Password Polices in Active Directory
We can have only one password policy and it has to be linked to the domain in
Active Directory. To implement one or more specific password policy to certain
users or group in Active Directory we have to set Fine grained Password Policy or
third party Password solution software like nFront Password Filter.
Methods of Creating Fine Grained Password Policy.
1) From Server Manager click on Tools and Navigate to Active Directory Administrative Center
2)
Create a Policy.
Follow these steps to create a new policy.
i) In Active Directory administrative Center click on the domain and navigate to system
Directory and click on it.
ii) Click on the system directory and navigate to Password settings container and click
it.
iii)
To create new password policy click on the new button on Right side Menu.
iv) Following screen may appear.
Now we can configure the password policy as per our requirement apply it to the
specific User or Groups.
Testing Fine Grained Password Policy.
Now we have Two Password Policy in our active directory.
• Password Policy defined in default domain policy.(Local security policy of doman
Controller)
• Password Policy created by fine grained Password Policy.
The Snapshot below is the password policy settings of Defaul domain Policy and Local
Security Policy of Domain Controller. From below snapshot we can confirm that the
password Policy settings in Default Domain Policy is not defined. However from Local
Security Policy we can confirm that Password Policy settings has been defined which is the
Default Domainpassword policy settings in Active Directory.
• Resetting the password for the user who falls under the scope of both
Default Domain Policy & Fine Grained Password Policy.
The snapshot below is administrator trying to reset the password of one domain user who
is the member of PSO group fullfilling the password prerequisite set by default domain
Policy.
Eventhough meeting the prerequisite set in the Password Policy in Default Domain Policy, Password
Reset failed for that user since that user belongs to PSO group. For PSO group we have applied
separate password policy using fine grained password policy.
The snapshot below depicts the administrator trying to reset the password for the user by fulfilling
the password prerequisite set in the Fine Grained Password Policy.
Password Reset for that user succeded after meeting the prerequisite set in password policy from
Fine Grained Password Policy, since that user fall under the scope of Fine Grained Password Policy.
• Resetting the password for the users who fall under the scope of default
Domain Policy.
The snapshot below shows the adminstrator trying to reset the password for the users
by fulfilling the prerequisite of Default Domain Policy only, who fall under the scope of
Default Domain Policy.
Since, this user falls under the scope of Default Domain Policy only, No Fine
Grained password policy is applied for this user.
Conclusion:• For user who falls under the scope of Default Domain Policy & Fine Grained
Password Policy, Password Policy set in the Fine Grained will be applied to
the user.
• For User who falls under the scope of multiple Fine Grained Password
Policy, Policy having the lower Precedence value will be applied.
• For user who falls under the scope of only Default Domain Policy, Password
policy set in Default Domain Policy will be applied.
• For Password policy, the password settings in Default Domain Policy and
Password settings in local security policy of Domain Controller are
integrated.(Whatever the changes we made on the password policy on
Default Domain Policy it will be reflected on the Password Policy of Local
Secuirty Policy and vice versa).