Microsoft introduced Fine-Grained Password Policy in Windows Server 2008, and it has been part of every Windows Server release since then. Fine-Grained Password Policy overcomes the limitation of having only one password policy per domain: with it, we can apply different password and account lockout policies to different users within the same domain.
This article discusses the Fine-Grained Password Policy as applicable to Windows Server 2012, and the different ways of configuring this policy. Windows Server 2012 allows two methods of configuring the Fine-Grained Password Policy:
1. Using the Windows PowerShell
2. Using the Active Directory Administrative Center or ADAC
In earlier Windows Server editions, Fine-Grained Password Policy could be configured only through the command line interface (CLI). With Windows Server 2012, however, a graphical user interface has been added, allowing the Fine-Grained Password Policy to be configured via the Active Directory Administrative Center. We will discuss both methods.
Before you begin to implement Fine-Grained Password Policy, make sure the domain functional level is Windows Server 2008 or higher. Refer to the relevant Windows 2012 articles on our website Firewall.cx.
Configuring Fine-Grained Password Policy using the Windows PowerShell
Log in to your Windows Server 2012 domain controller with your administrative credentials. Invoke the PowerShell console by right-clicking the third icon from the left in the taskbar on the Windows Server desktop and then clicking Run as Administrator.
Figure 1. Executing Windows PowerShell as Administrator
Clicking Yes at the UAC confirmation opens an Administrator: Windows PowerShell console.
Within the PowerShell console, type the following command to begin creating a new fine-grained password policy and press Enter:
Figure 2. Creating a new Fine Grained Password Policy via PowerShell
Type a name for the new policy at the Name: prompt and press Enter. In our example, we named our policy FGPP:
Figure 3. Naming our Fine Grained Password Policy
Type a precedence index number at the Precedence: prompt and press Enter. Note that policies with a lower precedence number take priority over those with a higher precedence number. We’ve set our new policy to a precedence of 15:
Figure 4. Setting the Precedence index number of our Fine Grained Password Policy
The policy now exists, but with all default values. If you need to set specific parameters on the policy, you can do so by typing the following at the Windows PowerShell command prompt and pressing Enter:
C:\Windows\system32> New-ADFineGrainedPasswordPolicy -Name FGPP -DisplayName FGPP -Precedence 15 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -PasswordHistoryCount 20 -MinPasswordLength 10 -MinPasswordAge 3.00:30:00 -MaxPasswordAge 30.00:30:00 -LockoutThreshold 4 -LockoutObservationWindow 0.00:30:00 -LockoutDuration 0.00:45:00
In the above command, replace FGPP with the name of your own password policy (in our example the name is FGPP).
The parameters used in the above command are mandatory and pretty much self-explanatory. They correspond to the following Password Settings attributes:
- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Passwords must meet complexity requirements
- Store passwords using reversible encryption
Attributes involving account lockout settings include:
- Account lockout duration
- Account lockout threshold
- Reset account lockout after
To apply the policy to one or more users or groups, use the following command at the PowerShell command prompt:
To confirm that the policy has indeed been applied to the users/groups correctly, type the following command at the PowerShell command prompt and press Enter:
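The create, apply and confirm steps of this procedure as one script, added here as an example and not the article's own commands. It assumes the ActiveDirectory PowerShell module, the policy name FGPP and precedence 15 from the article, and a hypothetical group Finance-Admins with a hypothetical member jdoe.

```powershell
Import-Module ActiveDirectory

$PolicyName  = 'FGPP'
$TargetGroup = 'Finance-Admins'   # hypothetical global security group
$SampleUser  = 'jdoe'             # hypothetical member of that group

# Settings from the article, kept in a splatting table so New- and Set- share them.
$Settings = @{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 20
    MinPasswordLength           = 10
    MinPasswordAge              = '3.00:30:00'    # days.hours:minutes:seconds
    MaxPasswordAge              = '30.00:30:00'
    LockoutThreshold            = 4
    LockoutObservationWindow    = '0.00:30:00'
    LockoutDuration             = '0.00:45:00'
}

# Create the policy if it does not exist yet; otherwise update it in place.
# New-ADFineGrainedPasswordPolicy fails when a policy with the same name already exists.
$existing = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'"
if (-not $existing) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -DisplayName $PolicyName -Precedence 15 @Settings
} else {
    Set-ADFineGrainedPasswordPolicy -Identity $PolicyName @Settings
}

# Apply the policy to the group (FGPPs can be linked only to users and global security groups).
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $TargetGroup

# Check 1: which users/groups the policy is linked to.
Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName | Select-Object Name, ObjectClass

# Check 2: the policy that actually wins for a member (lowest Precedence among applicable FGPPs).
# The cmdlet returns $null when no FGPP applies and the Default Domain Policy is in effect.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $SampleUser
if ($null -eq $resultant) {
    "$SampleUser is governed by the Default Domain Policy:"
    Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, LockoutThreshold
} else {
    $resultant | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
}
```

Check 2 is the one that matters for verification: linking the policy to a group proves nothing if another FGPP with a lower precedence number also applies to the same user.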