Active Directory Fine-Grained Password Policies

Post date: Apr 16, 2013 7:56:14 AM

Windows Server 2008 introduced Fine-Grained Password Policies (FGPP), which allow multiple password and account-lockout policies within a single domain. Before Server 2008 a domain could have exactly one, the one set in the Default Domain Policy, so different requirements for different groups of users (longer passwords for admin or service accounts, for example) meant a separate domain.

To use it you create a PSO (Password Settings Object) and link it to users or global security groups. PSOs cannot be applied to OUs, domain local groups or universal groups, so if the accounts you want to cover are not already in a global security group, create one first. There are 3rd party applications out there for this, but personally I find using ADSI Edit straightforward enough.

The domain functional level needs to be Windows Server 2008 or higher, which in turn means every domain controller in the domain must be running Server 2008 or later.

Let's get to it!

  • Administrative Tools -> ADSI Edit
  • Actions -> Connect to... and accept the Default naming context
  • DC=domain,DC=com
  • CN=System
  • CN=Password Settings Container
  • Right click -> New -> Object, and select the msDS-PasswordSettings class

You'll be presented with a set of attributes which are explained below (the LDAP attribute name is given in brackets so you can find it again in the Attribute Editor later).

Common-Name (cn) - Friendly name to identify the policy, for example ServiceAccountsPSO

Password Settings Precedence (msDS-PasswordSettingsPrecedence) - Think of a routing metric: if a user is covered by several PSOs through group membership, the one with the lowest precedence value wins. Two exceptions are worth knowing: a PSO linked directly to the user object beats any group-linked PSO regardless of precedence, and if two PSOs tie on precedence the one with the lowest GUID is used, which is effectively random, so give every PSO a distinct value. The value must be 1 or greater.

Password reversible encryption status (msDS-PasswordReversibleEncryptionEnabled) - true/false. Set this to FALSE. Reversible encryption stores a form of the password that anyone with read access to the directory database (or a backup of it) can turn back into the plaintext, and nothing in our example needs it.

Password History Length (msDS-PasswordHistoryLength) - How many previous passwords are remembered, i.e. how many new passwords a user has to set before being allowed to return to an old one

Password Complexity Status (msDS-PasswordComplexityEnabled) - true/false. Enforces the same complexity rules as the domain policy (a mix of character classes, and the password must not contain the account name)

Minimum Password Length (msDS-MinimumPasswordLength) - Minimum number of characters in the password

Minimum Password Age (msDS-MinimumPasswordAge) - Minimum time before a user can change their password again; this is what stops someone changing their password 24 times in a row to get back to the one they like. ADSI Edit takes durations as Days:Hours:Minutes:Seconds, so for 1 day you would use 1:00:00:00

Maximum Password Age (msDS-MaximumPasswordAge) - Maximum time a password can be used before it must be changed. Same Days:Hours:Minutes:Seconds format, so for 90 days you would use 90:00:00:00. It must be longer than the minimum age, and entering (never) means passwords under this PSO never expire

Lockout Threshold (msDS-LockoutThreshold) - How many bad passwords can be entered before the account is locked out. 0 means accounts covered by this PSO are never locked out

Observation Window (msDS-LockoutObservationWindow) - How long bad password attempts are counted for; the bad-password count resets to zero once this period has passed since the last failed attempt. For example, with a threshold of 5 and a window of 00:00:20:00, the fifth bad password within a 20 minute period locks the account. The window cannot be longer than the lockout duration below

Lockout Duration (msDS-LockoutDuration) - If the account is locked out, how long it stays locked before unlocking itself. This is set in Days:Hours:Minutes:Seconds, so for 1 hour you would use 00:01:00:00. (never) means the account stays locked until an administrator unlocks it

  • Select 'More Attributes'
  • Under 'Select a property to view' choose 'PSO Applies to' (msDS-PSOAppliesTo)

Get the DN (distinguished name) of the target from ADUC (Active Directory Users and Computers). You will need to enable Advanced Features in the View menu at the top first. Double click the group or user this PSO will apply to, select the Attribute Editor tab and scroll down a little to the distinguishedName attribute. Copy and paste this into the 'Edit Attribute' box in ADSI Edit and click Add. Remember that only user objects and global security groups are valid targets here.

We can test whether the policy has been applied by resetting a password for a user in ADUC, or from a command prompt by typing dsget user <DN> -effectivepso. If the only output is dsget succeeded, no PSO applies to that user and the default domain password policy is still in effect, so you went wrong somewhere (usually the wrong group scope or a typo in the DN). When it works, the DN of your PSO is listed above dsget succeeded. This is what you want to see:
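The same PSO, built and verified with the ActiveDirectory PowerShell module (available with the Server 2008 R2 RSAT and later) instead of ADSI Edit. This is an added example and not part of the original post; the policy name ServiceAccountsPSO, the group SVC-Accounts, the account svc-backup and the precedence value are assumptions chosen for illustration. It also adds the two checks a practitioner wants before and after linking: that the target really is a global security group, and that the resultant policy for a member is the PSO you just created rather than the default domain policy.

```powershell
# Added example (not from the original post): create a PSO, link it, verify it.
# ServiceAccountsPSO, SVC-Accounts and svc-backup are hypothetical names.
Import-Module ActiveDirectory

$psoName  = 'ServiceAccountsPSO'
$target   = 'SVC-Accounts'   # must be a user or a GLOBAL SECURITY group
$testUser = 'svc-backup'     # a member of $target, used to check the result

# PSOs are only honoured for users and global security groups, so check the
# group scope before linking rather than discovering it from dsget later.
$group = Get-ADGroup -Identity $target -Properties GroupScope, GroupCategory
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$target is $($group.GroupCategory)/$($group.GroupScope); a PSO needs a global security group."
}

# PowerShell takes the durations as TimeSpans in d.hh:mm:ss form, not the
# d:hh:mm:ss that ADSI Edit uses. The observation window must not exceed
# the lockout duration, and MinPasswordAge must be below MaxPasswordAge.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -MinPasswordLength 14 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '00:20:00' `
    -LockoutDuration '01:00:00' `
    -ProtectedFromAccidentalDeletion $true

# Equivalent of pasting the DN into msDS-PSOAppliesTo in ADSI Edit.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $target

# Equivalent of 'dsget user <DN> -effectivepso'. Returns nothing when only
# the Default Domain Policy applies, which is the failure case in the post.
$effective = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($null -eq $effective) {
    Write-Warning "No PSO applies to $testUser; the default domain policy is in effect."
} elseif ($effective.Name -ne $psoName) {
    # Another PSO with a lower precedence value (or one linked directly to
    # the user) is winning; see the precedence rules above.
    Write-Warning "$testUser is covered by '$($effective.Name)' (precedence $($effective.Precedence)) instead of $psoName."
} else {
    Write-Output "$psoName applies to $testUser"
    $effective | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
        LockoutThreshold, LockoutObservationWindow, LockoutDuration
}

# Audit view: every PSO in the domain, its precedence and what it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Select-Object Name, Precedence, @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } }
```

Run it from a console that is a member of Domain Admins (or has been delegated rights on the Password Settings Container). The final audit query is worth keeping around on its own: a PSO with reversible encryption enabled, a lockout threshold of 0 or a very low precedence linked to a broad group is exactly the kind of thing that gets created during troubleshooting and never removed.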