Hello Friends, if we talk about Domain Password Policy then you all know it very well that it is common for all domain user accounts inside a domain. But if I want to get different password policy applied over a single or group of users within same domain then what you say. Is it possible ? Think over it……. The answer is, Yes…. It is quite possible to apply another password policy over a single or group of users while first one exists. This blog will explain how to configure fine grained password policy.
Microsoft introduced FGPP (Fine Grained Password Policy) which is applicable Windows 2008 server domain environment onwards. With the help of FGPP, IT Administrators can create another password policy for their separate set of domain user accounts within same domain. Means to say, more than one password policies can be applied in a single domain. Keep on to know more how to do that !!!
How To Configure Fine Grained Password Policy
- Open ADUC console and create a new Global Security Group with the appropriate name (like “FGPP_Domain_Users”).
- Add one user account to this group. Let’s say “test”.
- Open Active Directory Administrative Center now.
- Go to the path, ad(local)–> System–> “Password Settings Container”.
- Right Click on “Password Settings Container”–> New–> “Password Settings”.
- In the “Create Password Settings” User Interface, fill all the required fields with the appropriate values as shown below:
- Name – Fine Grained Password Policy
- Precedence – 1
- Enforce Minimum Password Length – 12 (As per your FGPP requirement)
- Enforce Password History – 3 (As per yours FGPP requirement)
- Password must meet complexity requirements – Yes
- Protect from accidental deletion – Yes
- Enforce minimum password age – 2 (As per your FGPP requirement)
- Enforce maximum password age – 45 (As per your FGPP requirement)
Under the Enforce Account Lockout Policy
- Number of failed logon attempts allowed – 3 (Depends your requirement)
- Reset failed logon attempts count after (mins) – 20 (Depends your requirement)
- Until an administrator manually unlocks the account – Yes.
Fine Grained Password Policy for special accounts.
Under the “Directly Applies To” section
Need to add the group which was created above i.e. “FGPP_Domain_Users”.
Now click OK to save and come out of the password settings.
- Now reset password for the account which was added to this group in step number 2.
- Because new FGPP policy is getting applied on this user account now so it won’t accept password as per old password policy and will give an error.
- Now try to give password as defined in newly created FGPP policy. It must accept.
- Now try to log into any server with this user account credentials.
- Here you will see that user has logged into server successfully using new password.
Thank you !!!
Now, if you like this blog then please do reply and for feedback or suggestions kindly mail us on firstname.lastname@example.org.
- Lock The Taskbar Through Group Policy
- Remove Power Button From Start Menu
- Show Run As Different User On Start
- Powershell Commands Related To Active Directory Users
- How To Force User To Change Password