Resources For IT Professionals
Page Details
  • First published by (eMicrosoft Community Contributo)
  • When: 12 Sep 2011 11:46 PM
  • Last revision by (cMVP, Microsoft Community Contributo)
  • When: 13 Sep 2013 3:20 PM
  • Revisions: 25
  • Comments: 6
Options

Revision #20

Wiki  >  TechNet Articles  >  AD DS: Fine-Grained Password Policies  >  Revision #20
AD DS: Fine-Grained Password Policies
You are currently reviewing an older revision of this page.
Go to current version

Table of Contents


You can’t assign more than one password policy In Windows 2003 which is applied at domain label but in windows 2008(All Version) you can assign more than one password policy. Which is called “Fine-Grained Password Policy” in ADDS..

Make a note : You can’t apply the Fine-Grained Password Policy on OU label, only you can assign that with user” and “Global Security group”. 

You can create the Fine-Grained Password Policy with ADSIEDIT.MSC.



One sample settings of a FGPP



Expanding base 'CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com'...
Getting 1 entries:
Dn: CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com
cn: biztest;
distinguishedName: CN=biztest,CN=Password Settings Container,CN=System,DC=gs,DC=com;
dSCorePropagationData: 0x0 = (  );
instanceType: 0x4 = ( WRITE );
msDS-LockoutDuration: 0:00:30:00;
msDS-LockoutObservationWindow: 0:00:30:00;
msDS-LockoutThreshold: 10;
msDS-MaximumPasswordAge: 14:00:00:00;
msDS-MinimumPasswordAge: 1:00:00:00;
msDS-MinimumPasswordLength: 12;
msDS-PasswordComplexityEnabled: TRUE;
msDS-PasswordHistoryLength: 14;
msDS-PasswordReversibleEncryptionEnabled: FALSE;
msDS-PasswordSettingsPrecedence: 1;
msDS-PSOAppliesTo: CN=nor,CN=Users,DC=gs,DC=com;
name: biztest;
objectCategory: CN=ms-DS-Password-Settings,CN=Schema,CN=Configuration,DC=gs,DC=com;
objectClass (2): top; msDS-PasswordSettings;
objectGUID: a542fe42-f9d8-44a2-9f2b-905a3dc83f48;
uSNChanged: 32931;
uSNCreated: 32927;
whenChanged: 12/7/2012 6:35:56 PM India Standard Time;
whenCreated: 12/7/2012 6:30:30 PM India Standard Time;

How to Manage Active Directory Password Policies in Windows Server 2008/R2


http://redmondmag.com/Articles/2011/08/01/Managing-Active-Directory-Password-Policies.aspx?Page=1

Find the below link for creating a Fine-Grained Password Policy

http://blog.thesysadmins.co.uk/active-directory-fine-grained-passwords-with-adsi-edit.html 
http://showmehowtodoit.com/2012/step-by-step-fine-grained-password-policy-in-windows-2008/

Apply PSOs to Users and Global Security Groups


http://technet.microsoft.com/en-us/library/cc731589(WS.10).aspx

For more details, see the below links.

http://blogs.technet.com/b/seanearp/archive/2007/10/06/windows-server-2008-fine-grained-password-policy-walkthrough.aspx

http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx 

We can test if the policy has been applied, run the below command

dsget user <user DN> -effectivepso

Fun and Games Active Directory Password Policies-Ask Premier Field Engineering (PFE) Platforms

http://blogs.technet.com/b/askpfeplat/archive/2013/01/14/fun-and-games-active-directory-password-policies.aspx

 


Revert to this revision