Welcome to Dirteam.com/ActiveDir.org Blogs Sign in | Join | Help

The things that are better left unspoken

a blog by Sander Berkouwer

Related

AD Manager Plus
 

Blog roll

News



Archives

New features in Active Directory Domain Services in Windows Server 2012, Part 7: Fine-grained Password Policy GUI

Microsoft introduced the concept of Fine-grained Password Policies in Active Directory back in Windows Server 2008. From that day on, Active Directory admins could granularly roll out Password and Account Lockout Policies to groups and individual users. It was, however, such a painful experience, that many books suggested to use the free SpecOps Password Policy Basic tool to set fine-grained password policies, instead of using the built-in PowerShell commands.

   

What’s New

Now, in Windows Server 2012, the Active Directory team has finally created a Graphical User Interface (GUI) for Fine-grained Password Policies. Just as the Active Directory PowerShell History Viewer and the Active Directory Recycle Bin, it’s part of the Active Directory Administrative Center.

Note:
There are no changes under the hood for Fine-grained Password Policies. These policies are still only applicable to user objects and groups, not OUs.

Creating a Fine-grained Password Policy in the GUI

If you want to, you can create a Fine-grained Password Policy without a link within the Active Directory Administrative Center. For this purpose, open the Active Directory Administrative Console, using an account with sufficient permissions to create Fine-grained Password Policies.

In the left navigation pane, head to the System container under the domain root and from there drill deeper until you reach the Password Settings Container. This is where Fine-grained Password Policies live in Active Directory:

ADACFGPPContainer

Now, you can use the New and then Password Settings commands from the task pane on the right, or simply right-click within the middle pane and make the same selections from the context menu to create a Fine-grained Password Policy.

ADACCreateFGPPinContainer

In the Create Password Settings screen, you can give the Fine-grained Password Policy a meaningful name and a Precedence. (both fields are mandatory.)

Tip!
Precedence allows you to give Fine-grained Password Policies priority over other Fine-grained Password Policies. Fine-grained Password Policies applied to users directly always take precedence over Fine-grained Password Policies  applied to groups the user is a member of. If you work with multiple Fine-grained Password Policies, make sure the most important ones have value 1.

In the Directly Applies To section you can specify groups and/or users that will be subject to this Fine-grained Password Policy.

Assigning a Password Policy to a user in the GUI

To assign a Fine-grained Password Policy directly to a user, open the properties of a user account in the Active Directory Administrative Center. In the left pane, select Password Settings. Use the Assign… button to select a Fine-grained Password Policy:

Assign a Fine-grained Password Policy to a user in the Active Directory Administrative Center (click for larger screenshot)

Use the Check Names functionality to make picking easier and click OK when done.

Assigning a Password Policy to a group in the GUI

Assigning a Fine-grained Password Policy to a group is as straight-forward as assigning a Fine-grained Password Policy to a user. Open the properties of a group, scroll down to the Password Settings, or click it in the left pane and add/remove Password policies, as you seem fit:

Assign a Fine-grained Password Policy to a group in the Active Directory Administrative Center (click for larger screenshot)

View resultant password settings for a user

If, at any time, you’re unclear which Fine-grained Password Policy applies to a user, use the built-in capabilities of the Active Directory Administrative Center to view the resultant password settings. For this feature, simply right-click a user, and select View resultant password settings… from the context menu:

ADACResultantPasswordSettings

This command will open the applied Fine-grained Password Policy for the user object.

    

Concluding

With the availability of managing Fine-grained Password Policies from the Graphical User Interface (GUI) of the Active Directory Administrative Center (ADAC), it has become much easier to manage password and lockout settings for (groups of) users.

Related posts

Creating and managing fine-grained password policies

Further reading

Specops Password Policy Basic  
Creating fine grained password policies through GUI Windows server 2012 
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide 
Create a New Fine-Grained Password Policy using Windows PowerShell  
Windows Server 8 - Fine-Grained Password Policies 
Configuring Password Policies with Windows Server 2012  
Creating fine grained password policies through GUI Windows server 2012   
FGPP at Windows 8 server

Posted: Tuesday, September 04, 2012 10:15 AM by Sander Berkouwer

Comments

Upon Closer Inspection: Active Directory Password Quality Rules : PistolStar’s Authentication Blog said:

The latest incarnation of Active Directory and you can now set Fine-grained password policies using a GUI instead of PowerShell (link). Sweet! Now you can “point and click” your way through the following password quality rules:

  • Password history
  • Minimum password length
  • Microsoft’s proprietary complexity designation
# February 15, 2013 11:58 PM
Anonymous comments are disabled