What is FGPP precedence in Active Directory?

Written by Melvin Monachan | Password management | 3 min read


FGPP precedence in AD explained

A fine-grained password policy (FGPP) in Active Directory (AD) gives administrators the ability to create and enforce customized password policies for different user groups within a domain. This feature addresses the limitations of the default domain password policy (one set of password rules for every account in the domain) by allowing password rules to be tailored to specific user roles and organizational requirements.

Using FGPPs is important for enhancing the overall security posture of your organization, ensuring that sensitive accounts are protected without enforcing very stringent restrictions across the entire domain. By implementing FGPPs, organizations are able to match password policies with their operational needs and meet various compliance requirements.

Application of an FGPP in AD

FGPPs can only be applied to certain kinds of AD objects. The table below summarizes which directory objects an FGPP can and cannot be applied to.

Directory objects on which an FGPP can be applied:
  • Users
  • Global security groups
  • Domain local security groups

Directory objects on which an FGPP cannot be applied:
  • Nested groups
  • Objects in a different domain of the forest (an FGPP cannot be applied across domains)
  • OUs

How to determine which FGPP takes precedence

The order of precedence is given in a descending manner:

[Fig. 1: A pyramid chart showing the FGPP precedence order (descending) in Windows AD.]

The pyramid chart above represents the FGPP precedence in descending order. FGPP settings applied directly to a user take precedence over FGPP settings applied to a global security group of which the user is a member.

How does AD resolve conflicts between multiple policies?

  • FGPP settings applied directly to users always take precedence over those settings applied to groups.
  • If multiple FGPPs are applied to a user, the FGPP with the lowest precedence value (that is, the highest priority) is applied.
  • If two FGPPs with the same precedence value are applied to a user, then the FGPP with the lowest Globally Unique Identifier (GUID) value is applied.
  • If no specific FGPP is applied to a user or group, the default domain-wide password policy is applied.
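As an added example that is not part of the original article, the following PowerShell audit uses the ActiveDirectory module to make the resolution rules above visible in a real domain: it lists every FGPP with its precedence and subjects, warns about FGPPs that share a precedence value (the case where the GUID tie-break decides), and reports the resultant policy for one user. The account name `jdoe` is a placeholder.

```powershell
# Added example: audit FGPP precedence and report the resultant policy for one user.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Placeholder account; replace with the sAMAccountName you want to check.
$UserName = 'jdoe'

# 1. List every FGPP (PSO) with its precedence value and the users/groups it is linked to.
$psos = Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo
$psos |
    Sort-Object Precedence |
    Select-Object Name, Precedence, ObjectGUID,
        @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } } |
    Format-Table -AutoSize

# 2. Flag FGPPs that share a precedence value. For those, AD falls back to the
#    lowest objectGUID, which is effectively arbitrary, so give each PSO a unique number.
$psos |
    Group-Object Precedence |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        Write-Warning ("Precedence {0} is shared by: {1}" -f $_.Name, ($_.Group.Name -join ', '))
    }

# 3. Resultant policy for the user. The cmdlet returns nothing when no FGPP applies to the
#    user (directly or through group membership); the default domain policy is then in effect.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $UserName
if ($null -eq $resultant) {
    Write-Host "No FGPP applies to $UserName; the default domain policy is in effect."
    $resultant = Get-ADDefaultDomainPasswordPolicy
} else {
    Write-Host "Resultant FGPP for $UserName is '$($resultant.Name)' (precedence $($resultant.Precedence))."
}
$resultant |
    Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
        MaxPasswordAge, LockoutThreshold |
    Format-List
```

Run step 3 for a sample user from each group after changing any FGPP or group membership; the resultant policy is what the domain controller actually enforces, regardless of what the precedence numbers suggest.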

Some best practices to follow when setting up FGPPs

  • Identify the security requirements and operational needs of different user groups and tailor the FGPP settings accordingly to align with your organization's requirements.
  • Apply FGPP settings to global or domain local security groups rather than individual users whenever possible. This approach aids with management and ensures consistent application of policies across all group members.
  • Maintain documentation of your FGPP settings, including which policies were applied to which users or groups, to aid in audits and troubleshooting scenarios.
  • Review and update FGPP settings regularly to align with evolving security best practices, regulatory requirements, and organizational changes.

Enforce stringent password policies with ADSelfService Plus

ADSelfService Plus is an identity security solution with MFA, SSO, and password management capabilities. Its Password Policy Enforcer feature allows administrators to enforce custom password policies that seamlessly integrate with AD's built-in password policies. These custom policies offer more granular control, including settings such as restrictions on custom dictionary words, palindromes, and character repetitions. In addition, ADSelfService Plus integrates with Have I Been Pwned to prevent your users from using breached passwords.

People also ask

What is FGPP in AD?

Fine-grained password policy (FGPP) in AD provides administrators with the ability to create and enforce customized password policies for different user groups within a domain.

What is precedence in FGPP?

FGPP precedence in AD refers to the order in which multiple password policies are applied within a domain environment.

Does the FGPP override the default domain policy?

Yes, the FGPP overrides the default domain policy when users or groups already have an active, enforced FGPP applied to them.

Can you have multiple FGPPs?

Yes, AD allows administrators to create and enforce multiple FGPPs within a single domain.

Can you apply an FGPP to an OU?

FGPPs cannot be applied directly to OUs because OUs are not security principals. However, you can create a shadow group (a global security group whose membership mirrors the users in an OU), add the members of the OU to it, and then apply the FGPP to this shadow group.
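As an added example that is not part of the article, this PowerShell script implements the shadow-group approach with the ActiveDirectory module: it creates the global security group if needed, keeps its membership in sync with the users in the OU (adding new users and removing those who left), and links the FGPP to the group only if it is not already linked. The OU path, group name, group location and FGPP name are placeholders.

```powershell
# Added example: maintain a shadow group for an OU and apply an FGPP to it.
# Run on a schedule so the group tracks users joining or leaving the OU.
Import-Module ActiveDirectory

# Placeholders: adjust to your environment.
$OuDn      = 'OU=Finance,DC=example,DC=com'
$GroupName = 'Shadow-Finance-PSO'
$GroupPath = 'OU=Groups,DC=example,DC=com'
$PsoName   = 'Finance-Strict-Passwords'

# 1. Create the shadow group once. An FGPP can only be linked to security principals,
#    and a global security group is one of the supported targets.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupPath -Description "Shadow group for $OuDn" -PassThru
}

# 2. Sync membership: users currently in the OU (direct children only) vs. current members.
$ouUsers = Get-ADUser -Filter * -SearchBase $OuDn -SearchScope OneLevel
$members = Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' }

$toAdd    = @($ouUsers | Where-Object { $_.DistinguishedName -notin $members.DistinguishedName })
$toRemove = @($members | Where-Object { $_.DistinguishedName -notin $ouUsers.DistinguishedName })

if ($toAdd.Count -gt 0)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

# 3. Link the FGPP to the shadow group if it is not already a subject of that policy.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName
if ($group.DistinguishedName -notin $subjects.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $group
}

Write-Host ("{0}: +{1} / -{2} members; FGPP '{3}' linked." -f `
    $GroupName, $toAdd.Count, $toRemove.Count, $PsoName)
```

Because the policy follows group membership rather than the OU itself, a user moved out of the OU keeps the FGPP until the next sync run, so schedule it at an interval that matches how quickly such changes must take effect.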
