In Active Directory, the Default Domain Policy enforces a single password policy across all users. This is not suitable for enterprise networks, where administrators require strict authentication policies to maintain domain security while standard users need quick, simple access to their machines. Fine-Grained Password Policies (FGPPs) solve this problem by allowing administrators to create multiple password policies within a single domain. In this post I will go through the process of creating one using both the Active Directory Administrative Center and PowerShell. I have two OUs in my domain, _ADMINS and _USERS, and I will create an FGPP for each that reflects its security needs.
I begin in Server Manager and go to Tools > Users and Computers. FGPPs cannot be applied directly to an OU, so I first have to create Global Security Groups for my Standard Users and my Admins.
I go to the OU containing my Standard Users, right-click, select New > Group, and in the New Object - Group window I give the group a name, set the scope to Global and the group type to Security, as required for FGPPs.
I then use Ctrl+A to select all the users and Ctrl+left-click to deselect the group. I right-click, select Add to a group, set the object type to Groups, type in Standard Users (the name of the group I created), then Check Names and OK. I get a pop-up confirming that the operation completed.
Now I can go to the Active Directory Administrative Center (dsac.exe) and actually create the FGPP. I go to the left-hand Overview menu, expand my domain > expand System > and select Password Settings Container.
Then in the right-hand Tasks pane I select New > Password Settings.
Under Directly Applies To I select Add, select Groups for Object Types and _USERS for Location, then type in Standard Users and Check Names.
Now I add the Password Settings. I give the policy a name and set Precedence to 20; this leaves room to give _ADMINS a lower precedence value (10), and since the lowest number wins, the admin policy always overrides the standard user policy. I set Minimum length to 15. Microsoft recommends a length of 8, to encourage unique passwords, but in their newest guidelines NIST recommends a minimum of 15 characters, which aligns with their movement away from complexity and toward length as the most secure practice. Microsoft recommends the maximum value of 24 for password history to mitigate password reuse. I set minimum password age to 1 (day) to protect against password cycling to bypass the history setting. For maximum password age Microsoft recommends between 30 and 90 days, so I set a middle value of 60 days for standard users. Microsoft recommends a baseline of 10 for failed logon attempts; I use this maximum recommendation for standard users and lower it for admins. I select 20 minutes before the failed logon counter resets. I figure that this allows time for a response if necessary while also being short enough to wait out if it is just a forgetful user.
For the admin password policy, since there is only one admin, rather than creating a new group I will simply apply it to the user.
I right-click PowerShell to run it as Administrator and enter the following command to create a new FGPP.
For Admin I set the precedence to 10 to override the standard user policy, lowered the lockout threshold, increased the lockout duration and enabled complexity requirements, all to reflect the increased risk of a malicious actor gaining access to an admin account.
I then use the following two commands to apply the FGPP to the user and verify that the policy was correctly applied.
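The whole procedure described above, from the standard-user settings through the admin policy, its assignment and the verification step, as one added PowerShell example. These are not the post's own commands; they use the ActiveDirectory module cmdlets that back the ADAC dialogs. The PSO names PSO-StandardUsers and PSO-Admins, the admin account admin.user, the sample standard user jdoe, the admin lockout values (5 attempts, 1 hour) chosen to illustrate "lowered" and "increased", and the 20-minute standard-user lockout duration (the post states only the 20-minute observation window) are all assumptions.

```powershell
# Added example (not the post's own commands): builds both FGPPs described in the
# post with the ActiveDirectory module, applies them, and verifies which policy each
# user actually receives. Run from an elevated PowerShell on a domain-joined admin host.
#
# Assumptions not taken from the post: PSO names, the admin account 'admin.user',
# a sample standard user 'jdoe', the admin lockout values (5 attempts, 1 hour),
# and a 20-minute lockout duration for standard users.
Import-Module ActiveDirectory

# Standard-user policy: precedence 20. The lowest precedence value wins when a
# user is covered by more than one PSO, so 20 leaves room for the admin policy at 10.
$standardPso = @{
    Name                            = 'PSO-StandardUsers'
    Precedence                      = 20
    MinPasswordLength               = 15             # length over complexity
    PasswordHistoryCount            = 24             # maximum supported; mitigates reuse
    MinPasswordAge                  = '1.00:00:00'   # 1 day; blocks cycling through the history
    MaxPasswordAge                  = '60.00:00:00'  # 60 days
    LockoutThreshold                = 10             # failed logons before lockout
    LockoutObservationWindow        = '00:20:00'     # 20 min until the bad-logon counter resets
    LockoutDuration                 = '00:20:00'     # assumed; AD requires >= observation window
    ComplexityEnabled               = $false
    ReversibleEncryptionEnabled     = $false         # never store reversibly encrypted passwords
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @standardPso
# FGPPs bind to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-StandardUsers' -Subjects 'Standard Users'

# Admin policy: precedence 10 overrides 20, tighter lockout, complexity on.
$adminPso = @{
    Name                            = 'PSO-Admins'
    Precedence                      = 10
    MinPasswordLength               = 15
    PasswordHistoryCount            = 24
    MinPasswordAge                  = '1.00:00:00'
    MaxPasswordAge                  = '60.00:00:00'
    LockoutThreshold                = 5              # assumed "lowered" value
    LockoutObservationWindow        = '00:20:00'
    LockoutDuration                 = '01:00:00'     # assumed "increased" value: 1 hour
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @adminPso
# Applied directly to the single admin account, as the post does.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'admin.user'

# Verification: Get-ADUserResultantPasswordPolicy returns the one winning PSO for a
# user, or nothing when only the Default Domain Policy applies to that user.
$fmt = '{0,-12} {1,-18} precedence={2} minlen={3} lockout={4} complexity={5}'
foreach ($sam in 'jdoe', 'admin.user') {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $sam
    if ($null -eq $pso) {
        Write-Warning "$sam : no PSO applies, the Default Domain Policy is in effect"
    } else {
        $fmt -f $sam, $pso.Name, $pso.Precedence, $pso.MinPasswordLength, $pso.LockoutThreshold, $pso.ComplexityEnabled
    }
}

# Audit: every PSO in the domain, its precedence and the principals it targets,
# so an unexpected low-precedence policy or an over-broad subject stands out.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    ForEach-Object {
        $subjects = (Get-ADFineGrainedPasswordPolicySubject -Identity $_.Name).Name -join ', '
        '{0,-18} precedence={1,-3} applies to: {2}' -f $_.Name, $_.Precedence, $subjects
    }
```

Two checks worth keeping in the verification step: AD rejects a PSO whose lockout duration is shorter than its observation window, and precedence values should be unique per domain, because when two PSOs with the same precedence apply to one user the tie is broken by the lowest objectGUID rather than by anything an administrator chose. Running Get-ADUserResultantPasswordPolicy against the admin account after both policies exist confirms that the precedence-10 policy wins even if that account is also a member of Standard Users.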