Before Windows Server 2008, password management had a limitation: only one password policy and one lockout policy could be applied to all users in the domain. As a result, some organizations created several domains just to manage different sets of user password policies.
With Windows Server 2008, Microsoft introduced the Fine-Grained Password Policy. With this object, you can create multiple password policies in the same domain and assign each one to a specific user group. However, there was no built-in GUI to create a fine-grained policy. We had to use ADSIEdit and the Attribute Editor to assign a policy to a user group.
Windows Server 2012 adds a wizard to Active Directory Administrative Center for creating fine-grained policies. Let's see how it makes the task easier.
We need to use Active Directory Administrative Center to create a fine-grained policy with the GUI.
- Go to Active Directory Administrative Center:
- Select your domain on the left, and click on System container:
- Select Password Settings Container:
- Select New and Password Settings on the right:
Fine-grained custom policy
The wizard to create your custom policy now appears.
- Set information required by the wizard, like password length, complexity,…
- Assign this policy to a user group.
Resultant of policy
Active Directory Administrative Center lets us quickly check the password policy that applies to a user:
- Go to the user account.
- Right-click it and select “View Resultant password settings”.
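The same create, assign and verify steps can be scripted with the ActiveDirectory PowerShell module, which also makes it easy to check the resultant policy for every member of the group at once. This is an added example, not part of the original article; the policy name, group name and all setting values are hypothetical and should be replaced with your own.

```powershell
# Added example. Policy name, group name and setting values are constructed placeholders.
Import-Module ActiveDirectory

$PolicyName = 'PSO-PrivilegedAdmins'   # hypothetical policy name
$GroupName  = 'PrivilegedAdmins'       # hypothetical group name

# A fine-grained policy can only be applied to users and global security groups.
$group = Get-ADGroup -Identity $GroupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "Group '$GroupName' must be a global security group to receive a password policy."
}

# Create the policy only if it does not exist yet, so the script can be re-run.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName `
        -Precedence 10 `
        -MinPasswordLength 15 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00' `
        -ProtectedFromAccidentalDeletion $true
}

# Assign the policy to the group unless it is already one of its subjects.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName
if ($group.DistinguishedName -notin $subjects.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $group
}

# Scripted "View resultant password settings" for each direct user member.
# AsExpected is False when another policy wins on precedence or none applies.
Get-ADGroupMember -Identity $group |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User            = $_.SamAccountName
            ResultantPolicy = if ($rp) { $rp.Name } else { '(default domain policy)' }
            Precedence      = $rp.Precedence
            AsExpected      = ($rp.Name -eq $PolicyName)
        }
    }
```

Any row with `AsExpected` set to `False` is an account where the intended policy is not the one in effect, typically because a policy with a lower precedence value also applies to that user.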
You can find more information about fine-grained password policies here.