Using Fine Grained Password Policy to exclude a single Active Directory Account from being Locked Out

How to Exclude a Single User from Account Lockout Policy in Active Directory

Fine-Grained Password Policy is a feature available in Windows Server 2008 and later that removes a limitation of earlier Windows Server versions. In those versions, the domain password policy applied to every user in the domain, and the same was true of the Account Lockout Policy. To apply a different set of policies to a single user or group, a separate domain had to be created for those users and groups and a separate policy applied to it. Excluding a single user from the account lockout policy was therefore tedious.

With Fine-Grained Password Policies (FGPP), administrators can apply different sets of policies to different users without much hassle. These policies can be set in Password Setting Objects (PSO) and not using Group Policy in Active Directory. FGPP includes both password policies and account lockout policies as it is a derivative of account policies. This is implemented by modifying the Active Directory database. Another important feature is that one Password Setting Object (PSO) can be linked to multiple users or groups by means of the msDS-PSOAppliesTo attribute. Hence a Fine-Grained Password Policy can be created to prevent a single Active Directory user from being locked out. This can be done using the Active Directory Administrative Center (ADAC).

Configuring the Fine-Grained Password Policy to Exclude a Single User from Account Lockout Policy

To create a Password Setting Object (PSO) using Fine-Grained Password Policy, log in to the Windows Server 2012 domain controller with a domain admin account.
  1. Open the Active Directory Administrative Center (ADAC) and click on Tree view.
  2. Navigate to System > Password Settings Container.
  3. Right-click on the Password Settings Container and select New > Password Settings.
  4. In the Create Password Settings window, enter the Name and Precedence in the corresponding fields.
  5. Define all the other password settings so as to prevent the desired user account from getting locked out.
  6. After the password policies have been defined, in the Directly Applies to section, choose the single user to which the PSO needs to be applied. You can also choose a global group or more than one user.
  7. Click OK after the policies have been defined and assigned to the desired users or groups.  

PowerShell cmdlet for Configuring Fine-Grained Password Policy

A Fine-Grained Password Policy that excludes a single Active Directory account from being locked out can also be created with the PowerShell cmdlet given below.

  New-ADFineGrainedPasswordPolicy -Name "DomainUsersPSO" -Precedence 500 -ComplexityEnabled $true -Description "The Domain Users Password Policy" -DisplayName "Domain Users PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10

Note that -LockoutThreshold is the number of failed logon attempts allowed before the account is locked; a value of 0 means the accounts the PSO applies to are never locked out, while the value 10 shown above still locks the account after ten failed attempts. The PSO must then be linked to the user (for example with Add-ADFineGrainedPasswordPolicySubject) before it takes effect.
Thus a single user account can be excluded from being locked out by the account lockout policy by configuring a Fine-Grained Password Policy. This policy can also be applied for multiple users and groups in Active Directory. 
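The following script is an added example, not part of the original article, that carries the ADAC steps and the cmdlet above through end to end: it creates a PSO with lockout disabled, links it to exactly one user, verifies the policy the domain controller will actually enforce for that user, and lists every account any PSO currently exempts from lockout. The user name svc-backup and the PSO name NoLockout-svc-backup are assumed placeholders.

```powershell
# Added example (not from the original article). Assumed names: user
# "svc-backup", PSO "NoLockout-svc-backup"; replace them with your own.
Import-Module ActiveDirectory

$UserSam = 'svc-backup'
$PsoName = 'NoLockout-svc-backup'

# Precedence: the lowest value wins when several PSOs apply to one user.
# LockoutThreshold 0 = never lock out. The password settings are copied
# from the default domain policy so the PSO changes only lockout behaviour.
$default = Get-ADDefaultDomainPasswordPolicy
New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
    -DisplayName 'No lockout for a single account' `
    -Description 'Exempts one account from the domain account lockout policy' `
    -LockoutThreshold 0 `
    -LockoutDuration '00:30:00' `
    -LockoutObservationWindow '00:30:00' `
    -ComplexityEnabled $default.ComplexityEnabled `
    -MinPasswordLength $default.MinPasswordLength `
    -PasswordHistoryCount $default.PasswordHistoryCount `
    -MaxPasswordAge $default.MaxPasswordAge `
    -MinPasswordAge $default.MinPasswordAge `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# Link the PSO to exactly one user (writes the user's DN to msDS-PSOAppliesTo).
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $UserSam

# Verify: the resultant policy is what the DC enforces for this user, so a
# PSO with a lower precedence value elsewhere would show up here.
$rsop = Get-ADUserResultantPasswordPolicy -Identity $UserSam
if ($rsop -and $rsop.Name -eq $PsoName -and $rsop.LockoutThreshold -eq 0) {
    Write-Host "$UserSam is exempt from lockout via PSO '$($rsop.Name)'"
} else {
    Write-Warning "Resultant policy for $UserSam is '$($rsop.Name)' (LockoutThreshold $($rsop.LockoutThreshold)); check PSO precedence"
}

# Audit: list every account any PSO exempts from lockout, so exemptions
# stay visible and can be reviewed periodically.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { $_.LockoutThreshold -eq 0 } |
    ForEach-Object {
        $pso = $_
        Get-ADFineGrainedPasswordPolicySubject -Identity $pso.Name |
            Select-Object @{n = 'PSO'; e = { $pso.Name }}, SamAccountName, ObjectClass
    }
```

Run it in an elevated PowerShell session on a domain controller or a host with the RSAT Active Directory module, using an account that can create objects in the Password Settings Container.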