In this guide, you will learn how to create a fine grained password policy in Active Directory.
I’ll show you two methods.
The first method will use the Active Directory Administrative Center Console (GUI) and the second will be using PowerShell.
In addition, I’ll show you how to quickly check what password policies you have in your domain.
What is the purpose of Fine Grained Password Policy?
Active Directory is configured with a single password policy that is applied to all user accounts; this policy is defined in the Default Domain Policy.
There are times when you need a group of users to have a different password policy. For example, you might want to have your privileged accounts (domain admins) have a much stronger password than regular user accounts.
With fine grained password policies, you can easily target specific users or groups and assign them a separate password policy.
Method 1: Create Fine Grained Password Policy Using ADAC
Step 1: Install Remote Server Administrator Tools (RSAT)
You may already have this installed; if not, you will need it, because both the ADAC console and the PowerShell cmdlets depend on it.
If you need install steps, check out my guide -> Install RSAT on Windows 10.
Step 2: Open Active Directory Administrative Center
Step 3: Create a Policy
Follow these steps to create a new policy.
1. In ADAC click on your domain.
2. Click on the System folder.
3. Click the Password Settings Container.
Click on the password settings container then New -> Password Settings
You should now be at the Create Password Settings screen.
Now you can configure the policy settings and apply it to a user or group. You have the same password policy settings as you do in the default domain policy.
In this example, I want to set a stronger password for my server administrators.
I named my password policy “Server-Admin-PW-Policy” and gave it a precedence of 1.
Then I changed the minimum password length to 15 and set the account lockout policy.
Now it just needs to be applied to a user or group.
Click on add.
Select users or group. In this example, I’m assigning this to a group called “Server-Admins”.
Click OK on the Create Password Settings screen.
Done. You have completed creating a fine grained password policy.
Method 2: Create Fine Grained Password Policy Using PowerShell
The cmdlet New-ADFineGrainedPasswordPolicy is used to create new Active Directory fine grained password policies.
In this example, I only changed the minimum password length, gave the policy a name, and assigned it precedence 1.
New-ADFineGrainedPasswordPolicy -name "Server-Admins-Policy" -Precedence 1 -MinPasswordLength 15
Now that the policy is created, it needs to be assigned to users or a group.
Add-ADFineGrainedPasswordPolicySubject -Identity "Server-Admins-Policy" -Subjects "server-admins"
-Identity is the name of the policy and -Subjects is the name of the group or user you want the policy assigned to.
New-ADFineGrainedPasswordPolicy – Complete command syntax
Add-ADFineGrainedPasswordPolicySubject – Complete command syntax
How to View Fine Grained Password Policies
It is pretty strange that you can create the password policy in the console but it provides no way to view the policies. (If there is a way please post it in the comments below).
No problem; we can use PowerShell to view all domain password policies.
Check Fine Grained Password Policies
Get-ADFineGrainedPasswordPolicy -filter *
The above command will display all domain fine grained password policies.
Get the Resultant Password Policy for a User
Get-ADUserResultantPasswordPolicy -Identity UserName
Use this command if you have multiple fine grained password policies defined. It will show you which one is being applied to the user.
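To tie Method 2 and the verification cmdlets together, here is an added PowerShell script (not from the original post) that creates the policy with a fuller set of settings, assigns it to the group, and then reports the resultant policy for every member of that group so you can confirm the precedence did what you expect. It assumes the ActiveDirectory RSAT module is installed and that the group Server-Admins already exists; the lockout and password-age values are chosen here for illustration.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and an existing group "Server-Admins"; setting values are illustrative.
Import-Module ActiveDirectory

$PolicyName = "Server-Admins-Policy"
$GroupName  = "Server-Admins"

# Create the policy only if it does not already exist, so the script can be re-run safely.
$policy = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'"
if (-not $policy) {
    $policy = New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 1 `
        -MinPasswordLength 15 -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true `
        -PassThru
}

# Assign the policy to the group (skipped if the group is already a subject).
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName
if ($subjects.SamAccountName -notcontains $GroupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
}

# Verify: show the default domain policy, then the policy each member actually gets.
# Get-ADUserResultantPasswordPolicy returns nothing when no fine grained policy applies,
# and returns a different policy's name if one with a lower precedence number wins.
$default = Get-ADDefaultDomainPasswordPolicy
"Default domain policy: MinPasswordLength={0} LockoutThreshold={1}" -f `
    $default.MinPasswordLength, $default.LockoutThreshold

Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $rsop = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User            = $_.SamAccountName
            EffectivePolicy = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }
            MinLength       = if ($rsop) { $rsop.MinPasswordLength } else { $default.MinPasswordLength }
            Precedence      = if ($rsop) { $rsop.Precedence } else { $null }
        }
    } | Format-Table -AutoSize
```

Any member whose EffectivePolicy is not Server-Admins-Policy is either covered by another policy with a lower precedence number or is not a user object, which is exactly what the resultant-policy check is for.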
Get the Default Domain Password Policy
Another option to view the fine grained password policies is by using the Active Directory Reporting Tool.
Click on Reports -> Security -> Fine grained password policy
Click run and you will see a list of all domain fine grained password policies.
You can see above that the tool is showing I have 3 fine grained password policies. The Active Directory Reporting Tool includes over 200 pre-built Active Directory reports.
Prior to Windows Server 2008, managing multiple password policies was very difficult. With fine grained password policies, you can easily create custom password policies for specific users or groups. This is beneficial so you can stay in compliance with industry regulations (PCI, HIPAA, SOX, etc.) or define stronger passwords for a subset of users, such as anyone who has privileged rights.