Configuring Fine-Grained Password Policies

Password polices are designed to control what kind of password a user can have and how often the user needs to change it. Strong password policies are important to help protect your system and data from malicious attack. Best practices for configuring password policies on the Windows Server platform and in Active Directory environments has evolved over the years. For example, see Password Best Practices at http://technet.microsoft.com/en-us/library/cc784090(v=WS.10).aspx which applies to Windows Server 2003 and then compare this with the recommendations in the latest version of the Microsoft Security Compliance Manager which can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=16776.

In Windows Server 2003 and earlier, you could have only a single password policy and account lockout policy governing all user accounts in a domain. This password policy could be configured by editing the Default Domain Policy Group Policy object (GPO)—specifically, the six policy settings found under Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy. Each domain also had three account lockout policy settings found under Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

With the release of Windows Server 2008 however, you could configure password policies at the per user and per group level in your environment. This new feature was called fine-grained password policies and provided Active Directory administrators with greater flexibility for controlling passwords in their environment. The problem on Windows Server 2008 however was that you needed to use ADSI Edit and LDIFDE to create and configure fine-grained password policies. For a good illustration of the complexity involved in implementing fine-grained password policies on Windows Server 2008 you can see this old post by eleven-time Directory Services MVP UlfBSimon-Weidner on his MSMVPs blog at http://blogs.msmvps.com/ulfbsimonweidner/2007/03/12/windows-server-quot-longhorn-quot-granular-password-settings/.

Beginning with Windows Server 2012 however, the task of creating and configuring fine-grained password policies has now been greatly simplified by enabling you to use the GUI-based Active Directory Administrative Center (ADAC) for these purposes. You can also use ADAC to view the resultant password settings for particular users in your environment to ensure fine-grained password policies has been configured as you originally intended.

This article explains how the fine-grained password policies works and how you can configure and use this feature in Active Directory environments that have domain controllers running Windows Server 2012 and/or Windows Server 2012 R2. The explanation and procedures in the next few sections are adapted from my book Training Guide: Installing and Configuring Windows Server 2012 R2 (Microsoft Press, 2014) which is available from http://www.amazon.com/exec/obidos/ASIN/0735684332/. The final section of this article includes some additional tips and gotchas concerning fine-grained password policies that I’ve gleaned from the larger IT pro community including the almost 100,000 followers of our WServerNews weekly newsletter which you can subscribe to at http://www.wservernews.com/subscribe.htm.

Understanding fine-grained password policies

Fine-grained password policies can be assigned to users or groups. If a user belongs to more than one group that has a fine-grained password policy assigned to it, the precedence value of each policy is used to determine which policy applies to members of the group. The precedence value of a policy must be an integer value of 1 or greater. If multiple policies apply to the same user, the policy having the lowest precedence value wins.

For example, consider a scenario where a user named Karen Berg in the corp.contoso.com domain is a member of two groups: the Marketing group and the Sales group. Fine-grained password policies have been configured as follows:

• A fine-grained password policy having a precedence value of 1 has been created and assigned to the Marketing group.
• A fine-grained password policy having a precedence value of 2 has been created and assigned to the Sales group.

Because Karen belongs to both groups, both policies apply to her, but the one with the lowest precedence value (the policy assigned to the Marketing group) is the one that takes effect.

Note that if two fine-grained password policies have the same preference value and both policies apply to the same user, the policy with the smallest globally unique identifier (GUID) wins.

Best practices for implementing fine-grained password policies

When planning to implement fine-grained password policies within your Active Directory environment, you should follow these best practices:

• Assign policies to groups instead of individual users for easier management.
• Assign a unique preference value to each fine-grained password policy you create within a domain.
• Create a fallback policy for the domain so that users who don’t belong to any groups that specifically have fine-grained password policies assigned to them will still have password and account lockout restrictions apply when they try to log on to the network. This fallback policy can be either of the following:
  • The password and account lockout policies defined in the Default Domain Policy GPO
  • A fine-grained password policy that has a higher precedence value than any other policy

For example, let’s look at how you might implement a fallback policy for your domain. Consider a scenario where the corp.contoso.com has three groups: Marketing, Sales, and Human Resources. Fine-grained password policies have been configured as follows:

• A fine-grained password policy having a precedence value of 1 has been created and assigned to the Marketing group.
• A fine-grained password policy having a precedence value of 2 has been created and assigned to the Sales group.
• No fine-grained password policy has been assigned to the Human Resources group.

To ensure that password and account lockout restrictions apply when members of the Human Resources group try to log on to the network, you can do either of the following:

• Configure password and account lockout policy settings in the Default Domain Policy GPO for the domain.
• Create a fine-grained password policy that has a precedence value of 100, and assign this policy to the Domain Users group.

Note that the recommended approach is to use the second option mentioned because Default Domain Policy is a legacy feature dating back to the Windows NT era while fine-grained password policies are the future.

