Windows 2008 Fine Grained Password Policies

If you’re like me you’ve always heard how 2008 introduced fine grained password policies (i.e the ability to have more than one password policy on the domain), but never actually had a need to do it. Typical needs for it would be if your admin accounts need more restrictive policies than your non-admin accounts. Which we should all really be doing!

Well now you’ve started looking into them and you’ve realized there’s no easy/great way to implement them in the GUI. You either need to do it directly in ADSIEdit or via Powershell. Both have their benefits, although Powershell is easier. Powershell also has some weird restrictions on what you can set from the command, so you have to go back and edit it after.

PSO’s (password policies) are also a little weird in that they don’t apply directly to OU’s, which is probably how you want to apply them. They only apply to user objects or to Global Groups. I’ll cover in another article how to auto-populate a group based on OU.

    1. Create a global group called whatever you want. For my example I used G_FineGrained_Elev.
    2. Because I want this to apply to the builtin Domain Admins accounts plus any other OU’s I happen to specify I also create other Global Groups specific to each OU I want (i.e. G_FG_Admins or whatever). Then I populate my 1st group with Domain Admins and this new group.
    3. Open Powershell
import-module ActiveDirectory
New-ADFineGrainedPasswordPolicy -name "Elev_PSO" -Precedence 200 -Description "The Elevated Accounts Password Policy" -DisplayName "Elevated Accounts PSO" -ComplexityEnabled $True -lockoutduration "0.00:30:00" -lockoutobservationwindow "0.00:30:00" -lockoutthreshold 3 -minpasswordage "7.00:00:00" -passwordhistorycount 4 -reversibleencryptionenabled $false -maxpasswordage "60.00:00:00" -minpasswordlength 15
Add-ADFineGrainedPasswordPolicySubject Elev_PSO -subjects 'G_FineGrained_Elev'

And that’s pretty much it.

  • -Precedence = you can define an order of application for PSO’s if a user gets more than 1. Lowest precedence wins
  • -ComplexityEnabled $True or $False = You want it complex, don’t you?
  • -lockoutduration “0.00:30:00” = How long to stay locked out. In the format of Day/Hour/Minute
  • -lockoutthreshold = How many attempts before locking it out
  • -minpasswordlength = the whole reason you’re doing this
  • -maxpasswordage = I’m calling this out on the odd chance you want to set the passwords to never expire. Not a good idea but there may be cause to do this. You need to set it to a value of (Never) and it can be edited in ADSIEdit or in the attribute editor on the PSO object.

To view your PSO after creation, open ADUC and click on View –> Advanced Features. Browse the System container and open the Password Settings Container. You can then open and edit the attributes on your objects.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s