Windows Server 2008 Fine-grained Password Policies

One of the major improvements in the Windows Server 2008 Active Directory is the ability to create fine-grained password and account lockout policies. As you might know, in Windows Server 2003 and Windows 2000, you could only create a single password policy and that policy applied to all domain members. Actually, you could use workarounds for this limitation, such as create separate domains for users who required different password policies and configure a trust between those domains, or you could create a custom .dll filter that you would install on each of your domain controllers. Both these solutions had the potential for significantly increasing the complexity of your network, or at least require an enormous amount of administrator overhead to get them to work.

Windows Server 2008 now allows you to create separate password and lockout policies for different users in the domain. This allows you to set strong password policies for users with high privileges (such as domain administrators) and weaker policies for users with limited privileges (such as normal users). Of course, you can create many more than two password and lockout policies. You can create as many as you like.

The problem is, the process for creating these policies is almost as complex as the workarounds you had to use with Windows 2000 and Windows Server 2008. You have to use tools such as ADSIEdit, LD or LDIFDE to make the solution work, and there are many powerful opportunities to create a configuration error that could potentially damage your Active Directory configuration. While Windows Server 2008 has taken great strides at increasing ease of use of many complex functions in previous versions of Windows, it’s clear that support for fine-grained password policies is at the version 0.9 level at this time. This is comparable to the version 0.9 status that I believe is appropriate for the server core deployment option for Windows Server 2008.

This is not to say that you shouldn’t take advantage of this great feature. The good news is that third parties have stepped in to complete the development of this part of Windows Server 2008. There is a tool called PSOMgr that you can download from This is a command line tool, but makes the configuration a bit easier. If you want a truly professional tool, check out Specops, which provides a MMC snap-in, which you can find at  There is also a free version on the specops site that you can download and will help you a lot in getting your password policies done without driving yourself made with AD arcana.

If you have a lot of free time and want to see how to create fine-grained password policies using the built-in tools included with Windows Server 2008, check out:



Thomas W Shinder, M.D.

Email: [email protected]
MVP – Microsoft Firewalls (ISA)

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top