Summary
- Steps to create Fine Grained Password Policy
- Link the Fine Grained Password Policy to specific User or Group
Steps to create Fine Grained Password Policy
Follow the steps below to create a fine-grained password policy (FGPP). Active Directory stores each policy as a Password Settings Object (PSO) of class msDS-PasswordSettings under CN=Password Settings Container,CN=System, and FGPPs require a domain functional level of Windows Server 2008 or higher.
- Launch the ADSI Edit console on a domain controller by running ADSIEdit.msc from a command prompt or the Run window.
- Open the Action menu (or right-click the ADSI Edit root node) and click Connect to.
- In the Connection Settings dialog box, keep the defaults (Default naming context) and click OK.
- Within ADSI Edit, expand your domain down to CN=System so that you can see the containers under this node.
- Right-click CN=Password Settings Container.
- Select New > Object and choose msDS-PasswordSettings as the class of the object to create.
Fill in the following values in the subsequent windows of the wizard and create the new fine-grained password policy. The first prompt, cn, is the name of the policy object; the remaining prompts are the attributes below. The age, window and duration attributes are Int64 values counted in 100-nanosecond intervals and must be entered as negative numbers (one day is 24 x 60 x 60 x 10,000,000 = 864000000000 intervals):
msDS-PasswordSettingsPrecedence : 10 (when more than one PSO applies to a user, the lowest precedence value wins)
msDS-PasswordReversibleEncryptionEnabled : False
msDS-PasswordHistoryLength : 24
msDS-PasswordComplexityEnabled : True
msDS-MinimumPasswordLength : 15
msDS-MinimumPasswordAge : -864000000000 (minimum password age: 1 day)
msDS-MaximumPasswordAge : -36288000000000 (maximum password age: 42 days)
msDS-LockoutThreshold : 30 (number of bad password attempts before the account is locked out)
msDS-LockoutObservationWindow : -18000000000 (time after which the bad password counter is reset: 30 minutes)
msDS-LockoutDuration : -18000000000 (how long the account stays locked out once the threshold is reached within the observation window: 30 minutes; this must be greater than or equal to the observation window)
Link the Fine Grained Password Policy to specific User or Group
To link the fine-grained password policy to the right user or group, set the msDS-PSOAppliesTo attribute on the PSO. Only user objects and global security groups are valid targets; a PSO cannot be linked to an OU, so to cover an OU put its users into a global security group. To see all attributes, enable View > Advanced Features in ADUC (this also exposes the Attribute Editor tab and the System container); ADSI Edit shows every attribute by default, as in the image below.
In the attribute list for your FGPP/PSO, scroll down to the msDS-PSOAppliesTo entry and double-click it to open the Multi-valued Distinguished Name With Security Principal Editor dialog box, then add your object to the editor. Here, I have added the group DevGroup.
To verify that a user in DevGroup gets the expected password policy, open the user's (DevUser) properties window in ADUC and look at the msDS-ResultantPSO attribute on the Attribute Editor tab. It is a constructed attribute holding the distinguished name of the winning PSO (if it is not listed, click Filter and make sure Constructed attributes are shown); it is empty when no PSO applies to the user, in which case the Default Domain Policy settings are in effect.
You have now created a fine-grained password policy and linked it to a user through the user's group membership.
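The create, link and verify steps from both sections above, as an added PowerShell example that is not part of the original post. It uses the ActiveDirectory module cmdlets (available on a domain controller or with RSAT installed) instead of ADSI Edit, reads back the raw attribute values so they can be compared with the numbers typed into ADSI Edit, and checks the group scope before linking. The PSO name DevPSO is an assumption; DevGroup and DevUser are the names used in the text.

```powershell
# Added example, not from the original post: the ADSI Edit walkthrough as
# ActiveDirectory-module cmdlets. The PSO name 'DevPSO' is an assumption;
# 'DevGroup' and 'DevUser' are the names used in the text above.
Import-Module ActiveDirectory

$psoName   = 'DevPSO'
$groupName = 'DevGroup'
$userName  = 'DevUser'

# FGPPs need a domain functional level of Windows Server 2008 or higher.
$domain = Get-ADDomain
if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level $($domain.DomainMode) is too low for fine-grained password policies"
}

# 1. Create the PSO with the same settings as the ADSI Edit steps. The cmdlet
#    takes TimeSpans; AD stores them as negative Int64 counts of 100 ns, which
#    is where -864000000000 (1 day) and -18000000000 (30 minutes) come from.
$pso = New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 42) `
    -LockoutThreshold 30 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true `
    -PassThru

# Read back the raw attribute values to compare with the numbers entered in
# ADSI Edit (a TimeSpan's Ticks are the same 100 ns unit, stored negated).
$raw = Get-ADObject -Identity $pso.DistinguishedName -Properties 'msDS-MinimumPasswordAge', 'msDS-MaximumPasswordAge', 'msDS-LockoutObservationWindow', 'msDS-LockoutDuration'
$raw | Format-List 'msDS-*'
if ($raw.'msDS-MinimumPasswordAge' -ne -(New-TimeSpan -Days 1).Ticks) {
    throw 'Stored minimum password age does not match the expected -864000000000'
}

# 2. Link the PSO. msDS-PSOAppliesTo accepts users and global security groups
#    only, so check the group before adding it as a subject.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$groupName must be a global security group to be a PSO subject"
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# 3. Verify the resultant policy for a user in the group. This is the same
#    check as reading msDS-ResultantPSO in ADUC; when several PSOs apply, the
#    lowest precedence value wins.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $userName
if ($null -eq $resultant) {
    Write-Warning "$userName has no PSO; the Default Domain Policy applies. Check the user's group membership."
} elseif ($resultant.DistinguishedName -eq $pso.DistinguishedName) {
    Write-Output "OK: $userName resolves to $($resultant.Name) (precedence $($resultant.Precedence))"
} else {
    Write-Warning "$userName resolves to $($resultant.Name) (precedence $($resultant.Precedence)), which outranks $psoName"
}
```

Run this in an elevated PowerShell session as a user with rights to create objects under the Password Settings Container (Domain Admins by default). If the final check reports the Default Domain Policy, the user is not a member of the linked group or the change has not replicated to the domain controller you are querying yet.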
Thanks,
Morgan
Software Developer