AD: Nitty Gritty of Fine-Grained Password Policies

Hey everyone, Theron (aka T-) here, Senior Consultant with Microsoft Consulting Services (MCS) specializing in Active Directory.

Fine-Grained Password Policies (FGPP) have been around for a while, but in my experience with various customers, they aren’t used often, if at all. This post is an attempt to simplify them, provide some details and list some of the PowerShell cmdlets you can use to manage them. There are plenty of resources out there that outline how to implement them, so I won’t get into that.

FGPP? What?

Windows Server 2008 and above operating systems provide organizations with a way to define different password and account lockout policies for different sets of users in a domain. In Windows 2000 Server and Windows 2003 Server Active Directory domains, only one password policy and account lockout policy could be applied per domain. These settings were specified in the Default Domain Policy for the domain. Thus, organizations that wanted different password and account lockout settings for different sets of users had to either create a password filter or deploy multiple domains.

You can use Fine-Grained Password Policies to specify multiple password policies within a single domain. You can also use them to apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply more restrictive settings to privileged accounts and less restrictive settings to the accounts of regular users. In other cases, you might want to apply a special password policy for accounts whose passwords are synchronized with other data sources.

For more details, refer to this.

‘Fine-Grained’ Details:

Here are some of the details of FGPPs that may help you understand their use a little better:

  • For the Fine-Grained Password Policy and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008 or greater.
  • Fine-Grained Password Policies apply only to global security groups and user objects (or inetOrgPerson objects if they are used instead of user objects).
  • A Fine-Grained Password Policy is referred to as a Password Settings Object (PSO) in Active Directory.
  • Permissions: By default, only members of the Domain Admins group can create PSOs. Only members of this group have the Create Child and Delete Child permissions on the Password Settings Container object in Active Directory.
    • In addition, only members of the Domain Admins group have Write Property permissions on the PSO by default. Therefore by default, only members of the Domain Admins group can apply a PSO to a group or user.
    • The appropriate rights to create and apply PSOs can be delegated, if needed.
  • Delegation: You can delegate Read Property permission of a PSO to any other group (such as Help desk personnel or a management application) in the domain or forest. This allows the delegated group to see the actual settings in a PSO.
    • Users can read the msDS-ResultantPSO or the msDS-PSOApplied attributes of their user object in Active Directory, but these attributes display only the distinguished name of the PSO that applies to the user. The user cannot see the settings within that PSO.
  • A PSO has attributes associated with all of the settings that can be defined in the Account Policies section of a Group Policy, except for Kerberos settings:
    • Enforce password history
    • Maximum password age
    • Minimum password age
    • Minimum password length
    • Passwords must meet complexity requirements
    • Store passwords using reversible encryption
    • Account lockout duration
    • Account lockout threshold
    • Reset account lockout after

In addition, a PSO also has the following attributes:

  • msDS-PSOAppliesTo. This is a multivalued attribute that is linked to users and/or group objects.
  • Precedence. This is an integer value that is used to resolve conflicts if multiple PSOs are applied to a user or group object.
    • Settings from multiple PSOs are not cumulative. Only the PSO with the highest precedence (that is, the lowest Precedence value) is applied.

Read that last bullet again, it’s important!!
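Here is an added example (my own script, not from the original post) that creates a stricter PSO for privileged accounts by mapping each of the Account Policies settings above to its New-ADFineGrainedPasswordPolicy parameter, checks that the target is a global security group before linking, and then confirms the link. The PSO name, group name and setting values are placeholders; the ActiveDirectory module is assumed.

```powershell
# Added example, not from the original post: build a stricter PSO for privileged
# accounts and link it to a group. Names and values below are placeholders.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'   # placeholder PSO name
$group   = 'Tier0-Admins'             # placeholder: must be a global security group

# Durations are TimeSpans; counts and thresholds are integers.
$settings = @{
    Name                            = $psoName
    Precedence                      = 10                         # lower number wins a conflict
    PasswordHistoryCount            = 24                         # Enforce password history
    MaxPasswordAge                  = (New-TimeSpan -Days 30)    # Maximum password age
    MinPasswordAge                  = (New-TimeSpan -Days 1)     # Minimum password age
    MinPasswordLength               = 15                         # Minimum password length
    ComplexityEnabled               = $true                      # Passwords must meet complexity requirements
    ReversibleEncryptionEnabled     = $false                     # Store passwords using reversible encryption
    LockoutDuration                 = (New-TimeSpan -Minutes 30) # Account lockout duration
    LockoutThreshold                = 5                          # Account lockout threshold
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30) # Reset account lockout after
    ProtectedFromAccidentalDeletion = $true
}

# PSOs only take effect on global security groups (or directly on users), so refuse
# to link to anything else rather than silently producing a policy that never applies.
$g = Get-ADGroup -Identity $group
if ($g.GroupScope -ne 'Global' -or $g.GroupCategory -ne 'Security') {
    throw "$group is $($g.GroupCategory)/$($g.GroupScope); PSOs apply only to global security groups."
}

# Create the PSO once, then link it to the group.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @settings
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $g.DistinguishedName

# Confirm the link and show the resultant policy for one member of the group.
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName | Select-Object Name, ObjectClass
Get-ADGroupMember -Identity $g -Recursive | Where-Object ObjectClass -eq 'user' |
    Select-Object -First 1 | ForEach-Object {
        Get-ADUserResultantPasswordPolicy -Identity $_ | Select-Object Name, Precedence, MaxPasswordAge
    }
```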

PowerShell and all of its Goodness:

While there are several ways to get information about a PSO, assign a PSO, remove assignment of a PSO, or to figure out what settings are applied to a user/group, PowerShell is the easiest…in my opinion.

Get all of the details of a PSO:

Get-ADFineGrainedPasswordPolicy '<PSOName>' -Properties *

Get the groups and users to which a PSO is applied:

Get-ADFineGrainedPasswordPolicySubject -Identity '<PSOName>'

Get the resultant password policy for a group or user:

Get-ADUserResultantPasswordPolicy -Identity '<TargetName>'

Assign PSO to a group or user:

Add-ADFineGrainedPasswordPolicySubject -Identity '<PSOName>' -Subjects '<GroupOrUser>'

Remove PSO from a group or user:

Remove-ADFineGrainedPasswordPolicySubject -Identity '<PSOName>' -Subjects '<GroupOrUser>'
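The following added audit script (mine, not from the original post) ties the cmdlets above to the precedence rule: for every member of a group it collects every PSO that could apply, whether linked to the user directly or to any group in the user's nested membership, works out which one should win, and compares that with the resultant PSO Active Directory reports. The group name is a placeholder and the ActiveDirectory module is assumed; the resolution rules in the comments go slightly beyond the post (direct user links beat group links, and a precedence tie goes to the lowest objectGUID).

```powershell
# Added example, not from the original post: find users with more than one candidate
# PSO and check that the one you expect to win is the one AD actually applies.
Import-Module ActiveDirectory

$targetGroup = 'Domain Admins'   # placeholder: group whose members are audited
$allPsos = Get-ADFineGrainedPasswordPolicy -Filter * -Properties *

function Resolve-ExpectedPso {
    param($User)
    $userDn = $User.DistinguishedName
    # Nested group membership via the LDAP_MATCHING_RULE_IN_CHAIN matching rule.
    # The DN is used unescaped; escape it if your DNs contain LDAP filter metacharacters.
    $groupDns = (Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)").DistinguishedName

    $direct   = $allPsos | Where-Object { $_.AppliesTo -contains $userDn }
    $viaGroup = $allPsos | Where-Object { $_.AppliesTo | Where-Object { $groupDns -contains $_ } }

    # Resolution rules: a PSO linked to the user itself beats any group-linked PSO; among the
    # remaining candidates the lowest Precedence wins; an exact tie goes to the lowest objectGUID.
    $candidates = if ($direct) { $direct } else { $viaGroup }
    $winner = $candidates | Sort-Object Precedence, ObjectGUID | Select-Object -First 1

    [pscustomobject]@{
        User       = $User.SamAccountName
        Candidates = @($candidates).Count
        Expected   = $winner.Name
        Reported   = (Get-ADUserResultantPasswordPolicy -Identity $User).Name   # $null = Default Domain Policy
    }
}

$results = Get-ADGroupMember -Identity $targetGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Resolve-ExpectedPso -User (Get-ADUser -Identity $_.DistinguishedName) }

# More than one candidate means the precedence rule is deciding the outcome; a mismatch
# between Expected and Reported means your model of the links is wrong and needs a look.
$results | Format-Table -AutoSize
$results | Where-Object { $_.Candidates -gt 1 -or $_.Expected -ne $_.Reported }
```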

To recap, Fine-Grained Password Policies are a way to apply different password/account lockout policies to various users/groups within a domain. Using them to shorten the password age of your administrative accounts is a sure way of improving security by forcing their passwords to be changed more often. Who isn’t up for improved security?

Roll Tide!
