BLOG Published on 2019/11/16 by Asitha De Silva in Tech-Tips

Multiple Password Policies for Domain Users

Active Directory password policy is an old topic, and people rarely talk about it when it comes to improving domain security. That is because once you apply a password policy you never need to look back; no further configuration is required and it stays applied to all users. But with the increase in threats and password attacks, you might need to rethink this and apply a stronger policy to administrative accounts: one with a greater length, complexity requirements, and a lockout that holds after a few failed logon attempts. In this post, let's see how we can implement multiple password policies for different user groups.

There are two ways to implement a password policy for Active Directory domain users: the conventional Group Policy, or fine-grained password policy.

Password policy through Group Policy

This is the traditional and most common method. It was introduced with Windows Server 2000 and still works as expected. By default, the password policy is configured in the Default Domain Policy. The following settings can be configured in the Default Domain Policy.



With the GPO method, you can link a group policy containing password settings to any OU, but the password settings within that GPO will not apply there; they work only at the domain level. A group policy with password settings should be linked at the domain level, not to an OU. You can have multiple GPOs with password settings linked at the domain level, but only one of them, chosen by link order, will apply to all users. So with the GPO method you cannot apply multiple password policies to different users.

Fine-grained Password policies

You can use fine-grained password policies when you want to apply multiple password policies. A fine-grained password policy is defined inside Active Directory by creating a Password Settings Object in the Password Settings Container, and it can be applied to different security groups containing users. This feature was released with Windows Server 2008, where you needed to use ADSI Edit and manually add the configuration items to Active Directory. With Windows Server 2012 this is much simpler: you can follow the GUI wizard or use the PowerShell commands.

Enable fine-grained password policy to user groups

I assume you are using windows server 2012 or later, here I’m using windows server 2016.

  1. Log in to a domain controller and open Active Directory Administrative Center.


  2. Click the domain name and select the Password Settings Container.


  3. Click New > Password Settings.


  4. Name the policy and set the precedence. Precedence represents the priority: when multiple policies apply to a user, the policy with the lowest precedence integer value wins.
  5. Click the Add button to select the user group to which the password policy should apply. Select the user group and click OK.
  6. Click OK to complete the policy.
  7. Once you complete the policy, you can immediately try changing a password to see the result.
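The same procedure carried out with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. It first reads the Default Domain Policy (the GPO method above) as a baseline, then creates a Password Settings Object, applies it to a group, and verifies which policy a given user actually ends up with. The policy name, the group `Privileged-Admins`, the user `adm.jane`, and every setting value are assumptions for illustration; the cmdlets themselves are the module's own.

```powershell
# Added example (not from the original post): create and verify a fine-grained
# password policy for a privileged group with the ActiveDirectory module.
# Assumptions: the module is installed (RSAT or a domain controller), you run as
# a Domain Admin, and a global security group named "Privileged-Admins" already
# exists. Replace the names and values below with your own.
Import-Module ActiveDirectory

$policyName = 'PSO-PrivilegedAdmins'   # assumed policy name
$groupName  = 'Privileged-Admins'      # assumed existing global security group
$testUser   = 'adm.jane'               # assumed member of that group

# 1. Baseline: what the Default Domain Policy (GPO method) currently enforces.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, LockoutThreshold,
                LockoutDuration, MaxPasswordAge

# 2. Create the PSO (wizard step 4). Lower precedence wins when a user is
#    covered by more than one PSO. Lockout and age values are TimeSpans
#    (days.hours:minutes:seconds).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00' `
        -ReversibleEncryptionEnabled $false
}

# 3. Apply the PSO to the group (wizard steps 5 and 6).
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# 4. Verify (wizard step 7): the resultant policy is the one the user really
#    gets after precedence is resolved across every PSO that covers them.
#    A user covered by no PSO returns nothing here and falls back to the
#    Default Domain Policy from step 1.
Get-ADUserResultantPasswordPolicy -Identity $testUser |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold,
                  LockoutDuration
```

Running `Get-ADUserResultantPasswordPolicy` against a sample account from each group is the quickest check that the intended policy, and not one with a lower precedence number, is the one being enforced. Note that PSOs can be applied only to users and global security groups, not to OUs, so the membership of the group is what decides who gets the stronger policy.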


Using this method, you can set multiple password policies for your organization. In the example above, you can have a much stronger password policy for all your privileged access accounts and a standard password policy for normal users.

Hope this post is useful.

Asitha De Silva

Consultant Cloud Solutions

Expert in architecting and implementing cloud-based infrastructure solutions.
