Fine Grained Password Policies GUI in Windows Server 2012 ADAC

Hello my name is Paulo Viralhadas and I'm a Premier Field Engineer at Microsoft.

Have you ever used Fine Grained Password Policies?

This feature introduced in Windows Server 2008 allows you to override password policy set at the domain level.

It applies password settings to subsets of users that you may like to differentiate from the domain policy.

In Windows Server 2012 we added a GUI (Graphical User Interface) so now you don't have to use ADSIedit, LDP or Powershell to create PSOs (Password Settings Objects).

Note that PSOs are not like GPOs:

1. They're not managed via GPMC.

2. They're not linked to OUs, Sites or Domains.

PSOs apply to User and Group objects (ie. ultimately apply to User Accounts)

As an example, with FGPP you can have a Domain password policy that defines a minimum password length of 8 characters which will be applied to all users in the domain.

Then have a PSO that sets 24 characters for all user accounts that are members of the "All Service Accounts".

I added the following video that walks you through the steps needed to implement this (once again I've kept it short and simple and no sound).

Anyway here's the high level steps you have to follow:

1. Using ADAC (Windows 8 or Server 2012) open the Password Settings container (under System container).

2. Add a New PSO (Password Settings Object).

3. Configure the desired PSO properties (Max password Age, Min Password Length, etc).

4. Assign the PSO to a user or group

Hope it helps!

Enjoy!

Comments

  • Anonymous
    January 01, 2003
    very helpful! thanks!
  • Anonymous
    March 27, 2014
    great! thanks!