A quick description of fine grained password policies is that you can specify multiple password policies within a single domain. You can use fine-grained password policies to apply different restrictions for password and account lockout policies to different sets of users in a domain
One of the nice features introduced in Windows Server 2010 “Server 8 beta” AD DS is the ability to configure fine grained password policies through GUI.
In this post we will walk through the configuration steps to create and assign different password policies to different user groups within the same Active Directory Domain, table below gives an example of different password policy requirements:
|
Group Name/Setting |
Group1 |
Group2 |
Group3 |
|
Policy Name |
Poli-Group1 |
Poli-Group2 |
Poli-Group3 |
|
Minimum password length |
2 |
6 |
19 |
|
Minimum password age |
1 |
2 |
14 |
|
Enforce password history |
24 |
15 |
none |
To configure password policies as per the table above
1. Login using a domain admin account to a machine that has Active Directory administration tools and open Server Manager.
2. Go to tools and open Active Directory Administrative Center.
3. Click on Tree View.
4. Navigate to System container then Password Settings Container.
5. Right click Password Settings Container, then New-Password Policy
6. Specify the password policy settings for each of the required policies
7. Click add to link the created policy to users security group “Group1”
8. Repeat steps 5-7 for the remaining policies.
