How to create Fine Grained Password Policy

In this article I am going to explain how to create a Fine Grained Password Policy (also called a custom password policy, or a Password Settings Object, PSO) through the ADSI Edit management console, and how to link that policy to a specific user or group.

Summary

  1. Steps to create Fine Grained Password Policy
  2. Link the Fine Grained Password Policy to specific User or Group

Steps to create Fine Grained Password Policy

Follow the steps below to create a fine grained password policy.

  1. Launch the ADSI Edit management console on your DC by running ADSIEdit.msc from the command line or the Run window.
  2. Select the View toolbar menu option, then click on the Connect to option.
  3. In the Connection Settings dialog box click the OK button.
  4. Within ADSIEdit, expand the view of your domain down to the CN=System, so you can see the contents available under this node.
  5. Right-click on the CN=Password Settings Container.
  6. Select the option to Create | Object.
Refer to the screenshot below:
[Screenshot: create fine grained password policy]

Fill in the following values in the subsequent windows to create the new fine grained password policy. Note that the age, observation window and lockout duration attributes are stored as negative numbers of 100-nanosecond intervals, which is why the values below look so large.

CN : DevPasswordPolicy

msDS-PasswordSettingsPrecedence : 10

msDS-PasswordReversibleEncryptionEnabled : False

msDS-PasswordHistoryLength : 24

msDS-PasswordComplexityEnabled : True

msDS-MinimumPasswordLength : 15

msDS-MinimumPasswordAge : -864000000000 (minimum password age: one day)

msDS-MaximumPasswordAge : -36288000000000 (maximum password age: 42 days)

msDS-LockoutThreshold : 30

msDS-LockoutObservationWindow : -18000000000 (elapsed time before the bad-password counter is reset: 30 minutes)

msDS-LockoutDuration : -18000000000 (if the lockout threshold is reached within the observation window, how long the account remains locked out: 30 minutes)

Link the Fine Grained Password Policy to specific User or Group

In order to link the fine grained password policy to the correct user or group, you will need to set the attribute msDS-PSOAppliesTo on the policy object. To see all of the attributes, make sure that Show Attributes is enabled in ADUC or ADSI Edit, as in the image below.

[Screenshot: attribute list of the password settings object]

In the attribute list for your FGPP/PSO, scroll down to the msDS-PSOAppliesTo entry and double-click it to open the Multi-valued Distinguished Name With Security Principal Editor dialog box. Then add your user or group to the editor. Here, I have added the group DevGroup.

[Screenshot: msDS-PSOAppliesTo editor with DevGroup added]

To verify that a user in DevGroup has received the correct password policy, open the properties window of the user [DevUser] in ADUC and look at the msDS-ResultantPSO attribute; it should point to the DevPasswordPolicy object.

[Screenshot: msDS-ResultantPSO attribute of DevUser]
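The same policy created, linked to DevGroup and verified for DevUser with the ActiveDirectory PowerShell module instead of ADSI Edit, as an added example that is not part of the original article; it assumes the module is installed, that DevGroup and DevUser already exist, and the precedence-collision check and tick conversions are my additions.

```powershell
# Added example (not from the original article): build DevPasswordPolicy with the
# same values as the ADSI Edit walkthrough, link it, and verify the result.
# Assumes RSAT/ActiveDirectory module, Domain Admin rights, DevGroup and DevUser exist.
Import-Module ActiveDirectory

$psoName    = 'DevPasswordPolicy'
$group      = 'DevGroup'
$user       = 'DevUser'
$precedence = 10

# Two PSOs with the same precedence are tie-broken by objectGUID, which makes
# the effective policy hard to reason about, so refuse to create a duplicate.
$clash = Get-ADFineGrainedPasswordPolicy -Filter * |
         Where-Object { $_.Precedence -eq $precedence }
if ($clash) { throw "Precedence $precedence is already used by $($clash.Name)" }

# The cmdlets take TimeSpans; ADSI Edit wants negative 100-ns ticks.
# These TimeSpans correspond exactly to the raw values used in the article.
$minAge = New-TimeSpan -Days 1      # .Ticks = 864000000000   (article: -864000000000)
$maxAge = New-TimeSpan -Days 42     # .Ticks = 36288000000000 (article: -36288000000000)
$window = New-TimeSpan -Minutes 30  # .Ticks = 18000000000    (article: -18000000000)

New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence $precedence `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 -MinPasswordLength 15 `
    -MinPasswordAge $minAge -MaxPasswordAge $maxAge `
    -LockoutThreshold 30 -LockoutObservationWindow $window -LockoutDuration $window

# Linking populates msDS-PSOAppliesTo on the PSO, the step done by hand above.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify from the user's side: this resolves the same thing ADUC shows in
# msDS-ResultantPSO. $null means the default domain policy still applies.
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if (-not $effective -or $effective.Name -ne $psoName) {
    Write-Warning "$user does not resolve to $psoName; check group membership and precedence."
} else {
    "$user is governed by $psoName (min length $($effective.MinPasswordLength), " +
    "lockout after $($effective.LockoutThreshold) bad attempts)"
}
```

Run it once; re-running will throw on the precedence check, which is the intended guard against silently creating a second policy with the same precedence.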

Now you have successfully created a fine grained password policy and linked it to a group, and therefore to the users in that group.

Thanks,
Morgan
Software Developer
