How to Configure Fine-Grained Password Policies on Windows Server 2016


In this blog post, I’ll show you how to configure Fine-Grained Password Policies in a Windows Server 2016 Active Directory infrastructure.

Fine-Grained Password Policies allow us to create very strict password and lockout policies and apply them to specific users and global security groups, so that special accounts can be protected without modifying the global password policy.


It also allows us to secure special accounts and users without modifying the global password policy.

Before the release of Fine-Grained Password Policies, we couldn’t apply different policies to service accounts or administrative accounts without changing the global policy. The only way to avoid it was to create a new Group Policy, link it to an OU where all those users were located, and block any other policy from applying to that OU.

That was a very difficult workaround that was hard to manage.

With Fine-Grained Password Policies, we create the policy in the Active Directory Administrative Center (ADAC) and add users to it without touching the default password policy.

Fine-Grained Password Policies have a few limitations, which I’ve listed below:

  • They can only be applied to users and global security groups
  • You can’t apply them to OUs, domains, sites, etc.
  • The domain functional level needs to be Windows Server 2008 or above
  • You can only use the Active Directory Administrative Center and PowerShell to manage them

To get started, open ADAC, enable Tree View in the console and go to:

CN=Password Settings Container,CN=System,DC=test,DC=local

In the Password Settings Container, right-click, click New, and fill in the details of the new policy.

As you can see, the options are very good and we can create a very secure policy.


You will also notice that we can set up lockout options too, and integrate the password policy with a strong lockout policy in a single menu.

Once you have set all the settings, simply add the users to the policy and click Apply.

You can create multiple policies and apply them to users and groups (dynamic and regular).

To view the policies using PowerShell, run the cmdlet below:

Get-ADFineGrainedPasswordPolicy -Filter *
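The same steps can be done entirely from PowerShell. The script below is an added example and is not part of the original post: it creates a strict policy, applies it to a global security group, and then verifies which policy actually wins for one of the group members. The policy name, the group Tier0-Admins and the user svc-backup are placeholder names I chose for the example; the domain is the test.local domain from the ADAC path above.

```powershell
# Added example (not from the original post): create a strict fine-grained
# password policy, apply it to a global security group, and verify the result.
# Assumptions: the ActiveDirectory RSAT module is installed, you run this as a
# Domain Admin in the test.local domain shown above, and the group
# "Tier0-Admins" and user "svc-backup" are placeholder names that already exist.

Import-Module ActiveDirectory

# 1. Create the policy. When several policies target the same user, the one
#    with the LOWEST Precedence value wins, so reserve small numbers for the
#    strictest policies.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' `
    -DisplayName 'Privileged accounts - strict policy' `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -ProtectedFromAccidentalDeletion $true

# 2. Apply it. Only users and global security groups are valid subjects;
#    passing an OU or a domain-local group here will fail.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' `
    -Subjects 'Tier0-Admins'

# 3. Check which policy actually applies to a member of that group.
#    This cmdlet returns nothing when only the Default Domain Policy applies,
#    which is the quickest way to spot a privileged account that was missed.
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# 4. List every policy together with the users and groups it is applied to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, AppliesTo
```

Step 3 is the check worth keeping in a scheduled script: a member of a sensitive group for whom Get-ADUserResultantPasswordPolicy returns nothing is still on the default domain policy, and that is exactly the gap the fine-grained policy was meant to close.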
