In Active Directory, there can be only one password policy and account lockout policy per domain. Situations arise in which different account policies are required for different types of users. For example, employees in the finance department may need a stronger password policy and account lockout policy than employees in the production department. Similarly, the manager of a department may need a different account policy than their subordinates.
With the release of the Windows Server 2008 operating system, Active Directory gained a major feature that was missing in previous versions: Fine-Grained Password Policy (FGPP), which gives AD the ability to set different password policies and account lockout policies for different sets of users in a domain.
FGPP can be created using the Active Directory Services Interface Editor (ADSI Edit). The following steps describe how to create a FGPP:
FGPP can be applied only to user objects and global security groups. FGPP cannot be applied directly to an OU. However, by creating a shadow group, FGPP can be applied to all users in an OU. A shadow group is a global security group that is logically mapped to an OU so that the FGPP can be enforced on the OU's users: all users in the OU are made members of the shadow group, and the FGPP applied to the shadow group is then enforced on those users. Use the command below to create and map a shadow group to an OU:
dsquery user "OU=TestOU,DC=domain1,DC=com" -limit 0 | dsmod group "CN=shadowgroup,OU=TestOU,DC=domain1,DC=com" -chmbr
The shadow group itself must already exist as a global security group. The -chmbr option replaces the complete membership list of the group with the users returned by dsquery, and -limit 0 makes dsquery return all users in the OU (without it, dsquery stops at 100 results, so an OU with more users would have only the first 100 left in the group). When users are added to or moved out of the OU, run the command again to bring the shadow group membership, and therefore the FGPP, back in line with the OU.
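The same procedure in PowerShell, as an added example that is not part of the original article: it creates the shadow group and an FGPP if they do not exist, links the FGPP to the group, and then reconciles the group membership with the OU by adding users that entered the OU and removing users that left it (the dsquery/dsmod form above achieves the same by replacing the whole member list). The OU, group and domain names are those used above; the policy name and its settings are assumptions, and the ActiveDirectory module (RSAT) and Domain Admins rights are required.

```powershell
# Added example (not from the original article). Assumed: PSO name and settings.
Import-Module ActiveDirectory

$ouDN    = 'OU=TestOU,DC=domain1,DC=com'
$groupDN = 'CN=shadowgroup,OU=TestOU,DC=domain1,DC=com'
$psoName = 'TestOU-PSO'   # assumed policy name

function Sync-ShadowGroup {
    param([string]$OuDN, [string]$GroupDN)

    # Every user object under the OU (Subtree so nested OUs are covered as well).
    $ouUsers = @(Get-ADUser -Filter * -SearchBase $OuDN -SearchScope Subtree |
                 Select-Object -ExpandProperty DistinguishedName)

    # Current user members of the shadow group.
    $members = @(Get-ADGroupMember -Identity $GroupDN |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Select-Object -ExpandProperty DistinguishedName)

    # Add users that entered the OU and remove users that left it, so the FGPP never
    # stays attached to an account that no longer belongs to the OU.
    $toAdd    = @($ouUsers | Where-Object { $_ -notin $members })
    $toRemove = @($members | Where-Object { $_ -notin $ouUsers })
    if ($toAdd.Count)    { Add-ADGroupMember    -Identity $GroupDN -Members $toAdd }
    if ($toRemove.Count) { Remove-ADGroupMember -Identity $GroupDN -Members $toRemove -Confirm:$false }

    [pscustomobject]@{ Added = $toAdd.Count; Removed = $toRemove.Count }
}

# 1. Shadow group: a global security group created in the OU if it is missing.
try   { $group = Get-ADGroup -Identity $groupDN -ErrorAction Stop }
catch { $group = New-ADGroup -Name 'shadowgroup' -Path $ouDN -GroupScope Global `
                             -GroupCategory Security -PassThru }

# 2. The FGPP (values are assumptions). The lowest Precedence wins when several
#    FGPPs apply to one user, so keep precedence values unique across the domain.
try   { $pso = Get-ADFineGrainedPasswordPolicy -Identity $psoName -ErrorAction Stop }
catch {
    $pso = New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) -PassThru
}

# 3. Link the FGPP to the shadow group (msDS-PSOAppliesTo), only once.
if ($pso.AppliesTo -notcontains $group.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group.DistinguishedName
}

# 4. Reconcile membership; re-run this script (for example as a scheduled task)
#    whenever users are added to or moved out of the OU.
Sync-ShadowGroup -OuDN $ouDN -GroupDN $group.DistinguishedName
```

Because the reconciliation is explicit about removals, the script also reports how many accounts lost the policy on each run, which is worth logging: a user moved out of the OU silently drops back to the domain-wide policy.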
By default, only members of the Domain Admins group can create FGPPs and apply them to a user or group.
An FGPP applied directly to a user takes precedence over an FGPP applied to a group of which the user is a member. If more than one FGPP applies to a user, the FGPP with the lowest msDS-PasswordSettingsPrecedence value is applied. If two FGPPs with the same msDS-PasswordSettingsPrecedence apply to a user, the FGPP with the smallest GUID (Globally Unique Identifier) is applied to the user.
To determine which FGPP is applied to a user, the attribute msDS-ResultantPSO can be used. It holds the distinguishedName of the FGPP that is in effect for the user. msDS-ResultantPSO can be viewed on the Attribute Editor tab of the user's properties in Active Directory Users and Computers (ADUC).
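An added example, not from the original article, that audits the resolution rules described above from the command line: it lists FGPPs that share a precedence value (a tie that the GUID rule then decides, which no administrator controls), lists FGPPs linked directly to user objects (these override any group-linked FGPP), and reports the resultant policy for every user in the OU, including users who get no FGPP and therefore fall back to the domain-wide policy. The OU name is the one used above; the ActiveDirectory module (RSAT) is required.

```powershell
# Added example (not from the original article). Assumed: only the OU name.
Import-Module ActiveDirectory
$ouDN = 'OU=TestOU,DC=domain1,DC=com'

function Get-FgppPrecedenceTies {
    # FGPPs with an equal msDS-PasswordSettingsPrecedence are resolved by objectGUID,
    # so every FGPP in the domain should carry a unique precedence value.
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Group-Object -Property Precedence |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Precedence = $_.Name; Policies = ($_.Group.Name -join ', ') }
        }
}

function Get-FgppDirectUserLinks {
    # An FGPP linked straight to a user object wins over any group-linked FGPP;
    # list such exceptions so they are known and reviewed.
    Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
        $psoName = $_.Name
        foreach ($dn in $_.AppliesTo) {
            if ((Get-ADObject -Identity $dn).ObjectClass -eq 'user') {
                [pscustomobject]@{ Policy = $psoName; User = $dn }
            }
        }
    }
}

function Get-OuResultantPolicies {
    param([string]$OuDN)
    # msDS-ResultantPSO is a constructed attribute computed by the DC on request,
    # so it must be asked for explicitly with -Properties.
    Get-ADUser -Filter * -SearchBase $OuDN -Properties msDS-ResultantPSO | ForEach-Object {
        # Returns nothing when no FGPP applies, i.e. the domain-wide policy is in force.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_
        [pscustomobject]@{
            User             = $_.SamAccountName
            ResultantPSO     = $_.'msDS-ResultantPSO'
            MinPwdLength     = $(if ($pso) { $pso.MinPasswordLength } else { '(domain policy)' })
            LockoutThreshold = $(if ($pso) { $pso.LockoutThreshold }  else { '(domain policy)' })
        }
    }
}

Get-FgppPrecedenceTies              | Format-Table -AutoSize
Get-FgppDirectUserLinks             | Format-Table -AutoSize
Get-OuResultantPolicies -OuDN $ouDN | Format-Table -AutoSize
```

Get-ADUserResultantPasswordPolicy performs the same resolution the DC does for msDS-ResultantPSO, so a user whose ResultantPSO column is empty is governed only by the domain-wide policy; that is the case to look for after moving accounts between OUs.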