How to check fine-grained password policy
For the first 8 years of Active Directory, the only native way of having multiple password policies in your AD forest, was to have multiple domains. When Windows Server 2008 arrived on the scene, Microsoft introduced the concept of fine-grained password policies (FGPP), which allowed different policies within the same domain. Show Traditionally, the Default Domain Policy is where the standard password policy settings are configured. It is somewhat strangely done under the Computer Configuration area of that GPO, posing a problem when wanting to apply different password policies to different users. So, to move away from using Group Policy, the concept of a Password Settings Container in AD, and applying the FGPP’s by AD security group, rather than a GPO linked to an OU, was introduced. The original interface to configure FGPP was horrible. You had to use scary tools such as Adsiedit.msc, or helpful third party tools such as Specops Password Policy Basic. However, with the advent of Server 2012, a different configuration tool (written in PowerShell) was introduced – Active Directory Administrative Center (ADAC), which is what we are going to use to evaluate what FGPP can offer you. Accessing the Active Directory Administration Center to Adjust Fine-Grained Password PoliciesYou can find ADAC under the Windows Administrative Tools. If you have domain admin level privileges, you will see “system\Password Settings Container” underneath your domain name on the left. If you select that link you will see that you can choose New>Password Settings on the right. The following configuration interface will be launched. You have the same basic options in here, as you do in the Default Domain Policy:
You can find the Password Settings Container in Active Directory Users and Computers. If you have enabled Advanced Features, you will find it under the System container. If there is an object in here, you can view its properties and configured settings under the Attribute Editor tab. As you can see, it is not exactly “fine-grained” password policy. Complexity is either on or off. Interestingly, even Microsoft now regards the complexity settings as anti-security. Configuring Fine-Grained Password Policies Using PowershellIn Active Directory, you can manage fine-grained password policies (PSOs) using Powershell, though the Active Directory PowerShell module must be installed on our computer in order to do so. To create a new PSO, use New-ADFineGrainedPasswordPolicy cmdlet:
Next, assign a password policy to a user group using:
Change the PSO policy settings using:
List all FGPP policies in a domain:
Use the Get-ADUserResultantPasswordPolicy command to get the resulting password policy that applies to a specific user.
The name of the PSO that applies to the user is specified in the Name field. You can display the list of PSO policies assigned to an Active Directory group using the Get-ADGroup cmdlet:
To show the default password policy settings from the Default Domain Policy GPO, run the command:
While we still have to live with passwords there are more versatile, user friendly, and feature rich solutions available. Specops Password Policy allows you to follow the latest NIST and NCSC guidelines, and gives true fine-grained control over any password policy requirements that you may need to apply to your organization e.g. block weak passwords, enforce a passphrase, disallow incremental passwords or block consecutive identical characters. Mar 29, 2018 (Last updated on November 21, 2022) Tags: Active Directory, fine-grained password policy, password complexity, password policy Darren JamesDarren James is a Product Specialist and cyber security expert at Specops Software. He works as a lead IT engineer to help customers reduce costs, improve security and increase productivity. He holds Microsoft certifications within IT Service Management, O365, Enterprise Administrator, Server Administrator and Security. Darren has more than 25 years’ experience working in technical IT roles, centering around Active Directory, IT security, cloud, larger-scale migrations, integrations and identity and success management. What is fineActive Directory comes bundled with a default password policy that defines configurable rules for user account password creation. The rules include minimum and maximum password age, length, complexity, history, and encryption settings.
Where is fineUnlike the default password and account lockout domain policies, Fine-Grained Password Policies are set in password settings objects (PSO) in AD and not using Group Policy. There are two main ways you can configure PSOs: Using the Active Directory Administrative Center (ADAC) Using PowerShell.
|