Articles Tagged ‘2012R2’

Installation and Configuration of Fine-Grained Password Policy for Windows Server 2012

windows-2012-install-setup-fine-grained-password-policy-01aMicrosoft introduced Fine-Grained Password Policy for the first time in Windows Server 2008 and the policy has been part of every Windows Server since then. Fine-Grained Password Policy allows overcoming the limitations of only one password policy for a single domain. A brief example is that we apply different password and account lockout policies to different users in a domain with the help of Fine-Grained Password Policies.
 
This article discusses the Fine-Grained Password Policy as applicable to Windows Server 2012, and the different ways of configuring this policy. Windows Server 2012 allows two methods of configuring the Fine-Grained Password Policy:

1. Using the Windows PowerShell

2. Using the Active Directory Administrative Center or ADAC

In earlier Windows Server editions, it was possible to configure Fine-Grained Password Policy only through the command line interface (CLI). However with Windows Server 2012 a graphical user interface has been added, allowing the configuration of the Fine-Grained Password Policy via the Active Directory Administrative Center. We will discuss both the methods.

Before you begin to implement the Fine-Grained Password Policy, you must make sure the domain functional level must be Windows Server 2008 or higher. Refer to relevant Windows 2012 articles on our website Firewall.cx.

Backup your Windows Server 2012 R2 host using Altaro’s Free Hyper-V & VMware Backup solution. Download Now!

Configuring Fine-Grained Password Policy using the Windows PowerShell

Use your administrative credentials to login to your Windows Server 2012 domain controller. Invoke the PowerShell console by Right clicking on the third icon from the left in the taskbar on the Windows Server desktop and then clicking on Run as Administrator.

windows-2012-install-setup-fine-grained-password-policy-01

Figure 1. Executing Windows PowerShell as Administrator

 

Clicking on Yes to the UAC confirmation will open up an Administrator: Windows PowerShell console.

Within the PowerShell console, type the following command in order to begin the creation of a new fine grained password policy and press Enter:

C:\Windows\system32> New-ADFineGrainedPasswordPolicy

windows-2012-install-setup-fine-grained-password-policy-02

Figure 2. Creating a new Fine Grained Password Policy via PowerShell

 

Type a name for the new policy at the Name: prompt and press Enter. In our example, we named our policy FGPP:

windows-2012-install-setup-fine-grained-password-policy-03

Figure 3. Naming our Fine Grained Password Policy

 

Type a precedence index number at the Precedence: prompt and press Enter. Note that policies that have a lower precedence number have a higher priority over those with higher precedence numbers. We’ve set our new policy with a precedence of 15: windows-2012-install-setup-fine-grained-password-policy-04

Figure 4. Setting the Precedence index number of our Fine Grained Password Policy

 

Now the policy is configured, but has all default values. If there is need to add specific parameters to the policy, you can do that by typing the following at the Windows PowerShell command prompt and press Enter:

C:\Windows\system32> New-ADFineGrainedPasswordPolicy -Name FGPP -DisplayName FGPP -Precedence 15 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -PasswordHistoryCount 20 -MinPasswordLength 10 -MinPasswordAge 3.00:30:00 -MaxPasswordAge 30.00:30:00 -LockoutThreshold 4 -LockoutObservationWindow 0.00:30:00 -LockoutDuration 0.00:45:00


In the above command, replace the name FGPP with the name of your password policy, which in our example is FGPP.

The parameters used in the above are mandatory and pretty much self-explanatory:

Attributes for Password Settings above include:

  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Passwords must meet complexity requirements
  • Store passwords using reversible encryption

Attributes involving account lockout settings include:

  • Account lockout duration
  • Account lockout threshold
  • Reset account lockout after


To apply the policy to a user/group or users/groups, use the following command at the PowerShell command prompt:

C:\Windows\system32> Add-ADFineGrainedPasswordPolicySubject -Identity FGPP -Subjects “Chris_Partsenidis”

For confirming whether the policy has indeed been applied to the groups/users correctly, type the following command at the PowerShell command prompt and press Enter:

Windows 2012 Server

This section contains technical articles, content and resources for IT Professionals working with Microsoft's Windows 2012 & Windows 2012 R2 server. Our content covers basic and advanced configuration of Windows 2012 components, services, technologies and much more, and has been written in an easy-to-follow manner.

We hope you enjoy the provided articles and welcome your feedback and suggestions.

Articles To Read Next:

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup