Everything you need to know about fine-grained password policies

What you will learn from this article:

Prior to Windows Server 2008, only one password policy and one account lockout policy, both defined in the Default Domain Policy, could be applied to all users in a domain. To help organizations apply different password and account lockout settings to different sets of users within the same domain, Windows Server 2008 introduced fine-grained password policies (FGPP). In this article, we shall briefly discuss account policies, and then move on to see what fine-grained password policies are, their scope, the difference between FGPP and the default domain policy, and finally, how to create, modify, and delete FGPP.

Account policies

Before diving into what fine-grained password policies are, we must understand what account policies are. Account policies are a set of security policies that control how users are authenticated and when an account is locked out. Account policies are classified into two sections:

  • Password policies
  • Account lockout policies

Password policies

Password policies are a set of account policies that define what a user account’s password requirements are. There are 6 password policies, and they define the following conditions:

  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Password must meet complexity requirements
  • Store passwords using reversible encryption

You can learn more in detail about password policies here.

Account lockout policies

Account lockout policies are a set of account policies that define when and for how long a user account should be locked if an attempt has been made to brute force their password. There are 3 account lockout policies, and they define the following conditions:

  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout counter after

You can learn more about account lockout policies here.

What is a fine-grained password policy?

The main drawback of the default domain policy is that it applies to all the users within the domain. To allow administrators to enforce different policies for different sets of users, Microsoft introduced a new functionality called fine-grained password policies (FGPP) in Windows Server 2008. These policies are stored in what are called password settings objects (PSOs). FGPP derives from account policies, which means it covers not only password policies but also account lockout policies.

Fine-grained password policy vs default domain policies

With the introduction of FGPP in Windows Server 2008, AD now has two methods of implementing password policies.

The first method is using the default domain policy. These policies are implemented using Group Policy objects (GPOs). When password policies are configured through this method, there can be only one set of password policy settings for the entire domain. If you want another set of password policy settings for a specific group of users, you would need to create a separate domain.

The second method is using AD’s fine-grained password policies. Instead of using GPOs, FGPP uses PSOs to implement password policy settings. The key differentiating factor is that multiple password policies can be set inside a single domain using FGPP.

Scope of FGPP

In FGPP, a PSO can be linked to users or groups that are inside the same domain as the PSO. One PSO can be linked to multiple users or groups, thanks to an attribute called msDS-PSOAppliesTo. Each value of this attribute is a forward link that points to exactly one object; because the attribute is multi-valued, each value links to a different object, and so one PSO can apply to multiple users and groups.

How to create a fine-grained password policy

To implement fine-grained password policies in your domain, you need to first set the domain functional level to Windows Server 2008 or higher. You can learn more about domain functional levels and how to raise them in this article. Once your domain functional level has been raised, you can start creating FGPPs.

To configure fine-grained password policies, you would need to access the Active Directory Administrative Center (ADAC). ADAC is a tool built on top of PowerShell. You can open ADAC as follows:

  • Go to Start, and search for PowerShell.
  • Right click on the PowerShell icon and click Run as Administrator.
  • In the PowerShell window that opens, type dsac.exe and hit Enter.

Now, let’s see how you can create a new PSO.

  • In the ADAC UI, you will find the Active Directory tree towards the left. Click the System container.
  • Navigate to the Password Settings container, click on it, and then click New in the Tasks pane. You will be greeted with a Create Password Settings window.
  • In the window, enter a name and precedence for the PSO, define all the password settings, and, if you enable them, define the account lockout settings as well.
  • Once you have defined the password policies, under the Directly Applies To pane, choose the users or groups that you want to link to this PSO.
  • Once you have defined the policies and assigned the users or groups, click OK.

You now have successfully created a fine-grained password policy that applies only to a select few users or groups in the domain.
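The same creation and linking steps, and a look at the msDS-PSOAppliesTo attribute described under Scope of FGPP, can be done from PowerShell with the ActiveDirectory module. This is an added example, not from the original article; the group Tier0-Admins, the user alice, and the PSO name are assumed.

```powershell
# Added example (not part of the original article). Assumed names:
# group 'Tier0-Admins', user 'alice', PSO 'PSO-Tier0-Admins'.
Import-Module ActiveDirectory

# FGPP requires a domain functional level of Windows Server 2008 or higher.
# Expect 'Windows2008Domain' or a newer mode here before continuing.
Get-ADDomain | Select-Object DNSRoot, DomainMode

# Stricter policy for privileged accounts. Precedence matters when several
# PSOs apply to one user: the PSO with the LOWEST precedence value wins.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:15:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true -PassThru

# Link the PSO to a group. This writes one value into the multi-valued
# forward-link attribute msDS-PSOAppliesTo on the PSO.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'Tier0-Admins'

# Inspect the scope: each DN in msDS-PSOAppliesTo is one object the PSO is linked to.
Get-ADFineGrainedPasswordPolicy -Identity $pso -Properties 'msDS-PSOAppliesTo' |
    Select-Object Name, Precedence, @{ n = 'AppliesTo'; e = { $_.'msDS-PSOAppliesTo' } }

# Compare the domain-wide baseline (GPO-based) with the policy that actually
# applies to one user. Get-ADUserResultantPasswordPolicy returns $null when no
# PSO applies, meaning the default domain policy is in effect for that user.
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, LockoutThreshold
$effective = Get-ADUserResultantPasswordPolicy -Identity 'alice'
if ($null -eq $effective) {
    'alice is governed by the default domain policy'
} else {
    $effective | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
}
```

Run this from an elevated session on a domain-joined machine with the RSAT ActiveDirectory module installed; the ADAC GUI and these cmdlets edit the same PSO objects under CN=Password Settings Container,CN=System.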

How to edit a fine-grained password policy

Editing the FGPP is a straightforward process. Here’s how you can do it:

  • Go to Start, and search for PowerShell.
  • Right click on the PowerShell icon and click Run as Administrator.
  • In the PowerShell window that opens, type dsac.exe and hit Enter.
  • In the ADAC UI, you will find the Active Directory tree towards the left. Click the System container.
  • Navigate to the Password Settings container, and then click on it.
  • You will be able to see the PSOs that you have already created. Click on the PSO that you want to edit, and in the Tasks pane, click Properties.

In the properties panel, you will be able to view and edit the password and account lockout policies that you had defined earlier.

How to delete a fine-grained password policy

To delete a PSO, you will have to navigate to the password settings container again.

Reaching the PSO follows the same steps as for editing. Here’s how you can do it:

  • Go to Start, and search for PowerShell.
  • Right click on the PowerShell icon and click Run as Administrator.
  • In the PowerShell window that opens, type dsac.exe and hit Enter.
  • In the ADAC UI, you will find the Active Directory tree towards the left. Click the System container.
  • Navigate to the Password Settings container, and then click on it.
  • You will be able to see the PSOs that you have already created. Click on the PSO that you want to delete, and in the Tasks pane, click Properties.

In the properties window, if the Protect from accidental deletion option is checked, uncheck it. Once this is done, you will be able to delete the PSO. Go back to the password settings container and click the PSO you want to delete. Then, in the Tasks pane, you can click Delete, and then click OK in the confirmation box that pops up.
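The edit and delete steps above, including the accidental-deletion protection that must be cleared first, as an added PowerShell example that is not part of the original article. The PSO name PSO-Tier0-Admins and the user alice are assumed.

```powershell
# Added example (not part of the original article). Assumed names:
# PSO 'PSO-Tier0-Admins', user 'alice'.
Import-Module ActiveDirectory
$name = 'PSO-Tier0-Admins'

# Edit: the same settings shown in the ADAC properties panel can be changed here.
Set-ADFineGrainedPasswordPolicy -Identity $name -LockoutThreshold 3 -MinPasswordLength 24
Get-ADFineGrainedPasswordPolicy -Identity $name |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Before deleting, review which users and groups the PSO still applies to,
# since they will silently fall back to the default domain policy afterwards.
Get-ADFineGrainedPasswordPolicySubject -Identity $name | Select-Object Name, ObjectClass

# Delete: a PSO marked 'Protect from accidental deletion' cannot be removed,
# so clear that flag first (the PowerShell equivalent of unchecking the box).
Set-ADFineGrainedPasswordPolicy -Identity $name -ProtectedFromAccidentalDeletion $false
Remove-ADFineGrainedPasswordPolicy -Identity $name -Confirm:$false

# Verify the fallback: a $null resultant policy means the default domain policy now applies.
if ($null -eq (Get-ADUserResultantPasswordPolicy -Identity 'alice')) {
    'alice is now governed by the default domain policy'
}
```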