Creating fine-grained password policies

Before you can create fine-grained password policies for a domain, you must ensure that the domain functional level is Windows Server 2008 or newer. This can be done using either ADAC or Windows PowerShell as described in the previous topic in this lesson. Note that Domain Admin credentials or greater are required to raise the domain functional level for a domain.

Fine-grained password policies for a domain are stored in the Password Settings Container, which is found under System, as shown in Figure 1.

Figure 1: Fine-grained password policies are stored in the Password Settings Container.

To create a new fine-grained password policy using ADC, follow these steps:

1. Display the Password Settings Container either in the navigation pane or management list pane.
2. Right-click on the Password Settings Container, and select New. Then select Password Settings.
3. Fill in the appropriate information on the Create Password Settings properties page, shown in Figure 2.
4. Click Add, and locate the group or groups you want the policy to apply to. Then click OK to create the new policy.
5. Repeat the preceding steps to create additional fine-grained password policies as needed for your environment.

Figure 2: Creating a new fine-grained password policy.

Note:
You can also use Windows PowerShell to create, modify, or delete fine-grained password policies for your domain. For example, you can use the New-ADFineGrainedPasswordPolicy cmdlet to create a new fine-grained password policy. You can also use the Set-ADFineGrainedPasswordPolicy cmdlet to modify an existing fine-grained password policy. And you can use the Remove-ADFineGrainedPasswordPolicy cmdlet to delete a fine-grained password policy that is no longer needed in your environment. Use the Get-Help cmdlet to display the syntax and examples for each of these cmdlets.

Viewing the resultant password settings for a user

You can also use ADAC to view the resultant password settings for users in a domain. This is useful both for ensuring that you have created and assigned fine-grained password policies as you intended for your environment and also for troubleshooting problems with policies not being applied as expected.

To view the resultant password settings for a particular user, first locate the user in Active Directory either by browsing using the navigation pane or by using the Global Search tile. Then right-click on the user account and select View Resultant Password Settings as shown in Figure 3. The fine-grained password policy that displays is the one that applies to the user who has the lowest precedence value.

Figure 3: Viewing the resultant set of policies for a user.

Note:
You can also use Windows PowerShell to view the resultant password settings for a user. You can do this using the Get-ADUserResultantPasswordPolicy cmdlet. Use the Get-Help cmdlet to display the syntax and examples for this cmdlet.

Tips and Gotchas

Because of fine-grained password policies you can now have multiple password policies that may apply to a particular user in your domain. However, at any given time the Active Directory object associated with that user account can only have a single password policy applied to it, namely the first policy that is applied to the object. Be aware of this fact as it can help you troubleshoot problems associated with how fine-grained password policies are being applied in your environment.

Only administrators can use the Windows PowerShell cmdlets for managing fine-grained password policies, such as Get-ADFineGrainedPasswordPolicy, Get-ADFineGrainedPasswordPolicySubject, Get-ADUserResultantPasswordPolicy and so on (see http://technet.microsoft.com/en-us/library/ee617255). If you need non-admins such as helpdesk and support personnel to be able to use these cmdlets, you will need to delegate the following Active Directory permissions to them:

• Read access to the FGPP container located at CN=Password Settings Container,CN=System,DC=etc and also read access to the FGPP objects stored in that container
• Read access to the msDS-PSOApplied attribute on the user objects
• Read access to the msDS-ResultantPSO attribute on the user objects

Fine-grained password policies can’t be directly applied to organizational units (OUs) but there is a way around this by using something called shadow groups. See the following TechNet Forum thread for more information: https://social.technet.microsoft.com/Forums/en-US/8a72ed92-633d-4139-afcc-6ff72f4685a8/how-to-implement-the-different-password-policy-on-a-particular-ou?forum=winserverDS.

If you edit passfilt.dll on your domain controllers to customize it to filter domain accounts, you should be aware that fine-grained password policy rules will then be applied in addition to your custom password filters. In certain circumstances this can cause performance issues when changing passwords, so be sure to test your customizations thoroughly before implementing them in your production environment because a SAM lock is maintained on the user account while the password policies are being processed for it. Note also that if you want your custom password filter to be applied only to certain users or groups, you will have to code such functionality into your filter. Finally, paramters cannot be passed from fine-grained password policies to custom password filters, so you can’t use a fine-grained password policy rule tell your filter which sub-rule it should apply. For more information on using password filters, see http://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx. Also see the links and recommendations in this thread on the Windows Server forum on TechNet: https://social.technet.microsoft.com/Forums/windowsserver/en-US/9f555364-3046-4205-9e68-c36f9e7147ee/edit-passfiltdll?forum=winserverDS.

Finally, while fine-grained password policies can be configured for Active Directory Domain Services (AD DS) environments, they cannot be configured in Active Directory Lightweight Directory Services (AD LDS) environments since AD LDS does not include such functionality.