How to create a fine-grained password policy in AD

For the first eight years of Active Directory, the only native way of having multiple password policies in your AD forest was to have multiple domains. When Windows Server 2008 arrived on the scene, Microsoft introduced the concept of fine-grained password policies (FGPP), which allowed different policies within the same domain.

Traditionally, the Default Domain Policy is where the standard password policy settings are configured. Somewhat strangely, they live under the Computer Configuration area of that GPO, which is a problem when you want to apply different password policies to different users. So, rather than extend Group Policy, Microsoft added a Password Settings Container to AD, holding Password Settings Objects (PSOs) that are applied to users and global security groups instead of being linked to an OU.

The original interface to configure FGPP was horrible. You had to use scary tools such as Adsiedit.msc or ldifde, or helpful third-party tools such as Specops Password Policy Basic. That changed with Windows Server 2012, when the Active Directory Administrative Center (ADAC), a graphical console built on top of the Active Directory PowerShell cmdlets, gained a proper editor for Password Settings Objects. ADAC is what we are going to use to evaluate what FGPP can offer you, and we'll walk through what you can (and can't!) do with it.


Accessing the Active Directory Administrative Center to Adjust Fine-Grained Password Policies

You can find ADAC under Windows Administrative Tools. A separate guide on this blog covers how to check the password complexity requirements currently in force in Active Directory.

If you have domain admin level privileges, you will see “system\Password Settings Container” underneath your domain name on the left.

View of Active Directory Administrative Center with domain admin level privileges

If you select that link you will see that you can choose New>Password Settings on the right.

New>Password Settings setting - 1st step to create a fine-grained password policy

The following configuration interface will be launched.

Configuration window for password settings when creating a fine-grained password policy

You have the same basic options in here as you do in the Default Domain Policy:

  • Name – Give it a descriptive name that reflects the group or individual this policy will apply to
  • Precedence – If more than one FGPP applies to a user, e.g. because they are in multiple AD groups, the policy with the lowest precedence value wins. A PSO linked directly to the user account always beats one linked via a group, and if two PSOs share the same precedence value the one with the lowest object GUID is applied
  • Minimum Password Length – The minimum number of characters a password must have
  • Password history – The number of previous passwords AD remembers for each user so that they cannot be reused
  • Complexity Required – The standard Windows complexity rule: at least six characters, characters from 3 of the 5 character types (upper, lower, digits, special and other Unicode letters), and the password must not contain the user's account name or any part of their full name longer than two characters. It is a single on/off switch; you cannot tune what it checks
  • Store Passwords with reversible encryption – Leave this off unless an application genuinely requires it; it is effectively the same as storing the password in plaintext for anyone who can read the directory database
  • Protect from Accidental Deletion
  • Minimum Password Age – Stops users changing their password multiple times on the same day to cycle past the Password History count and re-use the same password again
  • Maximum Password Age – When the password expires
  • Lockout Policy – How many incorrect passwords a user may enter before the account is locked out, how long it stays locked, and the observation window after which the bad-password counter resets
  • Directly Applies to – Who this policy applies to: a user or a global security group. You cannot apply a PSO to an OU
example of new password policy

You can find the Password Settings Container in Active Directory Users and Computers.

If you have enabled Advanced Features on the View menu, you will find it under the System container.

password setting container

If there is an object in here, you can view its properties and configured settings under the Attribute Editor tab.

my new password policy properties

As you can see, it is not exactly "fine-grained". Complexity is a single on/off switch with no way to tune what it checks. Interestingly, Microsoft's own password guidance now advises against mandatory complexity rules, because they push users toward predictable patterns rather than stronger passwords.
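To see how coarse that on/off switch is, here is an added example (not from the original post) that re-implements the documented Windows complexity rules in PowerShell. It is an approximation of the built-in check rather than a call into the domain controller's password filter, and the account name, display name and candidate passwords are constructed for the demo:

```powershell
# Added example, not from the original post: a local approximation of the Windows
# "Password must meet complexity requirements" check. Shows what the on/off switch
# does and does not catch. Not a call into the DC's own password filter.
function Test-WindowsComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = ''
    )

    # Rule 1: at least six characters long.
    if ($Password.Length -lt 6) { return $false }

    # Rule 2: must not contain the account name, nor any part of the full name longer
    # than two characters. -match is case-insensitive, as the Windows check is; the
    # full name is split on the delimiters Windows uses (space , . - _ # tab).
    if ($SamAccountName -and $Password -match [regex]::Escape($SamAccountName)) { return $false }
    foreach ($token in ($DisplayName -split '[ ,.\-_#\t]+')) {
        if ($token.Length -gt 2 -and $Password -match [regex]::Escape($token)) { return $false }
    }

    # Rule 3: characters from at least three of the five categories.
    $categories = 0
    if ($Password -cmatch '\p{Lu}')            { $categories++ }  # uppercase letter
    if ($Password -cmatch '\p{Ll}')            { $categories++ }  # lowercase letter
    if ($Password -cmatch '[0-9]')             { $categories++ }  # base-10 digit
    if ($Password -cmatch '[^\p{L}\p{Nd}]')    { $categories++ }  # non-alphanumeric (special)
    if ($Password -cmatch '[\p{Lo}\p{Lt}\p{Lm}]') { $categories++ }  # alphabetic but neither upper nor lower (e.g. CJK)
    return ($categories -ge 3)
}

# Constructed demo account and candidates. None of these values come from a real directory.
$user = 'jsmith'
$name = 'John Smith'
foreach ($candidate in 'Password1!', 'Summer2024', 'jsmith2024!', 'correct horse battery staple', 'Smith#99') {
    '{0,-32} complexity={1}' -f $candidate, (Test-WindowsComplexity -Password $candidate -SamAccountName $user -DisplayName $name)
}
```

Running it makes the problem visible: Password1! and Summer2024 both pass, because each hits three character types, while the 28-character passphrase correct horse battery staple fails on only two. The name checks reject jsmith2024! and Smith#99, but nothing in the rule asks whether a password is common, predictable or already in a breach list.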

Configuring Fine-Grained Password Policies Using PowerShell

In Active Directory, you can manage fine-grained password policies (PSOs) using PowerShell, though the ActiveDirectory PowerShell module (part of the Remote Server Administration Tools) must be installed on your computer in order to do so.

To create a new PSO, use the New-ADFineGrainedPasswordPolicy cmdlet:

New-ADFineGrainedPasswordPolicy -Name "Admin PSO Policy" -Precedence 10 -ComplexityEnabled $true -Description "Domain password policy for admins" -DisplayName "Admin PSO Policy" -LockoutDuration "0.20:00:00" -LockoutObservationWindow "0.00:30:00" -LockoutThreshold 6 -MaxPasswordAge "12.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 8 -PasswordHistoryCount 12 -ReversibleEncryptionEnabled $false

Durations are .NET TimeSpan strings in days.hours:minutes:seconds form, so this PSO locks an account for 20 hours after 6 bad passwords within a 30-minute window, and expires passwords after 12 days. AD requires the lockout duration to be at least as long as the observation window.

Next, assign the password policy to a user or global security group:

Add-ADFineGrainedPasswordPolicySubject -Identity "Admin PSO Policy" -Subjects "Domain Admins"

assign password policy to a user group with Windows PowerShell
Image source: Windows OS Hub

Change the PSO policy settings using:

Set-ADFineGrainedPasswordPolicy -Identity "Admin PSO Policy" -PasswordHistoryCount 12

List all FGPP policies in a domain:

Get-ADFineGrainedPasswordPolicy -Filter *

Get-ADFineGrainedPasswordPolicy -Filter
Image Source: Windows OS Hub

Use the Get-ADUserResultantPasswordPolicy command to get the resulting password policy that applies to a specific user.

Get-ADUserResultantPasswordPolicy -Identity jsmith

Get-ADUserResultantPasswordPolicy -Identity jsmith
Image Source: Windows OS Hub

The name of the PSO that applies to the user is shown in the Name field. If the command returns nothing, no PSO applies to that user and the Default Domain Policy is in force.

You can display the list of PSOs assigned to an Active Directory group using the Get-ADGroup cmdlet. The msDS-PSOApplied attribute holds the distinguished names of the PSOs linked to that group, so request just that attribute rather than pulling every property:

Get-ADGroup "Domain Admins" -Properties msDS-PSOApplied | Select-Object -ExpandProperty msDS-PSOApplied

To show the default password policy settings from the Default Domain Policy GPO, run the command:

Get-ADDefaultDomainPasswordPolicy
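The cmdlets above are enough to answer the question a reviewer actually asks: which policy governs each privileged account, and is any PSO configured in a way that weakens it? The following added example (not part of the original post) ties them together. It assumes the ActiveDirectory module from RSAT and read access to the Password Settings Container; the group name and the 14-character minimum-length threshold are illustrative choices, not Windows requirements:

```powershell
# Added example, not from the original post. Audits fine-grained password policies:
# flags PSOs that share a precedence value, flags weak PSO settings, and resolves the
# effective policy for every member of a group. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Precedence as the DC applies it: a PSO linked directly to the user beats any group-linked
# PSO; among the rest the LOWEST Precedence value wins; a tie is broken by the lowest object
# GUID. Two PSOs on the same precedence value is therefore a latent surprise, so report it.
$psos = Get-ADFineGrainedPasswordPolicy -Filter *
$psos | Group-Object -Property Precedence | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("PSOs share precedence {0}: {1}" -f $_.Name, ($_.Group.Name -join ', '))
}

# Settings a reviewer would not want to see on any PSO. The 14-character floor is an
# assumed organisational threshold, not something Windows enforces.
$MinLengthFloor = 14
foreach ($pso in $psos) {
    if ($pso.ReversibleEncryptionEnabled)           { Write-Warning "$($pso.Name): reversible encryption is enabled" }
    if ($pso.MinPasswordLength -lt $MinLengthFloor) { Write-Warning "$($pso.Name): MinPasswordLength $($pso.MinPasswordLength) is below $MinLengthFloor" }
    if ($pso.LockoutThreshold -eq 0)                { Write-Warning "$($pso.Name): account lockout is disabled" }
}

# Effective policy per group member. Get-ADUserResultantPasswordPolicy returns nothing when
# no PSO applies, in which case the Default Domain Policy governs the account.
$default = Get-ADDefaultDomainPasswordPolicy
$group   = 'Domain Admins'   # assumed group to audit; any group works, nested members included
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $resultant  = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $effective  = if ($resultant) { $resultant } else { $default }
        $policyName = if ($resultant) { $resultant.Name } else { 'Default Domain Policy' }
        [pscustomobject]@{
            User         = $_.SamAccountName
            Policy       = $policyName
            MinLength    = $effective.MinPasswordLength
            MaxAgeDays   = $effective.MaxPasswordAge.Days
            LockoutAfter = $effective.LockoutThreshold
        }
    } | Format-Table -AutoSize
```

The per-user table is the part worth keeping in a regular review: an administrator who was removed from the group a PSO is linked to silently drops back to the Default Domain Policy, and nothing in ADAC will tell you. The precedence warning matters for the same reason; a tie is resolved by GUID, which is not something anyone designed.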

Limitations of Microsoft FGPP

We've walked through how to create a FGPP in your Active Directory, but it's important to also understand the limitations. You're unable to create custom dictionary lists, so you have no way to block words and phrases relevant to your organization. FGPP also lacks the ability to find and remove compromised passwords already in use, or to block passwords being used in attacks taking place in real time.

You'll have additional work to do to meet cybersecurity requirements, as there are no password policy templates for guidance such as NIST and NCSC, nor any dedicated reporting options. Out-of-the-box FGPP and the Windows client also add nothing for the end user: there is no dynamic feedback at the password change stage and no option for you to customize notification messages.

Specops Password Policy: An improved option

While we still have to live with passwords there are more versatile, user friendly, and feature rich solutions available. Specops Password Policy comes with templates that allow you to follow the latest NIST and NCSC guidelines and gives true fine-grained control over any password policy requirements that you may need to apply to your organization. You can create an unlimited custom dictionary specific to your organization, on top of stopping people using weak passwords such as their names (full or partial), incremental passwords, or common character substitutions.

See how Fine-Grained Password Policies stack up on complexity rules, expiry and more here

The Breached Password Protection (BPP) feature also continuously checks and blocks over 4 billion unique compromised passwords – including daily additions of passwords being used in live attacks, as well as passwords obtained by malware. Specops Password Policy also gives your users a better, more helpful experience, with customizable email notifications. Real-time dynamic feedback then guides users to create memorable, secure passphrases during password changes. Length-based aging also encourages users to create better passwords, as longer more secure passphrases will not have to be changed as often as shorter, weaker ones.

Try Specops Password Policy for free today.

(Last updated on October 8, 2024)


Written by

Darren James

Darren James is a Senior Product Manager at Specops Software, an Outpost24 company. Darren is a seasoned cybersecurity professional with more than 20 years of experience in the IT industry. He has worked as a consultant across various organizations and sectors, including central and local governments, retail and energy. His areas of specialization include identity and access management, Active Directory, and Azure AD. Darren has been with Specops Software for more than 12 years and brings his expertise to the support and development of world-class password security and authentication solutions. 
