How to create fine-grained password policy in AD

Fine-grained password policies are a simple and effective way of ensuring password settings meet business requirements.

Standard Active Directory configurations include a single password policy for all domain members, enforced domain-wide via Group Policy through the application of the Default Domain Policy. While Group Policy has thousands of options and is powerful and flexible, it cannot apply the fine-grained password policies that many of today's organizations need to stay secure.

To meet organizations' needs, Microsoft began offering fine-grained password policy options of Password Settings Container and Password Settings Objects with Windows Server 2008.

Getting started: Why fine-grained password policies?

Those of us who have evolved with Active Directory (AD) likely followed -- or still follow -- the mantra that one password policy rules the entire domain. Forget that assumption.

Today's environments have multiple different users and groups that may require different password policies. Maybe you want to separate user accounts and service accounts -- or standard users and privileged users. Or maybe you want to synchronize passwords with other authentication providers.

You can do this with fine-grained password policy options.

Fine-grained password options

Fine-grained password policies are deployed via Password Settings Objects (PSOs), which are stored in the Password Settings Container.

Screenshot of password settings in AD
Standard, account lockout and fine-grained passwords settings in AD

A PSO offers the same password settings from Default Domain Policy options, including standard settings -- for example, minimum password length, minimum password age and minimum password age -- and account lock settings, such as threshold, observation window and duration. It also includes the following fine-grained policy-specific settings:

  • Precedence. This sets the priority of the PSO when an account has two or more PSOs applied to it. Note, a lower number has a higher precedence. Consider a CFO who has "executive" and "finance" PSOs applied. If the executive PSO has a precedence value of 20 and the finance PSO a precedence level of 30, the executive PSO would overrule -- have precedence over -- the finance PSO. A PSO with a precedence value of 10 would precede over an executive policy. Carefully consider precedence values when defining PSOs.
  • Protect from accidental deletion. This setting, if checked, protects a PSO from being deleted from AD by mistake.

Note, any account without a PSO applied is subject to the password requirements defined in the Default Domain Policy.

Screenshot of fine-grained password policy settings in AD
Precedence and protect from accidental deletion settings in AD

In older networks, ensure the domain functional level is at least Server 2008. This shouldn't be a problem for most modern AD environments.

Designing a fine-grained password policy

Before a PSO can be implemented, it must be created. First, identify the types of accounts that need specialized password requirements. For the sake of example, here, we look at the following four identities:

  1. IT admin accounts.
  2. Service accounts.
  3. Executive accounts.
  4. Contractor accounts.

Next, document password settings for each type.

Screenshot of the precedence setting of a PSO
The precedence attribute enables admins to set which PSO wins if more than one PSO is applied to a user account.

IT admin accounts

  • Name: itadmins_fgpp
  • Description: Restrictive password settings for all IT administrator accounts.
  • Password history: 20 passwords
  • Maximum password age: 30 days
  • Minimum password age: 1 day
  • Minimum password length: 15 characters
  • Complexity enabled: Yes
  • Enforce account lockout policy: Checked
  • Number of failed logon attempts allowed: 3
  • Reset failed logon attempts count after (mins): 30 minutes
  • Account will be locked out: Until an administrator manually unlocks the account
  • Precedence: 20

Service accounts

  • Name: serviceaccounts_fgpp
  • Description: Restrictive password settings for all service accounts.
  • Password history: 10 passwords
  • Maximum password age: 365 days
  • Minimum password age: 1 day
  • Minimum password length: 30 characters
  • Complexity enabled: Yes
  • Enforce account lockout policy: Unchecked
  • Precedence: 30

Executive accounts

  • Name: executives_fgpp
  • Description: Password settings for members of the executive team.
  • Password history: 20 passwords
  • Maximum password age: 45 days
  • Minimum password age: 1 day
  • Minimum password length: 15 characters
  • Complexity enabled: Yes
  • Enforce account lockout policy: Checked
  • Number of failed logon attempts allowed: 3
  • Reset failed logon attempts count after (mins): 15 minutes
  • Account will be locked out: Until an administrator manually unlocks the account
  • Precedence: 40

Contractors

  • Name: contractors_fgpp
  • Description: Password settings for contractors, temporary employees and other guests.
  • Password history: 20 passwords
  • Maximum password age: 15 days
  • Minimum password age: 1 day
  • Minimum password length: 12 characters
  • Complexity enabled: Yes
  • Enforce account lockout policy: Checked
  • Number of failed logon attempts allowed: 3
  • Reset failed logon attempts count after (mins): 15 minutes
  • Account will be locked out: Until an administrator manually unlocks the account
  • Precedence: 50

Create a global group for each account type, and add the accounts to the appropriate groups. It's almost always more efficient to link settings to groups than individual users. These are sometimes called shadow groups and contain the same members as an organizational unit in AD.

Learn how to configure and implement PSOs and apply them to users and global groups.

Next Steps

Top 5 password hygiene tips and best practices

Use these 6 user authentication types to secure networks

How to secure passwords with PowerShell

Dig Deeper on Identity and access management