Why and How to use Fine-Grained Password Policies

Posted: January 6, 2013 in Active Directory

With Windows Server 2008, Microsoft introduced a new concept for applying password policies called “Fine-Grained Password Policy”.

As you may know, password policy settings on a domain controller are taken only from the Default Domain Policy, which severely restricted administrators and security engineers who needed different password policies for different purposes and scopes.

In practice, you cannot assign multiple password policies to different OUs within a domain/forest, and you still cannot. The default password policy always overrides any other password policy you try to create in a different GPO, at whatever level it is linked. No matter what you do (enforce the policy, block inheritance, even remove the password configuration from the Default Domain Policy or set it to “Not Configured”), you just cannot. Personally, I tried to work around this by writing some complex VBS scripts back in the Windows Server 2003 days, and we consulted experts in AD core; there was simply no solution or workaround, which left us praying and hoping for some action from Microsoft in a service pack or a future release of Windows Server.

Finally, with Windows Server 2008 and later versions, Microsoft offered a way to overcome the limitations I mentioned above by introducing Fine-Grained Password Policies. It is not straightforward, though: you cannot simply create a new GPO and link it to an OU, as this still doesn’t work. You need some special skills, because you have to deal with AD attributes directly, either with PowerShell or with ADSIEDIT. Below I show how to create a fine-grained password policy and the important things you need to be aware of.

Things you need to know before you start:

  • You need to be at least a member of the Domain Admins group in the domain where you are going to create the Fine-Grained Password Policy. This is the default. You can delegate this permission to non-Domain Admins, but it is not recommended.
  • The domain functional level must be Windows Server 2008 or above.
  • Any Fine-Grained Password Policy overrides the default domain policy within the scope it is applied to, so be careful about where and why you apply it.
  • You cannot apply a Fine-Grained Password Policy to OUs. You have to assign it to specific domain user accounts and/or global security groups.
  • To check any custom Fine-Grained Password Policy you have created, and for future modifications, view the Password Settings Container in dsa.msc with the Advanced View option enabled.
  • This works for users logging on from any Windows client OS. On XP, a warning message may appear when users to whom the Fine-Grained Password Policy applies try to change their password; you can safely ignore this message.

Creating Fine-Grained Password Policy using two methods

1) Using ADSIEDIT:

  • Click Start, click Run, type adsiedit.msc, and then click OK
  • In the ADSI Edit snap-in, you should by default be connected to the domain where you run adsiedit.msc. If you need to connect to a different domain, right-click ADSI Edit, and then click Connect to. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO, and then click OK.
  • Double-click the domain.
  • Double-click DC=<domain_name>
  • Double-click CN=System
  • Click CN=Password Settings Container
  • Right-click CN=Password Settings Container, click New, and then click Object
  • In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next
  • In Value, type the name of the new PSO, and then click Next
  • Follow the wizard. The table below describes all the required attributes, with example values.

| Attribute name | Description | Acceptable value range | Example value |
|---|---|---|---|
| msDS-PasswordSettingsPrecedence | Password Settings Precedence | Greater than 0 | 5 |
| msDS-PasswordReversibleEncryptionEnabled | Password reversible encryption status for user accounts | FALSE / TRUE (Recommended: FALSE) | FALSE |
| msDS-PasswordHistoryLength | Password History Length for user accounts | 0 through 1024 | 3 |
| msDS-PasswordComplexityEnabled | Password complexity status for user accounts | FALSE / TRUE (Recommended: TRUE) | TRUE |
| msDS-MinimumPasswordLength | Minimum Password Length for user accounts | 0 through 255 | 6 |
| msDS-MinimumPasswordAge | Minimum Password Age for user accounts | (None); 00:00:00:00 through msDS-MaximumPasswordAge value | 2:00:00:00 (2 days) |
| msDS-MaximumPasswordAge | Maximum Password Age for user accounts | (Never), set by entering the value -9223372036854775808; msDS-MinimumPasswordAge value through (Never); msDS-MaximumPasswordAge cannot be set to zero | 60:00:00:00 (60 days) |
| msDS-LockoutThreshold | Lockout threshold for lockout of user accounts | 0 through 65535 | 10 |
| msDS-LockoutObservationWindow | Observation Window for lockout of user accounts | (None); 00:00:00:01 through msDS-LockoutDuration value | 0:00:15:00 (15 minutes) |
| msDS-LockoutDuration | Lockout duration for locked out user accounts | (None); (Never); msDS-LockoutObservationWindow value through (Never) | 0:00:10:00 (10 minutes) |
| msDS-PSOAppliesTo | Links to objects that this password settings object applies to (forward link) | 0 or more DNs of users or global security groups | “CN=xyz,CN=Users,DC=DomainController,DC=yourdomain,DC=extension” |

  • On the last screen of the wizard, click More Attributes
  • On the Select which property to view menu, click Optional
  • In the Select a property to view drop-down list, select msDS-PSOAppliesTo
  • In Edit Attribute, add the distinguished names of users or global security groups that the PSO is to be applied to, and then click Add
  • Repeat the previous step if you need to add more users/security groups
  • Click Finish

2) Using PowerShell:

Below is a sample PowerShell command. You can simply copy and paste it and change the attribute values to suit your needs:

    # The cmdlet ships with the Active Directory module
    Import-Module ActiveDirectory

    # Time values use the d.hh:mm:ss format ("0.10:00:00" is 10 hours)
    $pso = @{
        Name                        = "FineGrainesPassPolicy"
        DisplayName                 = "Domain Users PSO"
        Description                 = "Special Domain Users Password Policy"
        Precedence                  = 20
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        LockoutDuration             = "0.10:00:00"
        LockoutObservationWindow    = "0.00:15:00"
        LockoutThreshold            = 10
        MaxPasswordAge              = "60.00:00:00"
        MinPasswordAge              = "1.00:00:00"
        MinPasswordLength           = 7
        PasswordHistoryCount        = 5
    }
    New-ADFineGrainedPasswordPolicy @pso

After that, open the Password Settings Container under the System container (as mentioned, you need to enable the Advanced View option to see this container), locate the newly created PSO “Domain Users PSO”, open its properties, and on the Attribute Editor tab locate the msDS-PSOAppliesTo attribute and add the users/security groups you need this PSO to apply to.

The two methods above are your easiest and best way to apply this nice concept when you have specific extra security requirements in mind.

Real-life issue: Some engineers report that Fine-Grained Password Policies do not apply to certain users who are members of a security group. The reason is that the group is not a Global Security Group, so make sure that the groups are Security Groups and, in addition, that they are Global Security Groups only. This will not work with Distribution Groups, as they don’t have a SID, and it won’t work with Universal or Domain Local groups, as their nesting hierarchy can involve complex group memberships for groups in different forests.

I hope this was a good, informative read for you. If you have any questions, please leave them below in the comments and I will be glad to assist 🙂
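
An added example (not part of the original post) that links the PSO from PowerShell instead of editing msDS-PSOAppliesTo by hand, checks every linked group for the scope/type problem described above, and shows which policy actually wins for a user. The group `Special-Users` and the user `jdoe` are hypothetical names; the PSO name is the one used in the command above.

```powershell
Import-Module ActiveDirectory

$PsoName   = 'FineGrainesPassPolicy'   # -Name used when the PSO was created
$GroupName = 'Special-Users'           # hypothetical group
$UserName  = 'jdoe'                    # hypothetical member of that group

# A PSO only takes effect through Global Security groups (or direct user links),
# so refuse to link anything else.
$group = Get-ADGroup -Identity $GroupName
if ($group.GroupCategory -ne 'Security' -or $group.GroupScope -ne 'Global') {
    throw "$GroupName is $($group.GroupScope)/$($group.GroupCategory); a PSO needs a Global Security group."
}

# Writes the group's DN into msDS-PSOAppliesTo on the PSO.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $group

# Audit every subject already linked to the PSO, including older links.
$pso = Get-ADFineGrainedPasswordPolicy -Identity $PsoName
foreach ($dn in $pso.AppliesTo) {
    $obj = Get-ADObject -Identity $dn
    if ($obj.ObjectClass -eq 'group') {
        $g = Get-ADGroup -Identity $dn
        if ($g.GroupCategory -ne 'Security' -or $g.GroupScope -ne 'Global') {
            Write-Warning "PSO is ignored for $dn ($($g.GroupScope)/$($g.GroupCategory))"
        }
    }
}

# Show the policy that is actually in effect for the user.
$effective = Get-ADUserResultantPasswordPolicy -Identity $UserName
if ($null -eq $effective) {
    "No PSO applies to $UserName; the Default Domain Policy is in effect."
} else {
    $effective | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
}
```

When more than one PSO reaches the same user through group membership, the one with the lowest precedence value is the one reported here.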

 

References: http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

Comments
  1. minh says:

    Hi,

    After creating a FGPP and then applying it to security groups or users:
    1. When an account logs on to his/her system, is a password change required immediately or not?
    2. Can a FGPP be applied to multiple security groups/users or not?

    Thanks & best regards,

  2. Back says:

    Nice article .. we can see this article to create in 2008 or 2003 machine http://www.morgantechspace.com/2013/07/how-to-create-fine-grained-password.html

  3. Jason says:

    This information is great, but I’m running into an issue where it seems the default password policy is overriding the PSO. Is there a precedence that I’m missing? The PSO has lower requirements than the Default and I’m wondering if it doesn’t override regardless.
