 2013 3:20 PM

    Richard Mueller edited Revision 23. Comment: Fix TOC, replace RGB values with color names in HTML to restore colors

  • Posted by
    on 13 Sep 2013 3:04 PM

    Richard Mueller edited Revision 22. Comment: Added tag, changed tag "Windows 2008 R2" to "Windows Server 2008 R2"

  • Posted by
    on 14 Jan 2013 5:20 PM

    Ed Price - MSFT edited Revision 15. Comment: Space in title

  • Posted by
    on 30 Nov 2012 4:02 AM

    Fernando Lugão Veltem edited Revision 8. Comment: removed (en-US) from the title

  • Posted by
    on 27 Nov 2012 1:41 AM

    Just learning that right now. :)

  • Posted by
    on 27 Nov 2012 12:47 AM

    great technet article thanks.

Page 1 of 1 (6 items)