How-to: Configure password policies in Active Directory

This is a guide on how to configure password policies for your Active Directory environment with FGPP.

Fine-Grained Password Policies (FGPP)

We will be using FGPP to configure the policies. It is very easy to use and is built in natively.

All you need is a forest functional level running at least Windows Server 2008 and administrative rights on a domain controller.

How to create/manage PSOs (Password Settings Objects)

You will need to open the Active Directory Administrative Center (ADAC).
This can be done under Tools in Server Manager or by typing dsac.exe in the Run dialog.

Then you will have to navigate to ad (local) > System > Password Settings Container.

Here you can click New under System on the right side of the window.

Now you can configure your password policy.

Understanding precedence

Only 1 password policy can be applied to a user/group. But obviously, you can create multiple PSOs (Password Settings Objects).

So which one will be the winner? What PSO will be applied?

When you create a PSO, you have to type in what the precedence should be.
It has to be an integer between 1 and 2147483646.

The PSO with the lowest precedence value will win!

But be careful, there is a hidden precedence.

If a user is directly attached/assigned a PSO, then that PSO will always win.

If no PSO is targeted at a user/group, then the default domain policy GPO will be used.

This is the precedence hierarchy.
1. Directly attached/assigned PSO to a user.
2. The PSO with the lowest precedence integer among those assigned to security groups that the user is a member of.
3. The default domain policy if no PSO is linked to a user.

What will happen if a user is linked to 2 PSOs with the same precedence integer?

The PSO with the mathematically lowest PSO GUID will win.

My recommendations

First of all, it is recommended to assign PSOs to new security groups.
For example, create a security group called sec_very_hard_password. Then add the users that you want to be very miserable to that security group.

It is not recommended to attach a PSO directly to a user unless you have a very small environment.
It can quickly get messy and hard to manage if you have a lot of directly attached PSOs.

I recommend creating a base PSO with a precedence of 100.
This will be the password policy for all users, unless another PSO is created with lower precedence.


It is possible to manage FGPP via PowerShell. You will have to use the New-ADFineGrainedPasswordPolicy cmdlet.
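
The setup recommended above (a base PSO with precedence 100 plus a stricter PSO on a dedicated security group), sketched with the ActiveDirectory module. This is an added example, not part of the original guide; the PSO names, the user jdoe and all policy values are assumptions chosen for illustration.

```powershell
# Added example, not from the original guide. Needs the ActiveDirectory module (RSAT).
# PSO names, the user 'jdoe' and all policy values are illustrative assumptions.
Import-Module ActiveDirectory

# Settings shared by both PSOs.
$common = @{
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    PasswordHistoryCount            = 24
    MinPasswordAge                  = '1.00:00:00'    # d.hh:mm:ss
    MaxPasswordAge                  = '365.00:00:00'
    LockoutThreshold                = 10
    LockoutObservationWindow        = '00:15:00'
    LockoutDuration                 = '00:15:00'      # must not be shorter than the window
    ProtectedFromAccidentalDeletion = $true
}

# Base PSO with precedence 100, linked to the built-in global group "Domain Users".
New-ADFineGrainedPasswordPolicy -Name 'PSO_Base' -Precedence 100 -MinPasswordLength 12 @common
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO_Base' -Subjects 'Domain Users'

# Stricter PSO with a lower precedence value, linked to a dedicated security group.
New-ADGroup -Name 'sec_very_hard_password' -SamAccountName 'sec_very_hard_password' -GroupScope Global -GroupCategory Security
New-ADFineGrainedPasswordPolicy -Name 'PSO_VeryHard' -Precedence 10 -MinPasswordLength 20 @common
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO_VeryHard' -Subjects 'sec_very_hard_password'
Add-ADGroupMember -Identity 'sec_very_hard_password' -Members 'jdoe'

# Which policy actually applies to the user? The cmdlet returns nothing when no PSO
# applies, in which case the default domain policy is in effect.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
if ($effective) {
    $effective | Select-Object Name, Precedence, MinPasswordLength
} else {
    Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, LockoutThreshold
}

# Audit: list every PSO by precedence and flag those attached directly to users,
# since a direct assignment overrides any group-based PSO.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
    $direct = @(Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
                Where-Object ObjectClass -eq 'user')
    [pscustomobject]@{
        Name        = $_.Name
        Precedence  = $_.Precedence
        DirectUsers = ($direct.SamAccountName -join ', ')
    }
}
```

For jdoe the resultant policy should be PSO_VeryHard, because precedence 10 is lower than the base PSO's 100. A non-empty DirectUsers column in the audit output points at the directly attached PSOs that the recommendations above advise against.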

More info here:

