How to Configure Fine-Grained Password Policies in PowerShell


About a year ago, I held a seminar about Fine-Grained password policies. Several of my students asked me to document the important points in a blog. But they added a twist to the request. Instead of using GUI tools, they suggested it would be more helpful if I documented all of the steps in PowerShell. Never one to say no, I agreed. So to those students, this blog is for you!

First, a little background about Fine-Grained password policies.

What are Fine-Grained Password Policies?

Fine-Grained password policies, first introduced by Microsoft in Windows Server 2008, allow administrators to have multiple password policies in a domain. Prior to Server 2008, each domain could have only a single password and account lockout policy, the one carried by the Default Domain Policy. With Fine-Grained password policies, each domain can have multiple password and account lockout policies, each stored as a Password Settings Object (PSO). A PSO can be applied to an individual user, an InetOrgPerson, or a global security group; it cannot be linked to an organizational unit, a domain local group, or a universal group. The usual way to cover an OU is a shadow group: a global group whose membership "shadows" the membership of the organizational unit.

How to Configure Fine-Grained Password Policies in PowerShell

  1. Verify the domain functional level
  2. Create a new global group, ITPwd, for the members of the IT organizational unit
  3. Create a Password Settings Object, ITpwds
  4. Link the ITpwds policy to the ITPwd group
  5. Add the user to a second group, ServerAdmins
  6. Create a second Password Settings Object, ServerAdminpwds
  7. Link ServerAdminpwds to the ServerAdmins group
  8. Link a Fine-Grained password policy directly to the user object

First, I verify my domain functional level. To support Fine-Grained password policies, the domain functional level must be Windows Server 2008 or higher.

Since my domain functional level is Windows2012R2, I can proceed.

Next, I create a new global group for the members of the IT organizational unit. All of the users in my IT organizational unit have a Department attribute of IT, so I can use PowerShell to search for those users and pipe the results into the new global group, named ITPwd.

In the pipeline, $_ is the current object returned by my search. My user account, Janet, has a Department value of IT, so she is added to the group.

Next, I create a Password Setting Object. I name it ITpwds.

The command that creates the object is a single line, with every setting passed as a parameter.

This password policy requires a complex password with a minimum length of 9 characters. The password must be changed every 30 days; the maximum password age is entered as a time span in the form DD.HH:MM:SS, so 30 days is 30.00:00:00 (DD=days, HH=hours, MM=minutes, SS=seconds). The minimum password age of 1 day means the user cannot change the password again until a day has passed, which stops a user from cycling through the history list in one sitting. The password history count of 12 means the user cannot reuse any of their last 12 passwords. Reversible encryption is set to false: I do not want the password stored in a form that can be turned back into clear text.

The lockout threshold is set to 3. If three bad passwords are entered for a valid account within the observation window, the account is locked. The lockout observation window of 15 minutes means the bad-password counter resets to 0 fifteen minutes after the last failed attempt; assuming the account was not locked, the user can try again. The lockout duration is set to 30 days, so a locked-out account stays locked for 30 days unless an administrator unlocks it. Be aware of the trade-off: a low threshold combined with a long lockout duration lets anyone who knows a username lock that account out simply by entering three wrong passwords, so most environments choose a much shorter duration and make sure lockouts are logged and investigated.

The precedence of 20 matters when I set up multiple Password Settings Objects for different groups, since a user may belong to two or more groups that each have a policy linked. The lower the precedence number, the higher the precedence. In English, that means when a user belongs to two different groups, each with a Fine-Grained password policy assigned, the policy with the lowest precedence number becomes their effective (resultant) password setting. Give each PSO a unique precedence number; if two PSOs share a number, the one with the lower object GUID wins, which is arbitrary from an administrator's point of view.

Next, I link my Fine-Grained password policy, ITpwds, to the ITPwd group.

To view the new Fine-Grained password policy, I type the following:

To view my user’s password policy, I type:

To verify that Precedence works correctly, I create a second group and a new Password Settings Object for that group.

Next, I add my user to the new ServerAdmins group.

Next, I create a second Password Settings Object, ServerAdminpwds.

Next, I link the ServerAdminpwds policy to the ServerAdmins group. For the test to be meaningful, its precedence number must be lower than the 20 I gave ITpwds.

Now I verify that Janet's resultant policy is the ServerAdminpwds Password Settings Object.

Next, I link a Fine-Grained password policy directly to my user object. I type:

To verify that the directly assigned password policy is assigned to my user, I run the following:
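The whole procedure as one PowerShell script. This is an added example, not the post's own commands (the post's screenshots are not reproduced here). It assumes the ActiveDirectory module on a domain-joined admin host, a domain named corp.example with an OU named IT, and a user Janet whose Department attribute is IT. The names ITPwd, ITpwds, ServerAdmins and ServerAdminpwds follow the post; the settings and the precedence of 10 for ServerAdminpwds are assumed, since the post does not list them. Step 8 goes slightly beyond the post: it links ITpwds (precedence 20) directly to Janet to show that a direct link beats a group link whatever the precedence numbers say.

```powershell
# Added example, not the original post's code. Assumed: ActiveDirectory module,
# domain corp.example with an OU named IT, user Janet with Department = "IT".
# ServerAdminpwds settings and its precedence of 10 are assumed for the demo.
Import-Module ActiveDirectory

$ItOu = 'OU=IT,DC=corp,DC=example'   # assumed OU path

# 1. Verify the domain functional level. PSOs need Windows Server 2008 or higher,
#    so only Windows 2000 / 2003 / 2003 interim levels are unsupported.
$domain = Get-ADDomain
if ($domain.DomainMode -match '^Windows200[03]') {
    throw "Domain functional level $($domain.DomainMode) does not support Fine-Grained password policies."
}
"Domain functional level: $($domain.DomainMode)"

# 2. Create the shadow group and fill it from the Department attribute.
#    Only global security groups, users and inetOrgPersons can be PSO subjects.
New-ADGroup -Name 'ITPwd' -GroupScope Global -GroupCategory Security -Path $ItOu `
    -Description 'Shadow group for the ITpwds PSO'
Get-ADUser -Filter 'Department -eq "IT"' -SearchBase $ItOu |
    ForEach-Object { Add-ADGroupMember -Identity 'ITPwd' -Members $_ }   # $_ = current user from the search

# 3. Create the Password Settings Object. TimeSpan values are DD.HH:MM:SS.
#    LockoutDuration of 30 days follows the post; a value that long makes it
#    easy to lock someone out on purpose, so reconsider it in production.
New-ADFineGrainedPasswordPolicy -Name 'ITpwds' -Precedence 20 `
    -ComplexityEnabled $true -MinPasswordLength 9 `
    -MaxPasswordAge '30.00:00:00' -MinPasswordAge '1.00:00:00' `
    -PasswordHistoryCount 12 -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 3 -LockoutObservationWindow '0.00:15:00' -LockoutDuration '30.00:00:00' `
    -ProtectedFromAccidentalDeletion $true

# 4. Link the PSO to the group, then inspect the PSO and Janet's resultant policy.
Add-ADFineGrainedPasswordPolicySubject -Identity 'ITpwds' -Subjects 'ITPwd'
Get-ADFineGrainedPasswordPolicy -Identity 'ITpwds'           # AppliesTo lists the linked group
Get-ADUserResultantPasswordPolicy -Identity 'Janet'         # the only linked PSO, ITpwds, is resultant

# 5-7. Second group and a second PSO with a lower precedence number (higher priority).
New-ADGroup -Name 'ServerAdmins' -GroupScope Global -GroupCategory Security -Path $ItOu
Add-ADGroupMember -Identity 'ServerAdmins' -Members 'Janet'
New-ADFineGrainedPasswordPolicy -Name 'ServerAdminpwds' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 `
    -MaxPasswordAge '30.00:00:00' -MinPasswordAge '1.00:00:00' `
    -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:15:00' -LockoutDuration '0.00:30:00' `
    -ProtectedFromAccidentalDeletion $true
Add-ADFineGrainedPasswordPolicySubject -Identity 'ServerAdminpwds' -Subjects 'ServerAdmins'

# Janet is now in both groups. Among group-linked PSOs the lowest precedence
# number wins, so ServerAdminpwds (10) becomes her resultant policy.
(Get-ADUserResultantPasswordPolicy -Identity 'Janet').Name

# 8. Link a PSO directly to the user. A PSO linked directly to a user object is
#    chosen before any group-linked PSO regardless of precedence, so ITpwds (20)
#    now takes over from ServerAdminpwds (10).
Add-ADFineGrainedPasswordPolicySubject -Identity 'ITpwds' -Subjects 'Janet'
(Get-ADUserResultantPasswordPolicy -Identity 'Janet').Name

# Show the links on the user object itself: msDS-PSOApplied holds the PSOs
# linked directly to the user, msDS-ResultantPSO is the computed winner.
Get-ADUser -Identity 'Janet' -Properties 'msDS-PSOApplied', 'msDS-ResultantPSO' |
    Select-Object Name, 'msDS-PSOApplied', 'msDS-ResultantPSO'
```

Run it in an elevated PowerShell session as a member of Domain Admins (creating PSOs requires write access to the Password Settings Container under CN=System). Get-ADUserResultantPasswordPolicy reads the constructed attribute msDS-ResultantPSO on the domain controller, so it reports what the DC will actually enforce rather than what you think you linked.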

Assigning a Password Settings Object to a single user account can be useful. It allows a single user to have a unique password policy, which is handy when one account needs tighter restrictions than its groups. Keep in mind how it interacts with group links: a PSO linked directly to a user object is always chosen over any PSO linked through the user's groups, no matter what precedence numbers they carry. Only when several PSOs are linked directly to the same user does the precedence number decide between them.

Let me know if you have any questions!


Janet Nichols has 36 years of experience working in IT, with expertise in Microsoft Windows Server 2016, Microsoft Windows Server 2012, Microsoft Windows Server 2008, Microsoft Networking Technologies, and Infrastructure services. 

Are you interested in learning more about Fine-Grained password policies or taking a class at Centriq Training? Fill out the form below for a training advisor to contact you with more information!
