In Active Directory, there can be only one Password Policy and Account-Lockout Policy per domain. Situations may arise in which setting different account policies for different types of users will be required. For example, employees in the finance department may need a stronger password policy and account lockout policy than employees in the production department. Similarly, the manager of a department may need a different account policy than his/her subordinates.
With the release of Windows Server 2008 Operating System, Active Directory gained one major feature that was missing in the previous versions. Fine-Grained Password Policy (FGPP), which gives AD the ability to set different password policy and account lockout policy for different set of users in a domain was introduced.
FGPP can be created using the Active Directory Services Interface Editor (ADSI Edit). The following steps describe how to create a FGPP:
- Open ADSI Edit tool, Start Menu → Administrative Tools → ADSI Edit
- In the Menu Bar on the ADSI Edit console, select Action → Connect to
- In the Connection Settings dialog box, select Default Naming Context as the connection point and Default Domain as the computer and click OK
- Now, double-click the Default Naming Context and then double-click DC=domainame,DC=com
- Double-click CN=System → CN=Password Settings Container
- Right-click CN=Password Settings Container and select New → Object
- In the Create Object dialog box, under select a class, choose msDS-PasswordSettings and click Next
- Enter the values for all the attributes in the correct syntax and continue with the wizard
- After entering appropriate values for each attribute, the Create Object wizard will show the Finish page
- In the Finish page, click More Attributes. Choose Both from the Select which properties to view drop down list and choose msDS-PSOAppliesTo from the Select a property to view drop down list
- Under the Attribute Values section, enter the distinguishedName of the user or group to which the FGPP will be applied and click Add. Multiple values can be added.
- Once all the users and groups are added, click OK and then click Finish to close the wizard
FGPP can be applied only to user objects and global security groups. FGPP cannot be applied directly to an OU. However, by creating a shadow group, FGPP can be applied to all users and groups in an OU. A shadow group is a global security group that is logically mapped to an OU to enforce the FGPP. By adding all the users in the OU as members of the shadow group, the FGPP applied to the shadow group will be enforced on the users as well. Use the below command to create and map a shadow group to an OU:
dsquery user “OU=TestOU,DC=domain1,DC=com” | dsmod group “CN=shadowgroup,OU=TestOU,DC=domain1,DC=com” –chmbr
When new users are added to the OU, run the above command to automatically add the new users as members of the shadow group and apply FGPP.
By default, only members of the Domain Admins group can create and set FGPP to a user or group.
The FGPP applied directly to a user takes precedence over the FGPP applied to the group in which the user is a member. Also, if more than one FGPP is applied to a user, then the FGPP with the lowest msDS-PasswordSettingsPrecedence will be applied. If two FGPPs with the same msDS-PasswordSettingsPrecedence are applied to a user, then the FGPP with the smallest GUID (Globally Unique Identifier) will be applied to the user.
To determine which FGPP is applied to a user, an attribute called msDS-ResultantPSO can be used. It holds the distinguishedName of the FGPP applied to the user. The msDS-ResultantPSO can be viewed through the Attribute Editor tab of the user properties in ADUC.