In this guide, I will show you two methods for creating fine-grained password policies.
The first method uses the Active Directory Administrative Center (GUI); the second uses PowerShell.
In addition, I’ll show you how to quickly check which password policies exist in your domain and which one actually applies to a given user.
Here is the problem…
Out of the box, Active Directory has a single domain password policy that applies to every user account in the domain. That policy is defined in the Default Domain Policy GPO.
There are times when you need a group of users to have a different password policy. For example, you might want to have your privileged accounts (domain admins) have a much stronger password than regular user accounts.
With fine grained password policies, you can easily target specific users or groups and assign them a separate password policy.
Method 1: Create Fine Grained Password Policies Using ADAC
Step 1: Install Remote Server Administration Tools (RSAT)
You may already have this installed; if not, you will need it for both methods, because RSAT provides both the ADAC console and the ActiveDirectory PowerShell module.
If you need install steps then check out my guide -> Install RSAT on Windows 10.
Step 2: Open Active Directory Administrative Center
Step 3: Create a Policy
Follow these steps to create a new policy
1. In ADAC click on your domain. (Mine is ad (local)).
2. Click on the System folder
3. Click the Password Settings Container
4. Click New in the Tasks pane on the right
You should now be at the Create Password Settings screen.
Now you can configure the policy settings and apply it to a user or group.
In this example, I want to set a stronger password for my server administrators.
I gave the policy the name “Server-Admin-PW-Policy” and a precedence of 1. When a user falls under more than one fine-grained policy, the one with the lowest precedence value wins, so give your strictest policies the lowest numbers.
Then I changed the minimum password length to 15.
Now it just needs to be applied to a user or group.
Click on add
Select the users or group the policy should apply to. Only user objects and global security groups can be subjects of a fine-grained password policy. In this example, I’m assigning it to a group called “Server-Admins”.
Click OK on the Create Password Settings screen.
Done. You have completed creating a fine grained password policy.
Method 2: Create Fine Grained Password Policies Using PowerShell
The cmdlet New-ADFineGrainedPasswordPolicy is used to create new Active Directory fine grained password policies.
In this example, I only change the minimum password length, give the policy a name, and assign it precedence 1.
New-ADFineGrainedPasswordPolicy -Name "Server-Admins-Policy" -Precedence 1 -MinPasswordLength 15
Now that the policy is created, it needs to be assigned to users or a group.
Add-ADFineGrainedPasswordPolicySubject -Identity "Server-Admins-Policy" -Subjects "server-admins"
-Identity is the name of the policy and -Subjects is the name of the group or user (or a comma-separated list of them) you want the policy assigned to.
Add-ADFineGrainedPasswordPolicySubject – Complete command syntax
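The two commands above are the minimum. Below is an added example (not code from the original post) that scripts the same procedure as both Method 1 and Method 2 with the checks you would want before running it in production: domain functional level, subject type, precedence collisions, and idempotency. It assumes the RSAT ActiveDirectory module, a global security group named "Server-Admins", and an account with rights to write to the Password Settings Container; the policy values themselves are illustrative choices.

```powershell
# Added example, not from the original post. Creates and assigns a fine-grained
# password policy for a privileged group with sanity checks. The group name,
# policy name, precedence and password settings below are assumptions.
Import-Module ActiveDirectory

$policyName = "Server-Admins-Policy"
$groupName  = "Server-Admins"
$precedence = 10   # lowest precedence wins when a user matches several policies

# Fine-grained password policies require a domain functional level of
# Windows Server 2008 or later; on older levels the PSO is silently ignored.
$domain = Get-ADDomain
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$minMode) {
    throw "Domain functional level is $($domain.DomainMode); FGPP needs Windows2008Domain or higher."
}

# Only user objects and global security groups are valid subjects. A domain local
# or distribution group will be accepted by the cmdlet but will not apply.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupCategory -ne 'Security' -or $group.GroupScope -ne 'Global') {
    throw "$groupName is $($group.GroupScope)/$($group.GroupCategory); FGPP subjects must be global security groups."
}

# Refuse to create a policy whose precedence collides with an existing one;
# ties are resolved by object GUID, which is not something you want to rely on.
$clash = Get-ADFineGrainedPasswordPolicy -Filter "Precedence -eq $precedence"
if ($clash) {
    throw "Precedence $precedence is already used by policy '$($clash.Name)'."
}

# Create the policy only if it does not already exist, so the script can be re-run.
$existing = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'"
if (-not $existing) {
    New-ADFineGrainedPasswordPolicy -Name $policyName `
        -Precedence $precedence `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true `
        -Description "Stronger password settings for server administrators"
}

# Apply the policy to the group (adding an existing subject is harmless).
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# Verify what was written: the group should now be listed under AppliesTo.
Get-ADFineGrainedPasswordPolicy -Identity $policyName |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                  LockoutThreshold, AppliesTo
```

Note that the lockout observation window must not exceed the lockout duration and the minimum password age must be shorter than the maximum, or the cmdlet will reject the policy. Nested membership counts: users in a group that is itself a member of Server-Admins also receive the policy.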
View Domain and Fine Grained Password Policies
The easiest way to view the password policies is by using PowerShell.
Get the domain password policy
Get fine grained password policies
Get-ADFineGrainedPasswordPolicy -filter *
Get the resultant password policy for a user
Use this command if you have multiple fine-grained password policies defined. It shows you which one is actually being applied to the user; if it returns nothing, no fine-grained policy applies and the Default Domain Policy governs the account.
Get-ADUserResultantPasswordPolicy -Identity UserName
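Checking users one at a time does not scale, and the cmdlet returns nothing for a user covered only by the domain policy, which is easy to misread. The added example below (not code from the original post) reports the default domain policy, lists every fine-grained policy in precedence order, and then resolves the effective policy for each member of a privileged group, flagging anyone who is not actually getting the stronger minimum length. It assumes the RSAT ActiveDirectory module, a group named "Server-Admins", and the 15-character minimum used earlier in the guide.

```powershell
# Added example, not from the original post. Audits which password policy
# governs each member of a privileged group. Group name and the 15-character
# requirement are assumptions taken from the examples in this guide.
Import-Module ActiveDirectory

$groupName         = "Server-Admins"
$requiredMinLength = 15

# Get the domain password policy (what applies when no FGPP matches).
$default = Get-ADDefaultDomainPasswordPolicy
"Default domain policy: MinPasswordLength=$($default.MinPasswordLength) " +
"ComplexityEnabled=$($default.ComplexityEnabled) LockoutThreshold=$($default.LockoutThreshold)"

# Get all fine-grained policies, lowest precedence (highest priority) first.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Format-Table Name, Precedence, MinPasswordLength, ComplexityEnabled,
                 LockoutThreshold, AppliesTo -AutoSize

# Resolve the resultant policy for every user in the group, including users
# reached through nested groups, since FGPP applies to them as well.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $user = Get-ADUser -Identity $_.distinguishedName
        $rsop = Get-ADUserResultantPasswordPolicy -Identity $user

        # Null means no FGPP applies; fall back to the default domain policy
        # so the report shows the real effective settings rather than a blank.
        $effective = if ($rsop) { $rsop } else { $default }
        $policyLabel = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }

        [pscustomobject]@{
            User            = $user.SamAccountName
            EffectivePolicy = $policyLabel
            MinLength       = $effective.MinPasswordLength
            Complexity      = $effective.ComplexityEnabled
            LockoutAfter    = $effective.LockoutThreshold
            Compliant       = ($effective.MinPasswordLength -ge $requiredMinLength)
        }
    } |
    Sort-Object Compliant, User |
    Format-Table -AutoSize
```

Any row with Compliant set to False is an account that is in the privileged group but is not receiving the stronger policy, typically because a competing policy with a lower precedence value also applies to the user, or because the policy was assigned to a non-global group.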
Prior to Windows Server 2008, managing multiple password policies was very difficult, since a domain could only have one. Fine-grained password policies, which require a domain functional level of Windows Server 2008 or later, let you easily create custom password policies for specific users or groups. This helps you stay in compliance with industry regulations (PCI, HIPAA, SOX, etc.) or enforce stronger passwords for a subset of users, such as anyone with privileged rights.