Revision #15


In Windows 2003 you can’t assign more than one password policy, and that policy is applied at the domain level, but in Windows 2008 (all versions) you can assign more than one password policy. This is called “Fine-Grained Password Policy” in AD DS.

Note: You can’t apply a Fine-Grained Password Policy at the OU level; you can only assign it to users and global security groups.

You can create the Fine-Grained Password Policy with ADSIEDIT.MSC.

Sample settings of an FGPP:

Expanding base 'CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com'...
Getting 1 entries:
Dn: CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com
cn: biztest;
distinguishedName: CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com;
dSCorePropagationData: 0x0 = (  );
instanceType: 0x4 = ( WRITE );
msDS-LockoutDuration: 0:00:30:00;
msDS-LockoutObservationWindow: 0:00:30:00;
msDS-LockoutThreshold: 10;
msDS-MaximumPasswordAge: 14:00:00:00;
msDS-MinimumPasswordAge: 1:00:00:00;
msDS-MinimumPasswordLength: 12;
msDS-PasswordComplexityEnabled: TRUE;
msDS-PasswordHistoryLength: 14;
msDS-PasswordReversibleEncryptionEnabled: FALSE;
msDS-PasswordSettingsPrecedence: 1;
msDS-PSOAppliesTo: CN=nor,CN=Users,DC=gs,DC=com;
name: biztest;
objectCategory: CN=ms-DS-Password-Settings,CN=Schema,CN=Configuration,DC=gs,DC=com;
objectClass (2): top; msDS-PasswordSettings;
objectGUID: a542fe42-f9d8-44a2-9f2b-905a3dc83f48;
uSNChanged: 32931;
uSNCreated: 32927;
whenChanged: 12/7/2012 6:35:56 PM India Standard Time;
whenCreated: 12/7/2012 6:30:30 PM India Standard Time;

How to Manage Active Directory Password Policies in Windows Server 2008/R2

See the link below for creating a Fine-Grained Password Policy.

Apply PSOs to Users and Global Security Groups

For more details, see the below links. 

To test whether the policy has been applied, run the command below:
dsget user <user DN> -effectivepso
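
The same PSO can also be created, linked and verified from PowerShell. This is an added example, not part of the original page; it assumes the ActiveDirectory module is available (Windows Server 2008 R2 or later, or RSAT) and reuses the name, user DN and values from the sample dump above.

```powershell
# Added example: recreate the sample PSO, link it to the user, verify it is effective.
# Assumption: ActiveDirectory module is installed and the caller may create PSOs.
Import-Module ActiveDirectory

$psoName = 'biztest'                        # cn from the sample dump
$userDn  = 'CN=nor,CN=Users,DC=gs,DC=com'   # msDS-PSOAppliesTo from the sample dump

# Values copied from the msDS-* attributes in the sample dump.
$settings = @{
    Name                        = $psoName
    Precedence                  = 1
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 12
    PasswordHistoryCount        = 14
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 14)
    LockoutThreshold            = 10
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
}

# Create the PSO only if it is missing, so the script can be re-run safely.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @settings
}

# Link the PSO to the user unless the link already exists.
$subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    ForEach-Object { $_.DistinguishedName })
if ($subjects -notcontains $userDn) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $userDn
}

# Equivalent of "dsget user <user DN> -effectivepso": returns nothing when no PSO
# applies and the user falls back to the domain password policy.
$effective = Get-ADUserResultantPasswordPolicy -Identity $userDn
if ($effective -and $effective.Name -eq $psoName) {
    Write-Output "OK: '$psoName' is the effective PSO for $userDn"
} else {
    Write-Warning "Effective PSO for $userDn is '$($effective.Name)', expected '$psoName'"
}

# Review every PSO in the domain, lowest precedence value first.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, ReversibleEncryptionEnabled, AppliesTo
```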
