A fine-grained password policy (FGPP) in Active Directory (AD) lets administrators create and enforce customized password policies for different sets of users and groups within a single domain. This addresses a limitation of the default domain password policy, which applies one set of rules to every account, by allowing password rules to be tailored to specific user roles and organizational requirements.
Using FGPPs is important for enhancing the overall security posture of your organization, ensuring that sensitive accounts are protected without enforcing very stringent restrictions across the entire domain. By implementing FGPPs, organizations are able to match password policies with their operational needs and meet various compliance requirements.
FGPPs can only be applied to certain kinds of AD objects. The table below lists which directory objects can and cannot have an FGPP applied to them.
| Directory objects to which an FGPP can be applied | Directory objects to which an FGPP cannot be applied |
|---|---|
| Users | Nested groups |
| Global security groups | Objects in another domain of the forest (an FGPP cannot be applied across domains) |
| Domain local security groups | OUs |
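As an added example that is not part of the original page, the following PowerShell (ActiveDirectory module, run from a machine with RSAT) creates a PSO and links it only to subjects of the kinds listed in the left column of the table; candidate identities that are OUs, distribution groups or anything else unsupported are reported and skipped rather than handed to the cmdlet. The policy name, account and group names, and distinguished names are assumed placeholders, and the password settings are illustrative values, not recommendations taken from the page.

```powershell
# Added example (not from the original page): create a fine-grained password
# policy (PSO) and link it only to supported subjects. Requires the RSAT
# ActiveDirectory module and rights to create objects under
# CN=Password Settings Container,CN=System,<domain>. All names are placeholders.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'   # assumed policy name

# Create the PSO once. Lower -Precedence wins when several group-linked PSOs
# apply to the same user; a PSO linked directly to the user always wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00' `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

# Resolve an identity and return it only if it is a kind of object the PSO can
# be linked to: a user, or a security group with Global or DomainLocal scope
# (the supported column of the table). OUs, distribution groups and anything
# else resolve to $null and are skipped by the caller.
function Resolve-PsoSubject {
    param([Parameter(Mandatory)][string]$Identity)   # sAMAccountName, DN, SID or GUID
    try { return (Get-ADUser -Identity $Identity -ErrorAction Stop) } catch { }
    try { $g = Get-ADGroup -Identity $Identity -ErrorAction Stop } catch { return $null }
    if ($g.GroupCategory -eq 'Security' -and $g.GroupScope -in @('Global', 'DomainLocal')) {
        return $g
    }
    return $null
}

# Candidate subjects (assumed names). The OU entry is deliberately unsupported.
$candidates = @(
    'adm.jdoe',                                   # user
    'Tier0-Admins',                               # global security group
    'CN=Helpdesk-DL,OU=Groups,DC=example,DC=com', # domain local security group
    'OU=Admins,DC=example,DC=com'                 # OU: not a security principal
)

$subjects = foreach ($c in $candidates) {
    $s = Resolve-PsoSubject -Identity $c
    if ($s) { $s } else { Write-Warning "Skipping '$c': not a user or global/domain local security group" }
}

if ($subjects) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subjects
}

# Show what the PSO is now linked to.
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Select-Object Name, ObjectClass, DistinguishedName
```

Validating subjects before linking them keeps the PSO's msDS-PSOAppliesTo list free of objects the policy engine will never honor, which is the usual cause of "the policy is applied but nothing changed" tickets.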
The order of precedence, from highest to lowest, is:

[Figure: pyramid chart of FGPP precedence, highest precedence at the top]

1. An FGPP applied directly to the user object.
2. An FGPP applied to a global security group of which the user is a member.
3. The default domain password policy, which is in force only when no FGPP applies to the user.

An FGPP linked directly to a user therefore takes precedence over an FGPP linked to a global security group the user belongs to.
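As an added example that is not the page's own, here is a PowerShell audit that makes the precedence rules above visible: it lists every PSO in precedence order, then, for each user in a group, reports which policy is actually in force (`Get-ADUserResultantPasswordPolicy` returns `$null` when only the default domain policy applies), whether the PSO reached the user directly or through a group, and flags accounts whose effective policy is weaker than the default domain policy. Among several group-linked PSOs the one with the lowest Precedence value wins. The group name is an assumed placeholder.

```powershell
# Added example (not from the original page): audit the effective password
# policy per user and flag policies weaker than the domain default.
# Requires the RSAT ActiveDirectory module; the group name is a placeholder.
Import-Module ActiveDirectory

$default = Get-ADDefaultDomainPasswordPolicy

# All PSOs in precedence order. Among PSOs linked via group membership, the
# lowest Precedence value wins; a PSO linked directly to the user beats them all.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo |
    Format-Table -AutoSize

function Get-EffectivePolicyReport {
    param([Parameter(Mandatory)][string]$GroupName)

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            # msDS-PSOApplied is the back-link populated only when a PSO is
            # linked to this user object directly (not via a group).
            $user   = Get-ADUser -Identity $_.distinguishedName -Properties 'msDS-PSOApplied'
            $direct = @($user.'msDS-PSOApplied').Count -gt 0
            $pso    = Get-ADUserResultantPasswordPolicy -Identity $user   # $null = no PSO
            $eff    = if ($pso) { $pso } else { $default }

            [pscustomobject]@{
                User              = $user.SamAccountName
                EffectivePolicy   = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
                LinkedVia         = if (-not $pso) { '-' } elseif ($direct) { 'User' } else { 'Group' }
                Precedence        = if ($pso) { $pso.Precedence } else { $null }
                MinPasswordLength = $eff.MinPasswordLength
                LockoutThreshold  = $eff.LockoutThreshold
                # A PSO can legitimately relax rules (e.g. for service accounts);
                # surface those so they are deliberate rather than accidental.
                WeakerThanDefault = ($eff.MinPasswordLength -lt $default.MinPasswordLength) -or
                                    ($default.LockoutThreshold -gt 0 -and $eff.LockoutThreshold -eq 0) -or
                                    ($default.ComplexityEnabled -and -not $eff.ComplexityEnabled)
            }
        }
}

Get-EffectivePolicyReport -GroupName 'Domain Admins' |
    Sort-Object WeakerThanDefault -Descending |
    Format-Table -AutoSize
```

Running this against privileged groups after every PSO change is a cheap way to catch a low-precedence "relaxed" policy that has silently won over a stricter one because of overlapping group memberships.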
ADSelfService Plus is an identity security solution with MFA, SSO, and password management capabilities. Its Password Policy Enforcer feature allows administrators to enforce custom password policies that seamlessly integrate with AD's built-in password policies. These custom policies offer more granular control, including settings such as restrictions on custom dictionary words, palindromes, and character repetitions. In addition, ADSelfService Plus integrates with Have I Been Pwned to prevent your users from using breached passwords.
What is a fine-grained password policy in AD?
A fine-grained password policy (FGPP) in AD lets administrators create and enforce customized password policies for different user groups within a domain.

What is FGPP precedence in AD?
FGPP precedence in AD is the order in which multiple password policies are applied within a domain; it determines which policy takes effect for a given user.

Does an FGPP override the default domain password policy?
Yes. The FGPP overrides the default domain policy for users or groups that already have an active, enforced FGPP applied to them.

Can multiple FGPPs be created in a single domain?
Yes. AD allows administrators to create and enforce multiple FGPPs within a single domain.

Can an FGPP be applied to an OU?
No. FGPPs cannot be applied directly to OUs because OUs are not security principals. The workaround is a shadow group: create a global security group, add the members of the OU to it, and then apply the FGPP to that group. Because the FGPP follows group membership rather than OU placement, the shadow group has to be kept in sync as accounts move into or out of the OU.
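To make the shadow-group workaround concrete, here is an added PowerShell example (not from the original page) that keeps a global security group's membership in step with the user accounts in an OU and then links an existing PSO to that group. It is idempotent, so it can run on a schedule; because the FGPP follows group membership rather than OU placement, the periodic resync is what keeps the policy correct when accounts are moved. The OU, group and PSO names are assumed placeholders, and the PSO is assumed to exist already.

```powershell
# Added example (not from the original page): keep a shadow group in sync with
# the user accounts in an OU, then link an existing PSO to the group.
# Requires the RSAT ActiveDirectory module. All names below are placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Finance,DC=example,DC=com'   # OU whose users should get the policy
$groupName = 'Shadow-Finance-Users'           # global security group mirroring the OU
$groupPath = 'OU=Groups,DC=example,DC=com'    # where to create the group if missing
$psoName   = 'PSO-Finance'                    # existing PSO to link

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$GroupPath
    )

    # 1. Ensure the shadow group exists as a *global security* group, the scope
    #    the page lists as supported for FGPP subjects.
    $g = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $g) {
        $g = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $GroupPath -Description "Shadow group for $OuDn" -PassThru
    }

    # 2. Desired membership: enabled users anywhere under the OU (Subtree).
    #    Use -SearchScope OneLevel instead if child OUs should be excluded.
    $desired = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $OuDn -SearchScope Subtree |
                 Select-Object -ExpandProperty DistinguishedName)

    # 3. Current membership, compared by DN. Anything not in the OU is removed,
    #    so the group cannot quietly accumulate extra members over time.
    $current  = @(Get-ADGroupMember -Identity $g | Select-Object -ExpandProperty distinguishedName)
    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })

    if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $g -Members $toAdd }
    if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $g -Members $toRemove -Confirm:$false }

    [pscustomobject]@{
        Group   = $g.DistinguishedName
        Added   = $toAdd.Count
        Removed = $toRemove.Count
        Members = $desired.Count
    }
}

$summary = Sync-ShadowGroup -OuDn $ouDn -GroupName $groupName -GroupPath $groupPath
$summary

# 4. Link the PSO to the shadow group if it is not linked already.
$linked = @(Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
            Select-Object -ExpandProperty DistinguishedName)
if ($linked -notcontains $summary.Group) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $summary.Group
}

# 5. Spot-check one user from the OU: the resultant policy should now be the PSO.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ouDn -ResultSetSize 1 |
    ForEach-Object { Get-ADUserResultantPasswordPolicy -Identity $_ | Select-Object Name, Precedence }
```

The removal step matters as much as the addition step: an account moved out of the OU but left in the shadow group keeps the OU's policy, which is exactly the drift the sync is meant to prevent. Run it under an account with rights to modify the group and, if the group must be created, the target OU.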