Pricing  Get Quote

Fine-grained password policy (FGPP)

Active Directory comes bundled with a default password policy that defines configurable rules for user account password creation. The rules include minimum and maximum password age, length, complexity, history, and encryption settings. This traditional password policy, however, cannot be customized for a specific set of users, groups, or OUs because it is only applicable to the entire domain to which it is linked. To overcome this significant drawback, Active Directory offers the fine-grained password policy (FGPP) feature (in Windows Server 2008 and later versions) that allows password policies to be tailored to different users and groups within the domain.

The scope and functionality of an FGPP

  • To use an FGPP, the domain must operate at a functional level of Windows Server 2008 and above.
  • FGPPs work by creating multiple Password Settings Objects (PSOs) inside the domain. Password and account lockout policies can be customized in each PSO.
  • Domain admins or users with delegated permissions can create and assign PSOs in the Active Directory Administrative Center or using PowerShell. For detailed steps, visit this webpage.
  • FGPP PSOs are applicable only to user objects and global security groups.
  • When an FGPP is applied to a set of users or global security groups in a domain, the default domain password policy is no longer applicable to those objects.
  • FGPPs can be used in cases where user accounts accessing sensitive data or synchronized with multiple confidential data sources require stricter password and account lockout policies.

Drawbacks of FGPPs

  • FGPPs do not do justice to the term "fine-grained" since they are not applicable to OUs.
  • They are not deployed using Group Policy Objects and take effect for users only based on their group memberships.
  • Applying and managing multiple FGPPs can be a challenging task due to the complications involved in keeping track of the assigned policies.
  • Because of their limited password and account lockout settings, FGPPs cannot meet password compliance regulations such as the NIST password standards.
  • FGPPs cannot prevent sophisticated, modern password attacks like dictionary and brute-force attacks.

How ADSelfService Plus fortifies passwords to secure identities

ADSelfService Plus offers the Password Policy Enforcer feature to help employees in your organization set NIST-compliant, sophisticated passwords that are almost impossible to crack. With ADSelfService Plus, you can enforce custom password policies that seamlessly integrate with the built-in Active Directory password policies, providing more granular control than the latter. These custom password policies provide numerous intricate password settings, including restrictions on custom dictionary words, palindromes, and character repetitions.

  • Restrict characters: These password policy settings include mandating the number of special, numeric, and Unicode characters. You can also set the type of character with which the password must begin.

    Fine-grained password policy (FGPP)

  • Restrict repetition: These settings restrict the use of consecutive characters from usernames or previous passwords. Consecutive repetition of the same character can also be restricted.

    Fine-grained password policy (FGPP)

  • Restrict pattern: The settings under this tab restrict custom dictionary words, patterns, and palindromes that might be commonly used.

    Fine-grained password policy (FGPP)

  • Restrict length: These rules let you set both a minimum and maximum number of characters for the password.

    Fine-grained password policy (FGPP)

Still wondering if your organization should try ADSelfService Plus? Here is why you should not hesitate:

ADSelfService Plus' Password Policy Enforcer gives you the following benefits:

  • Helps users pick strong passwords
  • Encourages passphrases
  • Implements granular password policies
  • Analyzes password strength
  • Enforces policies universally
  • Meets compliance regulations
  • Enhances the user experience

Reinforce your business's cyberdefense with ADSelfService Plus, an integrated self-service password management, multi‑factor authentication, and single sign-on solution that helps your employees adopt best practices for passwords.

Enforce password security best practices with ADSelfService Plus

  Download a free trial now!  Request demo


Request Support

Need further assistance? Fill this form, and we'll contact you rightaway.


Password self-service

Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console. 

One identity with Single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus! 

Password/Account Expiry Notification

Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.

Password Synchronizer

Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more. 

Password Policy Enforcer

Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.

Directory Self-UpdateCorporate Search

Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.

ADSelfService Plus trusted by

A single pane of glass for complete self service password management