Centriq Training Print Logo

Sunday

February 5 11:21 PM


Blog Banner Graphic

Blog

Fine-Grained Password Policies

Fine-Grained Password Policies

June 10, 2019 in Corporate IT Training, Microsoft / by Janet Nichols

How to Configure Fine-Grained Password Policies in PowerShell

 

About a year ago, I held a seminar about Fine-Grained password policies. Several of my students asked me to document the important points in a blog. But they added a twist to the request. Instead of using GUI tools, they suggested it would be more helpful if I documented all of the steps in PowerShell. Never one to say no, I agreed. So to those students, this blog is for you!

First, a little background about Fine-Grained password policies.

What are Fine-Grained Password Policies?

Fine-Grained password policies were first introduced by Microsoft in Windows Server 2008 allow administrators to have multiple password policies in a domain. Prior to Server 2008, each domain could have only a single password and account lockout policy. With Fine-Grained password policies, each domain can now have multiple different password and account lockout policies. These policies can be assigned to an individual user, InetOrgPerson, or a global group (also referred to as a shadow group). (A shadow group is a global group that “shadows” the membership of an Organizational unit.)

How to Configure Fine-Grained Password Policies in PowerShell

  1. Verify your domain functional level
  2. Create a new global group for the members of the IT organizational unit
  3. Create a Password Setting Object
  4. Link your Fine-Grained password policy to my ITpwd group
  5. Add your user to the new ServerAdmins group
  6. Create a Password Setting object
  7. Assign the ServerAdminpwds to the ServerAdmins group
  8. Add the Fine-Grained password policy to my user object

First, I verify my domain functional level. To support Fine-Grained password policies, your domain functional level must be at least Windows Server 2008.

Since my domain functional level is Windows2012R2, I can proceed.

Next, I create a new global group for the members of the IT organizational unit. All of the members in my IT organizational unit have a department name of IT. This allows me to use PowerShell to search for the users that have been assigned to the IT group. I then add the users from my query to the new Global group named ITPwd.

$_ = current item from my search. My user account, Janet has a department identifier of IT.

Next, I create a Password Setting Object. I name it ITpwds.

This is a single line.

This password policy is creating a complex password that is a minimum of 9 characters in length. The password must be changed every 30 days.  (30:00:00:00 is entered as DD.HH:MM: SS. DD=day, HH=hour, MM=minutes, and SS=seconds.)  The user can choose to change the password after 1 day. The password history count of 12 indicates that the user must use a unique password for 12 changes.  The Reversible encryption is set to false.  This means that I do not want to store the password in a readable format. The lockout threshold is set to 3. This indicates that if the user logs on with a known user account but cannot guess their password after three tries, the account will be locked. The lockout observation window indicates that after 15 minutes, the counter will reset to 0; assuming that the user account is not locked out, the user can try again to logon. The lockout duration is set to 30 days. If the user account is locked out, it will remain locked out for 30 days. The precedence of 20 is used in case I decide to set up multiple password settings objects for different groups; since the user may belong to two or more groups that have a password policy associated with it. The lower the precedence number, the higher the precedence. In English, that means when a user belongs to two different groups, each with a Fine-Grained password policy assigned, the password settings object with the lowest number would be their effective password setting.

Next, I link my Fine-Grained password policy to my ITpwd group.

To view the new Fine-Grained password policy, I type the following:

To view my user’s password policy, I type:

To verify that Precedence works correctly, I create a second group and a new Password Settings Object for that group.

Next, I add my user to the new ServerAdmins group.

Next, I create a Password Setting object.   

Next, I assign the ServerAdminpwds to the ServerAdmins group.

Now I verify that Janet has the ServerAdminpwds PasswordSettings Object assigned.

To assign a Fine-Grained password policy to my user account, I type:

Next, I add the Fine-Grained password policy to my user object. 

To verify that the directly assigned password policy is assigned to my user, I run the following:

Assigning a Password Settings Object to a single user account can be useful. It allows a single user to have a unique password policy. This is useful when a user has security restrictions on just their account.

Let me know if you have any questions!

 

Janet Nichols has 36 years of experience working in IT, with expertise in Microsoft Windows Server 2016, Microsoft Windows Server 2012, Microsoft Windows Server 2008, Microsoft Networking Technologies, and Infrastructure services. 

Are you interested in learning more about Fine-Grained password policies or taking a class at Centriq Training? Fill out the form below for a training advisor to contact you with more information!

  • Your use of this Site is subject at all times to our Terms of Use and Privacy Policy. If you do not agree to the terms set out in our Terms of Use and Privacy Policy please do not use the Site.

