Fine-Grained Password Policy using Windows Server 2012.

In the past, Active Directory was restricted to a single password policy per domain. When the requirement for different password policies for different groups of users (multi-tenancy and isolation of security domains) within one organization became inevitable, Microsoft fine-grained the password policy so that administrators could deploy more than one password policy within a single domain.

Even though Microsoft introduced fine-grained password policies in Windows Server 2008, the configuration was not user-friendly. Windows Server 2012 comes with a truly user-friendly graphical user interface that makes it very easy to deploy a fine-grained password policy.

Defining the security requirements

Before configuring fine-grained password policies, the organizational security structure should be defined clearly by creating the necessary groups. Consider that your organization requires separate password policies for domain administrators, service accounts and normal users.

Let us take this typical use case scenario as our example, where the organization will have three different password policies:

  • A high-security password policy for domain administrators with strict settings for password expiry, complexity and so on
  • A low-security user password policy with less strict settings for password expiry, complexity etc.
  • A service account password policy targeted at service accounts with strict settings for minimum password length, complexity etc.

To configure a fine-grained password policy, open Server Manager on Windows Server 2012 and select Active Directory Administrative Center from the Tools menu.

FGPP-1

From the List View in Active Directory Administrative Center, select Users and verify that the security groups exist and their membership is correct. In our scenario, we have the ACME-Svc, ACME-Admin and ACME-Users groups.

FGPP-2

To create the FGPP, switch to the Tree View in Active Directory Administrative Center and navigate to System > Password Settings Container.

FGPP-3

Click on New and then select Password Settings.

FGPP-4

In the Create Password Settings window, you can specify all the familiar password policy settings on a single user-friendly screen.

FGPP-5

All the password settings are familiar except the precedence. The precedence field accepts arbitrary integer values, where a lower number denotes a higher priority.

Even though it is not recommended, more than one password settings object can apply to a single Active Directory user. In this specific scenario, if a user is a member of both the ACME-Users group and the ACME-Admin group, the password settings linked to ACME-Admin will be enforced for that user, because the precedence number (1) of the password settings linked to ACME-Admin is lower than the precedence number (100) of the password settings linked to ACME-Users.

FGPP-6

FGPP-7

Create password settings for each of the required user groups and make sure the respective groups are added to the Directly Applies To list of the concerned password settings object.
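The same three password settings objects, created from the ActiveDirectory PowerShell module instead of the Active Directory Administrative Center, as an added example that is not part of the original post. The group names are the ones used in the scenario above; the policy names and the numeric settings (password length, age, lockout) are assumptions for illustration.

```powershell
# Added example: create the three ACME fine-grained password policies (PSOs)
# and link each to its global security group. Not from the original post.
Import-Module ActiveDirectory

# Precedence: the lowest number wins when more than one PSO applies to a user.
# Keep the values unique; on a tie the PSO with the lower objectGUID wins.
$policies = @(
    @{ Name = 'ACME-Admin-PSO'; Precedence = 1;   Subject = 'ACME-Admin';
       MinPasswordLength = 15; MaxPasswordAge = (New-TimeSpan -Days 30);
       PasswordHistoryCount = 24; LockoutThreshold = 5 }
    @{ Name = 'ACME-Svc-PSO';   Precedence = 10;  Subject = 'ACME-Svc';
       MinPasswordLength = 25; MaxPasswordAge = (New-TimeSpan -Days 365);
       PasswordHistoryCount = 24; LockoutThreshold = 0 }
    @{ Name = 'ACME-Users-PSO'; Precedence = 100; Subject = 'ACME-Users';
       MinPasswordLength = 8;  MaxPasswordAge = (New-TimeSpan -Days 90);
       PasswordHistoryCount = 10; LockoutThreshold = 10 }
)

foreach ($p in $policies) {
    # Skip PSOs that already exist so the script is safe to re-run.
    if (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'") {
        Write-Host "PSO $($p.Name) already exists, skipping"
        continue
    }
    New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength $p.MinPasswordLength `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge $p.MaxPasswordAge `
        -PasswordHistoryCount $p.PasswordHistoryCount `
        -LockoutThreshold $p.LockoutThreshold `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)

    # Equivalent of the "Directly Applies To" list in the ADAC dialog.
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Subject
}

# Show the result ordered by precedence, with the principals each PSO targets.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo
```

A PSO can only be applied to user objects and global security groups, not to organizational units, and the domain functional level must be Windows Server 2008 or higher.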

FGPP-8

The TechNet link below provides details of the password policy settings: http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

Now we have successfully created our fine-grained password policy. We can verify the password settings associated with any user object in Active Directory by opening Active Directory Administrative Center, right-clicking the user and selecting View Resultant Password Settings. This brings up the password settings object that applies to the user.
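The same resultant-policy check from PowerShell, as an added example that is not part of the original post. It also reads the password expiry date that the domain controller computes from the resultant policy, which answers the question of how to check expiry under FGPP when net user only reflects the domain-wide policy. The user name jdoe is an assumption.

```powershell
# Added example: report the PSO that actually applies to a user and the
# resulting password expiry date. Not from the original post.
Import-Module ActiveDirectory

function Get-EffectivePasswordInfo {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # The resultant PSO is the lowest-precedence PSO among those applied
    # directly to the user or to a global group the user belongs to.
    # Nothing is returned when only the Default Domain Policy applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName

    # msDS-UserPasswordExpiryTimeComputed is a constructed attribute that the
    # DC calculates from the resultant policy, so it is correct under FGPP.
    $props = @('PasswordLastSet', 'PasswordNeverExpires',
               'msDS-UserPasswordExpiryTimeComputed')
    $user = Get-ADUser -Identity $SamAccountName -Properties $props
    $raw  = $user.'msDS-UserPasswordExpiryTimeComputed'

    # 0x7FFFFFFFFFFFFFFF is the sentinel for "never expires".
    if ($user.PasswordNeverExpires -or $raw -eq 0x7FFFFFFFFFFFFFFF) {
        $expiry = 'never'
    } else {
        $expiry = [datetime]::FromFileTime($raw)
    }

    $psoName = if ($pso) { $pso.Name } else { '(Default Domain Policy)' }
    $psoPrec = if ($pso) { $pso.Precedence } else { $null }
    $psoAge  = if ($pso) { $pso.MaxPasswordAge } else { $null }

    [pscustomobject]@{
        User            = $user.SamAccountName
        ResultantPSO    = $psoName
        Precedence      = $psoPrec
        MaxPasswordAge  = $psoAge
        PasswordLastSet = $user.PasswordLastSet
        PasswordExpires = $expiry
    }
}

# A member of both ACME-Users (precedence 100) and ACME-Admin (precedence 1)
# should report the ACME-Admin PSO here, matching the scenario above.
Get-EffectivePasswordInfo -SamAccountName 'jdoe'
```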

FGPP-9

The following message box appears when you try to change the password for a user account with a fine-grained password policy applied to it and that password fails to meet the policy requirements:

FGPP-10


About Jayachandran PK
My passion is for Microsoft technologies and how if properly implemented, they can provide actual value for an organization especially in the field of infrastructure, virtualization and system monitoring. I work for the biggest Microsoft partner in Kuwait, specialized in project consultation and implementation services for enterprise clients. When I'm not at work, I try to contribute back through a charitable organization dedicated to prompting cultural values of Kerala. In my free time, I dabble in gardening and am also an avid solar power aficionado.

2 Responses to Fine-Grained Password Policy using Windows Server 2012.

  1. Tony says:

    How can you check to see when a user account password is to expire using FGPP, since net commands only work for GPOs?
