Microsoft introduced the concept of Fine-grained Password Policies in Active Directory back in Windows Server 2008. From that day on, Active Directory admins could granularly roll out Password and Account Lockout Policies to groups and individual users. It was, however, such a painful experience that many books suggested using the free SpecOps Password Policy Basic tool to set fine-grained password policies instead of the built-in PowerShell commands.
What’s New
Now, in Windows Server 2012, the Active Directory team has finally created a Graphical User Interface (GUI) for Fine-grained Password Policies. Just like the Active Directory PowerShell History Viewer and the Active Directory Recycle Bin, it’s part of the Active Directory Administrative Center.
Note:
There are no changes under the hood for Fine-grained Password Policies. These policies are still only applicable to user objects and groups, not OUs.
Creating a Fine-grained Password Policy in the GUI
If you want to, you can create a Fine-grained Password Policy without a link within the Active Directory Administrative Center. For this purpose, open the Active Directory Administrative Center, using an account with sufficient permissions to create Fine-grained Password Policies.
In the left navigation pane, head to the System container under the domain root and from there drill deeper until you reach the Password Settings Container. This is where Fine-grained Password Policies live in Active Directory:
Now, you can use the New and then Password Settings commands from the task pane on the right, or simply right-click within the middle pane and make the same selections from the context menu to create a Fine-grained Password Policy.
In the Create Password Settings screen, you can give the Fine-grained Password Policy a meaningful name and a Precedence. (Both fields are mandatory.)
Tip!
Precedence allows you to give Fine-grained Password Policies priority over other Fine-grained Password Policies. Fine-grained Password Policies applied to users directly always take precedence over Fine-grained Password Policies applied to groups the user is a member of. If you work with multiple Fine-grained Password Policies, make sure the most important ones have a Precedence value of 1.
In the Directly Applies To section you can specify groups and/or users that will be subject to this Fine-grained Password Policy.
Assigning a Password Policy to a user in the GUI
To assign a Fine-grained Password Policy directly to a user, open the properties of a user account in the Active Directory Administrative Center. In the left pane, select Password Settings. Use the Assign… button to select a Fine-grained Password Policy:
Use the Check Names functionality to make picking easier and click OK when done.
Assigning a Password Policy to a group in the GUI
Assigning a Fine-grained Password Policy to a group is as straightforward as assigning a Fine-grained Password Policy to a user. Open the properties of a group, scroll down to Password Settings or click it in the left pane, and add or remove password policies as you see fit:
View resultant password settings for a user
If, at any time, you’re unclear which Fine-grained Password Policy applies to a user, use the built-in capabilities of the Active Directory Administrative Center to view the resultant password settings. For this feature, simply right-click a user, and select View resultant password settings… from the context menu:
This command will open the applied Fine-grained Password Policy for the user object.
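The same create, assign and verify steps can be scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the original post; the policy, group and user names and all setting values are hypothetical and should be replaced with your own.

```powershell
# Added example: names and setting values are hypothetical, not from the original post.
Import-Module ActiveDirectory

$policyName = 'PSO-ServiceDesk'      # hypothetical policy name
$groupName  = 'ServiceDesk-Admins'   # hypothetical group (sAMAccountName)
$userName   = 'jdoe'                 # hypothetical user (sAMAccountName)

# 1. Create the policy in the Password Settings Container if it does not exist yet.
#    Name and Precedence are the two mandatory fields, as in the GUI.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 1 `
        -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00' -ProtectedFromAccidentalDeletion $true
}

# 2. Link the policy to the group (the "Directly Applies To" section), skipping
#    the call when the group is already a subject of the policy.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $policyName |
    Select-Object -ExpandProperty SamAccountName
if ($subjects -notcontains $groupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName
}

# 3. Review all policies ordered by Precedence, with the users and groups each one
#    applies to, so overlapping assignments are visible in one table.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
    [pscustomobject]@{
        Precedence = $_.Precedence
        Name       = $_.Name
        MinLength  = $_.MinPasswordLength
        Lockout    = $_.LockoutThreshold
        AppliesTo  = (Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
                        Select-Object -ExpandProperty Name) -join ', '
    }
} | Format-Table -AutoSize

# 4. View the resultant password settings for one user. The cmdlet returns nothing
#    when no Fine-grained Password Policy applies; the domain policy is then in effect.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $userName
if ($resultant) {
    $resultant | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
} else {
    Write-Output "No Fine-grained Password Policy applies to $userName."
    Get-ADDefaultDomainPasswordPolicy
}
```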
Concluding
Now that Fine-grained Password Policies can be managed from the Graphical User Interface (GUI) of the Active Directory Administrative Center (ADAC), it has become much easier to manage password and lockout settings for (groups of) users.