Active Directory password policy is an old topic, and people rarely talk about it when it comes to improving domain security. That is because once you apply a password policy you do not need to look back at it or configure anything further; it stays applied to all users. But with the increase in threats and password attacks, you may need to rethink this and give administrative accounts a stronger policy: a greater minimum length, complexity requirements, and lockout after a small number of failed logon attempts. In this post, let's see how we can implement multiple password policies for different user groups.
There are two ways to implement a password policy for Active Directory domain users: the conventional Group Policy, or a fine-grained password policy.
Password policy through Group Policy
This is the traditional and most common method. It was introduced with Windows Server 2000 and still works as expected. By default, the password policy is configured in the Default Domain Policy. The following settings can be configured in the Default Domain Policy.
With the GPO method, you can link a GPO that contains password policy settings to any OU, but the password policy in that GPO will not apply to domain accounts; password policy for domain accounts works only at the domain level. A GPO with password policy settings should therefore be linked at the domain level, not to an OU. You can have multiple GPOs with password policies linked at the domain level, but only one of them, the one with the highest link priority, is applied to all users. So with the GPO method you cannot apply different password policies to different users.
Fine-Grained Password Policy
You can use fine-grained password policies when you want to apply multiple password policies. A fine-grained password policy is defined inside Active Directory by creating a Password Settings Object in the Password Settings Container, and it can be applied to different security groups containing users. This feature was released with Windows Server 2008, where you had to use ADSI Edit and manually add the configuration items to Active Directory. With Windows Server 2012 this is much simpler: you can follow the GUI wizard or use PowerShell commands.
Enable a fine-grained password policy for user groups
I assume you are using Windows Server 2012 or later; here I'm using Windows Server 2016.
- Log in to a domain controller and open Active Directory Administrative Center.
- Click the domain name and select the Password Settings Container.
- Click New, then Password Settings.
- Name the policy and set the precedence. Precedence represents the priority: when multiple policies apply to a user, the policy with the lowest precedence integer value wins.
- Click the Add button to select the user group to which the password policy should apply. Select the user group and click OK.
- Click OK to complete the policy.
- Once you have completed the policy, you can immediately try changing a password to see the result.
Using this method, you can set multiple password policies for your organization. For example, you can have a much stronger password policy for all your privileged access accounts and a standard password policy for normal users.
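The same two-tier setup can be built with the ActiveDirectory PowerShell module instead of the wizard. This is an added example, not from the original post; the PSO names, the group names "Tier0-Admins" and "Domain Users", and the account "adm.jdoe" are assumptions to replace with your own.

```powershell
# Added example (not from the original post). Group and account names are assumptions.
Import-Module ActiveDirectory

# Stronger policy for privileged accounts. The lower precedence value wins when a
# user falls under more than one PSO.
New-ADFineGrainedPasswordPolicy -Name "PSO-PrivilegedAccounts" -Precedence 10 `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true -Description "Stricter policy for admin accounts"

# Standard policy for everyone else, with a higher (weaker-priority) precedence value.
New-ADFineGrainedPasswordPolicy -Name "PSO-StandardUsers" -Precedence 100 `
    -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 180) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -LockoutDuration (New-TimeSpan -Minutes 15) -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true -Description "Baseline policy for standard users"

# Link each PSO to a global security group (PSOs can only target users and global groups).
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-PrivilegedAccounts" -Subjects "Tier0-Admins"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-StandardUsers" -Subjects "Domain Users"

# Check which policy actually wins for one account: an admin who is also in Domain Users
# should resolve to PSO-PrivilegedAccounts because of its lower precedence value.
Get-ADUserResultantPasswordPolicy -Identity "adm.jdoe" |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Review every PSO and what it applies to, so an admin group left on the weaker
# tier (or a PSO with no subjects at all) is easy to spot.
Get-ADFineGrainedPasswordPolicy -Filter * |
    ForEach-Object {
        [pscustomobject]@{
            PSO        = $_.Name
            Precedence = $_.Precedence
            AppliesTo  = ($_.AppliesTo -join "; ")
        }
    } | Sort-Object Precedence | Format-Table -AutoSize
```

Fine-grained password policies require a domain functional level of Windows Server 2008 or higher; Get-ADUserResultantPasswordPolicy returns nothing for a user covered only by the Default Domain Policy.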
Hope this post is useful
Asitha De Silva