One strange thing that still catches a lot of people out is that a domain can have only one password policy for its users. Administrators link a GPO with password settings to an OU, expecting it to apply to all the users in that OU... but it doesn't: only the GPO linked at the domain level counts. Microsoft did introduce Fine-Grained Password Policies with Windows Server 2008, however a Password Settings Object can only be applied to user objects or global security groups (not to an OU), and you still need the very un-user-friendly ADSI Edit tool to create and change it.
Below I will go through how you change the default domain password policy and how you then apply a fine-grained password policy to your environment. The good news is that setting the default password policy for a domain is really easy. The bad news is that setting a fine-grained password policy is really hard.
Update: If you want to enforce a password complexity rule that Windows does not support out of the box, it is possible to install a third-party password filter DLL on your domain controllers to achieve this. There are many caveats, though: a password filter is loaded into LSASS on every domain controller, so a faulty or malicious filter can crash or compromise the DC and it must be installed on all of them. It is best you check out the full explanation at http://blogs.technet.com/b/askds/archive/2011/08/05/friday-mail-sack-beard-seconds-edition.aspx#password
How to set a Default Domain Password Policy
Step 1. Create a new Group Policy Object linked at the top level of the domain (e.g. "Domain Password Policy").
Note: I have elected to create a new GPO at the top of the domain in this case as I always try to avoid modifying the "Default Domain Policy", see references below.
If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option.
Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.
Step 2. Edit the "Domain Password Policy" GPO, go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy and configure the password policy settings to the configuration you desire. (The Account Lockout Policy node next to it follows the same domain-level rule, so set it in the same GPO.)
Step 3. Once you have configured the password policy settings, move the "Domain Password Policy" GPO to the top of the Linked GPO processing order (link order 1) so that it wins over the Default Domain Policy.
TIP: Make sure you inform all your users when you are going to do this as it may trigger them to change their password the next time they logon.
Done... told you it was easy...
Note: Even if you link a GPO with password policy settings to the "Domain Controllers" OU it will not modify the domain's password policy. As far as I know this is the only exception to the rule as to how GPOs apply to objects. As you can see in the image below, the "Minimum password length" from the "Domain Password Policy" GPO is still the one applied to the domain controller, even though I have another GPO linked to the "Domain Controllers" OU configuring the same setting.
For a better explanation of why the GPO linked to the domain, and not the one linked to Domain Controllers, is the one used as the password policy for all users, check out Jorge's Quest for Knowledge! – Why GPOs with Password and Account Lockout Policy Settings must be linked to the AD domain object to be effective on AD domain user accounts
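As an added example (not code from the original post), the following PowerShell reads the password and lockout settings that are actually in force for the domain's accounts straight from the domain naming-context head object. That object is where the PDC emulator writes the values it takes from the GPO linked at the domain level; a GPO linked to an OU, including Domain Controllers, never reaches these attributes, which is the mechanism behind the note above. It assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) on a domain-joined host; the pwdProperties flag values are taken from the AD schema.

```powershell
# Added example, not code from the original post. Reads the password and
# lockout policy in force for domain accounts from the domain NC head object,
# then compares it with the cmdlet view of the same data.
# Assumes the ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# pwdProperties on the domain head is a bit field; flag values from the AD schema.
$PwdFlags = @{
    DOMAIN_PASSWORD_COMPLEX         = 1
    DOMAIN_PASSWORD_NO_ANON_CHANGE  = 2
    DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 4
    DOMAIN_LOCKOUT_ADMINS           = 8
    DOMAIN_PASSWORD_STORE_CLEARTEXT = 16   # reversible encryption enabled
    DOMAIN_REFUSE_PASSWORD_CHANGE   = 32
}

# Ages and windows are stored as negative 100-nanosecond intervals;
# Int64.MinValue means "never" (for example, maximum password age not enforced).
function Convert-AdInterval([Int64]$Value) {
    if ($Value -eq 0) { return [TimeSpan]::Zero }
    if ($Value -eq [Int64]::MinValue) { return 'never' }
    return [TimeSpan]::FromTicks(-$Value)
}

function Get-DomainHeadPasswordPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dn    = (Get-ADDomain -Identity $Domain).DistinguishedName
    $attrs = 'minPwdLength', 'pwdHistoryLength', 'minPwdAge', 'maxPwdAge',
             'pwdProperties', 'lockoutThreshold', 'lockOutObservationWindow', 'lockoutDuration'
    $head  = Get-ADObject -Identity $dn -Properties $attrs

    $flags = $PwdFlags.GetEnumerator() |
        Where-Object { ($head.pwdProperties -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }

    [pscustomobject]@{
        Domain                   = $Domain
        MinPasswordLength        = $head.minPwdLength
        PasswordHistoryLength    = $head.pwdHistoryLength
        MinPasswordAge           = Convert-AdInterval $head.minPwdAge
        MaxPasswordAge           = Convert-AdInterval $head.maxPwdAge
        ComplexityEnabled        = ($head.pwdProperties -band 1) -ne 0
        ReversibleEncryption     = ($head.pwdProperties -band 16) -ne 0
        LockoutThreshold         = $head.lockoutThreshold
        LockoutObservationWindow = Convert-AdInterval $head.lockOutObservationWindow
        LockoutDuration          = Convert-AdInterval $head.lockoutDuration
        PwdPropertyFlags         = ($flags -join ', ')
    }
}

# Raw view from the domain head and the cmdlet view; the two must agree.
Get-DomainHeadPasswordPolicy | Format-List
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
                MaxPasswordAge, LockoutThreshold, LockoutDuration
```

After changing the domain-linked GPO, run `gpupdate /force` on the PDC emulator and re-run the check: if the new minimum length does not show up on the domain head, the GPO is not linked at the domain level or is losing to a higher-ranked GPO, and no amount of OU linking will fix that.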
How to set a Fine Grain Password Policy
Fine-Grained Password Policies (FGPP) were introduced as a new feature of Windows Server 2008. Before this the only way to have different password policies for the users in your environment was to have separate domains... OUCH!
Your domain functional level must be Windows Server 2008, which means ALL of your domain controllers must be running Windows Server 2008 or later. You can check this by selecting "Raise domain functional level" on the domain in Active Directory Users and Computers.
The domain functional level must be Windows Server 2008.
The other restriction with this option is that you can only apply a FGPP to user objects or to global security groups (not to computers, OUs, or domain local and universal groups).
Fine-grained password policies apply only to user objects â€¦ and global security groups.
TIP: If you set up an "automatic shadow group" (a global security group whose membership is kept in sync with the users in an OU by a scheduled script) you can apply a PSO automatically to any users located in that OU.
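Here is an added example (not code from the original post) of the shadow-group approach: a PSO can only target users or global security groups, so this script keeps a global group's membership equal to the set of user accounts in an OU, adding users who appear there and removing users who have been moved out. It assumes the ActiveDirectory module; the OU and group names are placeholders.

```powershell
# Added example, not code from the original post: keep a global security
# group in sync with the users in an OU so a PSO applied to the group
# effectively applies to the OU. Run on a schedule. Assumes the
# ActiveDirectory module; OU and group names below are placeholders.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory=$true)][string]$OU,          # e.g. 'OU=Finance,DC=contoso,DC=com'
        [Parameter(Mandatory=$true)][string]$GroupName,   # global security group the PSO targets
        [switch]$WhatIf
    )

    $group = Get-ADGroup -Identity $GroupName
    # Only global security groups are valid PSO targets; refuse anything else.
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        throw "$GroupName must be a global security group (is $($group.GroupScope)/$($group.GroupCategory))."
    }

    # Users currently in the OU (and child OUs) versus users currently in the group.
    $wanted  = @(Get-ADUser -Filter * -SearchBase $OU -SearchScope Subtree)
    $current = @(Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' })

    $wantedDns  = @($wanted  | ForEach-Object { $_.DistinguishedName })
    $currentDns = @($current | ForEach-Object { $_.DistinguishedName })

    $toAdd    = @($wanted  | Where-Object { $currentDns -notcontains $_.DistinguishedName })
    $toRemove = @($current | Where-Object { $wantedDns  -notcontains $_.DistinguishedName })

    if ($toAdd.Count -gt 0) {
        Add-ADGroupMember -Identity $group -Members $toAdd -WhatIf:$WhatIf
    }
    if ($toRemove.Count -gt 0) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false -WhatIf:$WhatIf
    }

    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Dry run first; drop -WhatIf once the counts look right.
Sync-ShadowGroup -OU 'OU=Finance,DC=contoso,DC=com' -GroupName 'PSO-Finance-Users' -WhatIf
```

Because removal is automatic, a user moved out of the OU silently falls back to the domain password policy (or whichever other PSO still applies to them), so log the Added/Removed counts from each run and review anything unexpected.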
Creating a Password Setting Object (PSO)
Step 1. Under Administrative Tools open ADSI Edit and connect to the default naming context of the domain, on the domain controller where you want to create the new password policy.
Note: If you do not see this option go to "Turn Windows Features On or Off" and make sure the "AD DS and AD LDS Tools" are installed. (You will also need RSAT installed if you are on Windows 7.)
Step 2. Double click on the domain naming context (e.g. "DC=contoso,DC=com"), then double click on "CN=System" and then double click on "CN=Password Settings Container".
Step 3. Right click on "CN=Password Settings Container" and then click on "New" then "Object..."
Step 4. The only class offered is "msDS-PasswordSettings"; select it and click on "Next"
Step 5. Type the name of the PSO in the "Value" field (this is the "cn" attribute) and then click "Next"
Note: With the exception of the minimum password length (5 rather than 7) and the lockout settings (the Default Domain Policy ships with an account lockout threshold of 0, i.e. no lockout), the following values are the same as the defaults in the "Default Domain Policy". The wizard prompts for the mandatory attributes one at a time, in the order below; durations are entered as d:hh:mm:ss.
Step 6. (msDS-PasswordSettingsPrecedence) Type in a number that will be the Precedence for this Password Policy then click "Next".
Note: This is used if a user has multiple Password Settings Objects (PSO) applied to them: a PSO linked directly to the user wins over one linked via a group, and among PSOs of the same kind the one with the lowest precedence value wins. Leave gaps between the numbers you use so later policies can be slotted in.
Step 7. (msDS-PasswordReversibleEncryptionEnabled) Type "FALSE" in the value field and click "Next"
Note: You should almost never use "TRUE" for this setting; it stores the password in a form that is recoverable as plain text, which is only needed by a few legacy authentication methods.
Step 8. (msDS-PasswordHistoryLength) Type "24" in the "Value" field and click "Next"
Step 9. (msDS-PasswordComplexityEnabled) Type "TRUE" in the "Value" field and click "Next"
Step 10. (msDS-MinimumPasswordLength) Type "5" in the "Value" field and click "Next"
Step 11. (msDS-MinimumPasswordAge) Type "1:00:00:00" in the "Value" field and click "Next"
Step 12. (msDS-MaximumPasswordAge) Type "42:00:00:00" in the "Value" field and click "Next"
Step 13. (msDS-LockoutThreshold) Type "10" in the "Value" field and click "Next"
Step 14. (msDS-LockoutObservationWindow) Type "0:00:30:00" in the "Value" field and click "Next"
Step 15. (msDS-LockoutDuration) Type "0:00:33:00" in the "Value" field and click "Next". The lockout duration must be at least as long as the observation window or the object will be rejected.
Step 16. Click "Finish"
You have now created the Password Settings Object (PSO) and you can close the ADSI Edit tool.
Now to apply the PSO to a user or group...
Step 17. Open Active Directory Users and Computers and navigate to "System > Password Settings Container"
Note: "Advanced Features" needs to be enabled on the View menu, otherwise the System container is hidden.
Step 18. Double click on the PSO you created, click on the "Attribute Editor" tab, then select the "msDS-PSOAppliedTo" attribute and click "Edit"
Step 19. Click the "Add Windows Account..." button.
Step 20. Select the user or global security group you want to apply this PSO to and click "OK"
Step 21. Click "OK"
Step 22. Click "OK"
And you are done... (told you it was hard).
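As an added example (not code from the original post), the same PSO that the ADSI Edit walkthrough above builds, created and applied with the ActiveDirectory module instead, followed by the check that tells you which PSO actually wins for a given user. This assumes the module's fine-grained password policy cmdlets (available from the Windows Server 2008 R2 RSAT onwards); the PSO, group and user names are placeholders.

```powershell
# Added example, not code from the original post: create the walkthrough's
# PSO with PowerShell, apply it to a global security group, and verify the
# resultant policy per user. Assumes the ActiveDirectory module (2008 R2+);
# all names are placeholders.
Import-Module ActiveDirectory

function New-WalkthroughPso {
    param(
        [string]$Name       = 'PSO-Finance',
        [int]   $Precedence = 10,
        [string]$GroupName  = 'PSO-Finance-Users'   # must be a global security group
    )
    # Same values as steps 6 to 15 of the ADSI Edit walkthrough.
    $pso = New-ADFineGrainedPasswordPolicy -Name $Name `
        -Precedence $Precedence `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -MinPasswordLength 5 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 42) `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 33) `
        -PassThru

    # Equivalent of editing msDS-PSOAppliedTo in the Attribute Editor (steps 17 to 22).
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $GroupName
    return $pso
}

# Which policy does AD actually enforce for this user? Returns nothing when no
# PSO applies, in which case the domain-level GPO settings are in force.
function Test-ResultantPolicy {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($rsop) {
        "{0}: PSO '{1}' (precedence {2}) applies, min length {3}, lockout after {4} attempts" -f `
            $SamAccountName, $rsop.Name, $rsop.Precedence, $rsop.MinPasswordLength, $rsop.LockoutThreshold
    } else {
        "{0}: no PSO applies; the domain password policy is in force" -f $SamAccountName
    }
}

# Audit every PSO: who it is applied to, and whether two PSOs share a precedence
# (a tie is broken by object GUID, which is rarely what anyone intended).
function Get-PsoAudit {
    $psos = @(Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo)
    $psos | Group-Object Precedence | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning ("Precedence {0} is shared by: {1}" -f $_.Name, (($_.Group | ForEach-Object { $_.Name }) -join ', '))
    }
    $psos | Sort-Object Precedence | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold,
        @{ n = 'AppliesTo'; e = { @($_.AppliesTo | ForEach-Object { (Get-ADObject -Identity $_).Name }) -join ', ' } }
}

New-WalkthroughPso | Out-Null
Test-ResultantPolicy -SamAccountName 'jsmith'
Get-PsoAudit | Format-Table -AutoSize
```

Get-ADUserResultantPasswordPolicy is the check worth keeping: it resolves group membership and precedence the same way the DC does, so it is the quickest way to prove a PSO applied through a shadow group is actually reaching the users you expect, and that the "lowest precedence wins" rule has not handed a sensitive group a weaker policy than the domain default.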
Other Useful Links