Fine-Grained Password policy Windows 2008 R2 Domain controller.

  • Question

  • Hi,

    Need to configure Fine-Grained Password policy. Raised functional level to Windows 2008 R2.

    1. How to configure

    2. How to test the same

    3. Explore the features.

    Sunday, March 11, 2012 10:44 PM


All replies

  • Refer to the links below:


    AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide


    AD DS: Fine-Grained Password Policies


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Sunday, March 11, 2012 11:18 PM
  • You can implement fine-grained password policy in the domain; the requirement is that the domain functional level should be at minimum Windows 2008. You can test the same by following the article below, but keep in mind that if you raise the FFL to Windows 2008 R2 you can use the AD Recycle Bin feature for restoring deleted objects without taking the system offline.


    Take a look at the article below for what is new or improved in Windows 2008/R2.


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com


    Monday, March 12, 2012 4:14 AM
  • Hi,

    You can create Password Settings objects (PSOs):

    Using AD Module for Windows PowerShell

    Using ADSI Edit

    and Using Ldifde.

    The easiest way to implement PSO from ADSI Edit...

    To create a PSO using ADSI Edit

    1. Click Start, click Run, type adsiedit.msc, and then click OK.

      If you are running ADSI Edit for the first time on a domain controller, proceed to step 2. Otherwise, proceed to step 4.

    2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.

    3. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO, and then click OK.

    4. Double-click the domain.

    5. Double-click DC=<domain_name>.

    6. Double-click CN=System.

    7. Click CN=Password Settings Container.

      All the PSO objects that have been created in the selected domain appear.

    8. Right-click CN=Password Settings Container, click New, and then click Object.

    9. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.

    10. In Value, type the name of the new PSO, and then click Next.

    11. Continue with the wizard, and enter appropriate values for all mustHave attributes.

      To disable account lockout policies, assign the msDS-LockoutThreshold attribute the value of 0.

      To avoid ADSI Edit errors, values for the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) must be entered in the d:hh:mm:ss format (recommended) or the I8 format. Note that the d:hh:mm:ss format is only available in the Windows Server 2008 version of ADSI Edit. For more information about how to convert time unit values into I8 values, see "Negative PSO Attribute Values" in Appendix B: PSO Attribute Constraints.

      For more information about time-related PSO attributes, see "PSO Attributes Referential Integrity" in Appendix B: PSO Attribute Constraints.


      | Attribute name | Description | Acceptable value range | Example value |
      |---|---|---|---|
      | | Password Settings Precedence | Greater than 0 | |
      | | Password reversible encryption status for user accounts | FALSE / TRUE (Recommended: FALSE) | |
      | | Password History Length for user accounts | 0 through 1024 | |
      | | Password complexity status for user accounts | FALSE / TRUE (Recommended: TRUE) | |
      | | Minimum Password Length for user accounts | 0 through 255 | |
      | | Minimum Password Age for user accounts | (None); 00:00:00:00 through msDS-MaximumPasswordAge value | 1:00:00:00 (1 day) |
      | | Maximum Password Age for user accounts | (Never): to set the time to (never), set the value to -9223372036854775808; msDS-MinimumPasswordAge value through (Never); msDS-MaximumPasswordAge cannot be set to zero | 42:00:00:00 (42 days) |
      | | Lockout threshold for lockout of user accounts | 0 through 65535 | |
      | | Observation Window for lockout of user accounts | (None); 00:00:00:01 through msDS-LockoutDuration value | 0:00:30:00 (30 minutes) |
      | | Lockout duration for locked out user accounts | (None); (Never); msDS-LockoutObservationWindow value through (Never) | 0:00:30:00 (30 minutes) |
      | | Links to objects that this password settings object applies to (forward link) | 0 or more DNs of users or global security groups | |

      To create a PSO without applying it to any users or global security groups, proceed to step 17. Otherwise, proceed to step 12.

      On the last screen of the wizard, click More Attributes.

    12. On the Select which property to view menu, click Optional or Both.

    13. In the Select a property to view drop-down list, select msDS-PSOAppliesTo.

    14. In Edit Attribute, add the distinguished names of users or global security groups that the PSO is to be applied to, and then click Add.

    15. Repeat step 15 to apply the PSO to more users like Test1, Test2 (you have to make these users yourself) or global security groups.

    16. Click Finish.

    To test it: you can now try to reset the password of that user / group. It will react according to the new PSO (fine-grained).

    Kamal Sharma

    Monday, March 12, 2012 5:39 AM
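    The same PSO built with the AD module for Windows PowerShell, which the reply above lists as the first option, as an added example that is not part of the original reply. The PSO, group and user names and the precedence, history and threshold values are constructed; the time values are the table's examples. Note that the .NET TimeSpan text form is d.hh:mm:ss, not ADSI Edit's d:hh:mm:ss.

```powershell
# Added example; needs the ActiveDirectory module (Windows Server 2008 R2 or RSAT).
Import-Module ActiveDirectory

# Constructed sample names and values; replace with your own.
$pso = @{
    Name                        = 'PSO-Example-16char'
    Precedence                  = 10       # must be greater than 0
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24       # 0 through 1024
    MinPasswordLength           = 16       # 0 through 255
    MinPasswordAge              = New-TimeSpan -Days 1
    MaxPasswordAge              = New-TimeSpan -Days 42
    LockoutThreshold            = 10       # 0 disables account lockout
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
    LockoutDuration             = New-TimeSpan -Minutes 30
}
$group = 'FGPP-Example-Group'   # global security group, assumed to exist
$user  = 'Test1'                # test user from the steps above

# Constraints from the table (finite lockout duration assumed): reject bad
# combinations before touching the directory.
function Test-PsoValues ([hashtable]$P) {
    $e = @()
    if ($P.Precedence -le 0) { $e += 'Precedence must be greater than 0' }
    if ($P.MaxPasswordAge -eq [TimeSpan]::Zero) { $e += 'MaxPasswordAge cannot be zero' }
    if ($P.MinPasswordAge -gt $P.MaxPasswordAge) { $e += 'MinPasswordAge exceeds MaxPasswordAge' }
    if ($P.LockoutObservationWindow -gt $P.LockoutDuration) { $e += 'ObservationWindow exceeds LockoutDuration' }
    $e
}

# I8 form used by ADSI Edit and Ldifde: negative count of 100-nanosecond intervals.
function ConvertTo-PsoI8 ([TimeSpan]$Span) { -$Span.Ticks }

$problems = @(Test-PsoValues $pso)
if ($problems.Count) { throw ($problems -join '; ') }

New-ADFineGrainedPasswordPolicy @pso
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects $group
Add-ADGroupMember -Identity $group -Members $user

# Winning PSO for the user; no output means only the domain policy applies.
Get-ADUserResultantPasswordPolicy -Identity $user |
    Format-List Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# MaxPasswordAge as it is stored in msDS-MaximumPasswordAge.
ConvertTo-PsoI8 $pso.MaxPasswordAge
```

    When several PSOs reach the same user, the one with the lowest precedence value wins, and a PSO linked directly to the user wins over one linked through a group.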
  • Fine Grain Password Policy Tool is “Supported” on the following platforms

    • Windows Server 2008
    • Windows Server 2008 R2
    • Windows Vista
    • Windows 7 Beta and later
    • Windows Server 2003 Service Pack 1
    • Windows XP Service Pack 2

    Reference link,


    The above link explains the prerequisites, setup, etc.

    Additionally you can refer to the below links which might help you to set up the Fine Grained password.


    About Fine Grained password policy.




    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com

    Monday, March 12, 2012 6:20 AM
  • Additionally, you may refer to the links below:

    Configuring Granular (Fine-Grained) Password Settings in Windows Server 2008 + video

    Fine-Grained Password Policies in Windows Server 2008

    Windows Server 2008 - Fine Grained Password Policy Walkthrough

    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog


    Monday, March 12, 2012 10:08 AM
  • Hi all, thanks for your replies.

    I have already configured the policy, but I need help with testing it.

    I have tested the policy by resetting the password. For the default policy the password length was 7 characters, and for the new policy which I created I have given 16.

    When I tried to reset the user password with 10 characters, I got a complexity error, as I specified 16 characters. When I typed 18 characters, it got reset.

    I tested the same thing with a user who has the default policy: with 8 characters the password got reset. So with this I conclude that the policy has been applied.

    But my other concern is how to check the password age for the new policy which I applied. I tried to get it with the command below.

    Get-QadUser -Identity John | Fl pass*

    I am getting a blank answer, but when I checked the user who has the default domain policy I am getting a result. So please can anyone let me know how to find the password age and everything related to the password for Fine-Grained Password Policy.

    Tuesday, March 13, 2012 5:05 PM
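One way to read the password age and expiry for a user under a fine-grained policy, as an added example that is not part of the thread. It uses the AD module for Windows PowerShell rather than the Quest Get-QadUser cmdlet, and reuses the account name John from the post above.

```powershell
# Added example; uses the Microsoft ActiveDirectory module, not the Quest cmdlets.
Import-Module ActiveDirectory
$user = 'John'    # account name taken from the post above

$u = Get-ADUser -Identity $user -Properties PasswordLastSet, PasswordNeverExpires,
         'msDS-ResultantPSO', 'msDS-UserPasswordExpiryTimeComputed'

# Effective policy: the winning PSO if one applies, otherwise the domain policy.
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
$source = $u.'msDS-ResultantPSO'
if (-not $policy) {
    $policy = Get-ADDefaultDomainPasswordPolicy
    $source = '(Default Domain Policy)'
}

# pwdLastSet of 0 ("must change at next logon") shows up as an empty PasswordLastSet.
$age = $null
if ($u.PasswordLastSet) { $age = (Get-Date) - $u.PasswordLastSet }

# The DC computes the expiry time from pwdLastSet and the effective maximum age.
# Int64 max means the password never expires; 0 means it must be changed now.
$raw = [int64]$u.'msDS-UserPasswordExpiryTimeComputed'
if ($raw -eq [int64]::MaxValue) {
    $expires = 'never'
} elseif ($raw -eq 0) {
    $expires = 'must change at next logon'
} else {
    $expires = [DateTime]::FromFileTime($raw)
}

New-Object PSObject -Property @{
    User              = $u.SamAccountName
    PolicySource      = $source
    MinPasswordLength = $policy.MinPasswordLength
    MaxPasswordAge    = $policy.MaxPasswordAge
    PasswordLastSet   = $u.PasswordLastSet
    PasswordAge       = $age
    PasswordExpires   = $expires
} | Select-Object User, PolicySource, MinPasswordLength, MaxPasswordAge,
        PasswordLastSet, PasswordAge, PasswordExpires | Format-List
```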