How to enable an Active Directory fine-grained password policy
Overview
This article explains how to enable a fine-grained password policy (FGPP) in Active Directory using Password Settings Objects (PSOs), how FGPP precedence works, and how administrators can manage password complexity requirements for different user groups. It also explores the limitations of native Active Directory fine-grained password policies and introduces a more advanced alternative: ManageEngine ADSelfService Plus’ Password Policy Enforcer.
What is an Active Directory fine-grained password policy?
An FGPP is an Active Directory feature introduced in Windows Server 2008 that allows administrators to apply different password and account lockout policies to specific users and global security groups within a domain.
Traditional password policies configured through the Default Domain Policy apply uniformly across the entire domain and cannot differentiate between privileged accounts, standard users, or department-specific security requirements. FGPPs overcome this limitation by using PSOs to define separate password complexity requirements and lockout settings for different sets of users.
Unlike Group Policy Objects (GPOs), FGPPs are not linked to organizational units (OUs). Instead, they are directly applied to users or global security groups. Once an FGPP is applied, it overrides the password and account lockout settings configured in the Default Domain Policy for those users.
FGPPs are commonly used to:
Enforce stronger password policies for privileged accounts.
Configure stricter account lockout settings for sensitive systems.
Apply separate password policies for contractors, executives, or remote users.
Improve compliance with standards such as NIST and PCI DSS.
Prerequisites: Domain functional level and required permissions
Before configuring an FGPP, ensure the following prerequisites are met:
The domain functional level must be Windows Server 2008 or above.
You must have one of the following:
Membership in the Domain Admins group.
Delegated permissions on the Password Settings Container.
Install Remote Server Administration Tools (RSAT) if managing Active Directory from a workstation.
To manage FGPPs using PowerShell:
Install the Active Directory PowerShell module.
Ensure the device is connected to the domain network.
Keep the following limitations in mind:
FGPPs apply only to:
User objects.
Global security groups.
FGPPs cannot be directly applied to:
OUs.
Computers.
Distribution groups.
The functionality of Active Directory fine-grained password policies
FGPPs are implemented by creating PSOs within the Password Settings Container in Active Directory. Each PSO contains configurable password and account lockout settings such as:
Minimum password length.
Password history count.
Password complexity requirements.
Minimum and maximum password age.
Account lockout threshold.
Lockout duration.
When a user is subject to multiple PSOs, Active Directory resolves the conflict using FGPP precedence: the PSO with the lowest precedence value takes priority. Two further rules decide ties: a PSO applied directly to the user object always wins over any PSO inherited through group membership, and if two candidate PSOs share the same precedence value, the one with the lower GUID is applied.
Administrators can verify the resultant password policy applied to a user using:
Get-ADUserResultantPasswordPolicy -Identity <username>
FGPPs are especially useful for organizations that need stricter password controls for privileged accounts or users with access to sensitive systems.
Steps to enable a fine-grained password policy in Active Directory
Open Active Directory Administrative Center (ADAC).
Click Manage > Add Navigation Nodes.
In the Add Navigation Nodes dialog box, select the required domain and click OK.
In the left pane, expand the System container and open the Password Settings Container.
In the Tasks pane, click New > Password Settings.
Enter the required details for the new PSO.
The following fields are mandatory:
Name
Precedence
The precedence value determines which FGPP applies when users belong to multiple groups with different PSOs assigned. Lower precedence numbers have higher priority.
Configure the required password policy settings:
Minimum Password Length
Password History
Complexity Required
Store Passwords Using Reversible Encryption
Protect from Accidental Deletion
Minimum Password Age
Maximum Password Age
Account Lockout Threshold
Lockout Duration
Under Directly Applies To, click Add.
Enter the name of the user or global security group to which the FGPP should apply.
Click OK.
Review the configuration settings and click OK again to create the PSO.
Creating a fine-grained password policy using PowerShell
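The following script is an added example and is not code from the original article or from ManageEngine. It performs the same steps as the ADAC procedure above with the Active Directory PowerShell module: it checks that the intended subject is a global security group (the only group type an FGPP can apply to), creates the PSO with the fields listed in the procedure, links it, and then confirms the outcome with Get-ADUserResultantPasswordPolicy as described in the precedence section. The names PSO-PrivilegedAccounts, Tier0-Admins and jdoe are placeholders you would replace with your own; the script assumes RSAT is installed and that you run it with Domain Admins rights or delegated rights on the Password Settings Container.

```powershell
# Added example (not from the original article): create a PSO, apply it to a global
# security group, and verify the resultant policy for one of the group's members.
# Placeholder names (assumed): 'PSO-PrivilegedAccounts', 'Tier0-Admins', 'jdoe'.
Import-Module ActiveDirectory

$psoName   = 'PSO-PrivilegedAccounts'   # assumed PSO name
$groupName = 'Tier0-Admins'             # assumed global security group
$testUser  = 'jdoe'                     # assumed member of $groupName

# FGPPs apply only to user objects and global security groups. Distribution groups,
# domain local or universal groups, OUs and computers are not valid subjects, so fail
# early instead of creating a PSO that silently applies to nobody.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupCategory -ne 'Security' -or $group.GroupScope -ne 'Global') {
    throw "FGPP subjects must be global security groups; '$groupName' is a $($group.GroupScope) $($group.GroupCategory) group."
}

# Create the PSO. Name and Precedence are the mandatory fields; the lower the
# Precedence value, the higher the priority when a user is covered by several PSOs.
# LockoutObservationWindow must not exceed LockoutDuration, and MinPasswordAge must be
# shorter than MaxPasswordAge, otherwise the directory rejects the object.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# Equivalent of "Directly Applies To > Add" in ADAC.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Confirm what a member of the group actually gets. The cmdlet returns nothing when
# no PSO applies, in which case the Default Domain Policy governs the account.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $testUser
$default   = Get-ADDefaultDomainPasswordPolicy

if ($null -eq $resultant) {
    Write-Output "$testUser is governed by the Default Domain Policy (min length $($default.MinPasswordLength)); no PSO applies."
} else {
    Write-Output ("{0} -> resultant PSO '{1}' (precedence {2}, min length {3}, lockout threshold {4}); domain default min length is {5}." -f
        $testUser, $resultant.Name, $resultant.Precedence, $resultant.MinPasswordLength,
        $resultant.LockoutThreshold, $default.MinPasswordLength)
}
```

Run the verification part on its own whenever you change group membership or add another PSO: because precedence is resolved per user, the only reliable way to know which settings an account ends up with is to query the resultant policy for that account rather than reading the PSOs.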
Steps to enable a fine-grained password policy with ADSelfService Plus
ManageEngine ADSelfService Plus offers Password Policy Enforcer, an advanced password policy solution that extends the capabilities of native Active Directory FGPPs.
Unlike traditional FGPPs, ADSelfService Plus enables organizations to enforce truly granular password policies across domains, OUs, and groups while helping users create NIST-compliant passwords that are resistant to dictionary and brute-force attacks.
To configure granular password policies in ADSelfService Plus:
Log in to ADSelfService Plus as an administrator.
Navigate to Configuration > Self-Service > Password Policy Enforcer.
Select the policy to which you want to apply the password policy rules.
Enable Enforce Custom Password Policy.
Define the complexity requirements for new passwords by checking the necessary boxes:
Restrict characters: These password policy settings include mandating the number of special, numeric, and Unicode characters. You can also set the type of character with which the password must begin.
Figure 1: The Restrict Characters tab in ADSelfService Plus Password Policy Enforcer.
Restrict repetition: These settings restrict the use of consecutive characters from usernames or previous passwords. Consecutive repetition of the same character can also be restricted.
Figure 2: The Restrict Pattern tab in ADSelfService Plus Password Policy Enforcer.
Restrict pattern: The settings under this tab restrict the use of custom dictionary words, patterns, and palindromes in passwords. You can configure custom regex patterns that your users' passwords must meet, allowing you to define precise password requirements for your organization.
Figure 3: The Restrict Pattern tab in ADSelfService Plus Password Policy Enforcer.
Restrict length: These rules let you set both a minimum and maximum number of characters for the password.
Figure 4: The Restrict Length tab in ADSelfService Plus Password Policy Enforcer.
You can also configure the following settings for your custom password policy.
Override all complexity rules if password length is at least ___: Enable this option to bypass all complexity rules if the password meets or exceeds the specified length.
Password must satisfy at least ___ of the above complexity requirements: Ensure the password complies with a minimum number of the specified complexity rules.
Show this policy requirement in Reset and Change Password pages: Display the rules of your custom password policy on the password reset and change password pages, replacing the default domain password policy.
Enforce this policy in GINA/CP (Ctrl+Alt+Del) screen and ADUC Password resets through Password Sync Agent: Apply the custom password policy configured in ADSelfService Plus during password reset operations via the ADUC interface and during password changes on the Ctrl+Alt+Del screen.
Click Save to finish the configuration.
Validation and confirmation
After configuring Password Policy Enforcer in ADSelfService Plus, validate the policy using a test account to ensure the configured password requirements are enforced correctly.
Assign the configured policy to a test user, group, or OU.
Attempt to reset or change the password using a weak password that violates the configured policy requirements, such as:
A password below the minimum length.
A password without required special or numeric characters.
A dictionary-based password.
A breached or previously used password.
Next, attempt to set a password that satisfies all configured password policy rules and confirm that the password reset or password change operation succeeds.
If Password Sync Agent is enabled, verify that the custom password policy is also enforced during:
Ctrl+Alt+Del password changes.
Active Directory Users and Computers (ADUC) password resets.
Successful validation confirms that the configured granular password policy is functioning as expected across supported password change and reset workflows.
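The weak-then-compliant sequence described above can be scripted for the native FGPP side as well, so that a new PSO is exercised against a non-production account before it is rolled out. The script below is an added example, not code from the article or from ManageEngine. It uses Set-ADAccountPassword -Reset, which performs the same administrative reset on the domain controller that an ADUC reset does, and records whether each constructed candidate was accepted or rejected. The account name svc-fgpp-test, the candidate passwords and the expectations (written for a 15-character, complexity-enabled PSO such as the one created earlier) are assumptions; adjust them to your policy.

```powershell
# Added example (not from the original article): validate a password policy against a
# non-production test account by trying candidates that should fail, then one that
# should pass. Assumed placeholder account: 'svc-fgpp-test'.
Import-Module ActiveDirectory

$testUser = 'svc-fgpp-test'   # assumed non-production test account covered by the PSO

function Test-PasswordReset {
    # Attempt an administrative reset. Returns $true if the directory accepted the
    # password and $false if it was rejected (policy violation surfaces as an error).
    # -Reset is used deliberately: minimum password age is not enforced on resets, so
    # several attempts in a row do not block each other.
    param([string]$Identity, [string]$Candidate)
    $secure = ConvertTo-SecureString -String $Candidate -AsPlainText -Force
    try {
        Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

# Constructed test cases. ExpectAccepted reflects what native FGPP rules decide;
# the third case is accepted by native rules and would only be rejected by a
# dictionary or pattern rule such as the ones Password Policy Enforcer adds.
$cases = @(
    @{ Candidate = 'Short1!';               ExpectAccepted = $false; Why = 'below the 15-character minimum' },
    @{ Candidate = 'aaaaaaaaaaaaaaaaaaaa';  ExpectAccepted = $false; Why = 'single character class, fails complexity' },
    @{ Candidate = 'Winter2024Winter2024!'; ExpectAccepted = $true;  Why = 'season+year pattern: passes native length/complexity, only a dictionary/pattern rule would block it' },
    @{ Candidate = 'Tq7#vR9m!xL2pWz4';      ExpectAccepted = $true;  Why = 'compliant with native length and complexity' }
)

$mismatches = 0
foreach ($case in $cases) {
    $accepted = Test-PasswordReset -Identity $testUser -Candidate $case.Candidate
    $verdict  = if ($accepted -eq $case.ExpectAccepted) { 'OK' } else { 'MISMATCH' }
    if ($verdict -eq 'MISMATCH') { $mismatches++ }
    # Report the reason, not the candidate, so the transcript does not record test passwords.
    Write-Output ("{0,-8} accepted={1,-5} expected={2,-5} {3}" -f $verdict, $accepted, $case.ExpectAccepted, $case.Why)
}

# Leave the account with a fresh random value rather than a known test password.
# Get-Random is not a cryptographic generator; acceptable here only because the
# account is a disposable test identity.
$chars = (48..57) + (65..90) + (97..122) + (33, 35, 36, 37, 64)
$final = -join ((1..24) | ForEach-Object { [char](Get-Random -InputObject $chars) })
[void](Test-PasswordReset -Identity $testUser -Candidate $final)

if ($mismatches -gt 0) {
    Write-Warning "$mismatches case(s) did not match the expected outcome; review the resultant policy with Get-ADUserResultantPasswordPolicy -Identity $testUser."
} else {
    Write-Output 'All cases matched the expected outcome for the native policy.'
}
```

A MISMATCH on one of the "should fail" cases usually means the test account is not actually covered by the PSO (wrong group, a higher-priority PSO, or the Default Domain Policy still applying), which is exactly what the resultant-policy query will show. The third case passing is expected for a native FGPP and illustrates why the article recommends dictionary and pattern rules on top of the built-in settings.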
Tips
Enable breached password protection via the Have I Been Pwned? integration to prevent users from setting compromised passwords.
Test every new FGPP with a non-production account before deployment.
Encourage the use of longer passphrases to improve security while reducing password reset requests.
Enforce password policies during Ctrl+Alt+Del password changes and ADUC password resets using the Password Sync Agent.
Regularly review password and account lockout settings to maintain compliance with security standards such as NIST and PCI DSS.
Enhance AD password policies with advanced complexity requirements using ADSelfService Plus