  • This field is for validation purposes and should be left unchanged.
Start Date
End Date
Day/Eve
Break Weeks
Track
Jan 23, 2023
Jul 27, 2023
Eve
4/3/23-4/7/23
5/22/23-5/26/23
7/3/23-7/7/23
CSSP-V
Jan 30, 2023
May 5, 2023
Day
3/6/23-3/10/23
4/10/23-4/14/23
CSSP-V
Feb 6, 2023
May 19, 2023
Day
3/27/23-3/31/23
FSCP-V
Mar 20, 2023
Jun 23, 2023
Day
4/24/23-4/28/23
5/22/23-5/26/23
CSSP-V
Apr 10, 2023
Jul 28, 2023
Day
5/29/23-6/2/23
7/3/23-7/7/23
FSCP-V
Apr 24, 2023
Oct 19, 2023
Eve
7/3/23-7/7/23
8/21/23-8/25/23
CSSP-V
May 8, 2023
Aug 11, 2023
Day
5/29/23-6/2/23
7/3/23-7/7/23
CSSP-V
May 15, 2023
Dec 14, 2023
Eve
7/3/23-7/7/23
9/4/23-9/8/23
11/20/23-11/24/23
FSCP-V
Jun 19, 2023
Oct 6, 2023
Day
7/3/23-7/7/23
9/4/23-9/8/23
FSCP-V
Jun 26, 2023
Sep 29, 2023
Day
7/3/23-7/7/23
8/7/23-8/11/23
CSSP-V
Jul 24, 2023
Jan 25, 2024
Eve
10/2/23-10/6/23
11/20/23-11/24/23
12/25/23-12/29/23
CSSP-V
If you don't see the Cohort Start date you are looking for don't forget to check out our campus calendars.
CSSP-I: Cloud & Security Specialist Program (In-Person Modality)
CSSP-V: Cloud & Security Specialist Program (Live Virtual Modality)
FSCP-I: Full Stack Coding Program (In-Person Modality)
FSCP-V: Full Stack Coding Program (Live Virtual Modality)
Please note that Centriq will be closed on the following observed holidays: New Year’s Day, Memorial Day, Independence Day, Labor Day, Thanksgiving Day, the day following Thanksgiving Day, and Christmas Day.
Start Date
End Date
Day/Eve
Break Weeks
Track
Feb 13, 2023
Mar 19, 2023
Day
3/20/23-3/24/23
4/17/23-4/21/23
CSSP-I
Apr 17, 2023
Jul 21, 2023
Day
5/22/23-5/26/23
7/3/23-7/7/23
CSSP-I
Jun 5, 2023
Sep 8, 2023
Day
7/3/23-7/7/23
8/7/23-8/11/23
CSSP-I
Jul 31, 2023
Nov 3, 2023
Day
9/4/23-9/8/23
10/2/23-10/6/23
CSSP-I
Sep 25, 2023
Dec 22, 2023
Day
11/20/23-11/24/23
CSSP-I
Nov 27, 2023
Mar 1, 2024
Day
12/25/23-12/29/23
1/29/24-2/2/24
CSSP-I
If you don't see the Cohort Start date you are looking for don't forget to check out our online instructor-led calendar.
CSSP-I: Cloud & Security Specialist Program (In-Person Modality)
CSSP-V: Cloud & Security Specialist Program (Live Virtual Modality)
FSCP-I: Full Stack Coding Program (In-Person Modality)
FSCP-V: Full Stack Coding Program (Live Virtual Modality)
Please note that Centriq will be closed on the following observed holidays: New Year’s Day, Memorial Day, Independence Day, Labor Day, Thanksgiving Day, the day following Thanksgiving Day, and Christmas Day.
Start Date
End Date
Day/Eve
Break Weeks
Track
Jan 16, 2023
Apr 21, 2023
Day
2/2023-2/24/23
3/20/23-3/24/23
CSSP-I
Jan 23, 2023
Jul 27, 2023
Eve
4/3/23-4/7/23
5/22/23-5/26/23
7/3/23-7/7/23
CSSP-I
Feb 27, 2023
Jun 2, 2023
Day
4/3/23-4/7/23
5/1/23-5/5/23
CSSP-I
Apr 10, 2023
Jul 14, 2023
Day
5/15/23-5/19/23
7/3/23-7/7/23
CSSP-I
May 22, 2023
Aug 18, 2023
Day
7/3/23-7/7/23
CSSP-I
Jun 26, 2023
Sep 29, 2023
Day
7/3/23-7/7/23
8/7/23-8/11/23
CSSP-I
Aug 7, 2023
Nov 10, 2023
Day
9/4/23-9/8/23
10/9/23-10/13/23
CSSP-I
Sep 11, 2023
Dec 15, 2023
Day
10/16/23-10/20/23
11/20/23-11/24/23
CSSP-I
Oct 23, 2023
Jan 26, 2024
Day
11/20/23-11/24/23
12/25/23-12/29/23
CSSP-I
Dec 4, 2023
Mar 8, 2024
Day
12/25/23-12/29/23
2/5/24-2/9/24
CSSP-I
If you don't see the Cohort Start date you are looking for don't forget to check out our online instructor-led calendar.
CSSP-I: Cloud & Security Specialist Program (In-Person Modality)
CSSP-V: Cloud & Security Specialist Program (Live Virtual Modality)
FSCP-I: Full Stack Coding Program (In-Person Modality)
FSCP-V: Full Stack Coding Program (Live Virtual Modality)
Please note that Centriq will be closed on the following observed holidays: New Year’s Day, Memorial Day, Independence Day, Labor Day, Thanksgiving Day, the day following Thanksgiving Day, and Christmas Day.