Centriq Training Print Logo

Tuesday

June 18 03:47 PM


Blog Banner Graphic

Blog

Fine-Grained Password Policies

Fine-Grained Password Policies

June 10, 2019 in Corporate IT Training, Microsoft / by Janet Nichols

How to Configure Fine-Grained Password Policies in PowerShell

 

About a year ago, I held a seminar about Fine-Grained password policies. Several of my students asked me to document the important points in a blog. But they added a twist to the request. Instead of using GUI tools, they suggested it would be more helpful if I documented all of the steps in PowerShell. Never one to say no, I agreed. So to those students, this blog is for you!

First, a little background about Fine-Grained password policies.

What are Fine-Grained Password Policies?

Fine-Grained password policies were first introduced by Microsoft in Windows Server 2008 allow administrators to have multiple password policies in a domain. Prior to Server 2008, each domain could have only a single password and account lockout policy. With Fine-Grained password policies, each domain can now have multiple different password and account lockout policies. These policies can be assigned to an individual user, InetOrgPerson, or a global group (also referred to as a shadow group). (A shadow group is a global group that “shadows” the membership of an Organizational unit.)

How to Configure Fine-Grained Password Policies in PowerShell

  1. Verify your domain functional level
  2. Create a new global group for the members of the IT organizational unit
  3. Create a Password Setting Object
  4. Link your Fine-Grained password policy to my ITpwd group
  5. Add your user to the new ServerAdmins group
  6. Create a Password Setting object
  7. Assign the ServerAdminpwds to the ServerAdmins group
  8. Add the Fine-Grained password policy to my user object

First, I verify my domain functional level. To support Fine-Grained password policies, your domain functional level must be at least Windows Server 2008.

Since my domain functional level is Windows2012R2, I can proceed.

Next, I create a new global group for the members of the IT organizational unit. All of the members in my IT organizational unit have a department name of IT. This allows me to use PowerShell to search for the users that have been assigned to the IT group. I then add the users from my query to the new Global group named ITPwd.

$_ = current item from my search. My user account, Janet has a department identifier of IT.

Next, I create a Password Setting Object. I name it ITpwds.

This is a single line.

This password policy is creating a complex password that is a minimum of 9 characters in length. The password must be changed every 30 days.  (30:00:00:00 is entered as DD.HH:MM: SS. DD=day, HH=hour, MM=minutes, and SS=seconds.)  The user can choose to change the password after 1 day. The password history count of 12 indicates that the user must use a unique password for 12 changes.  The Reversible encryption is set to false.  This means that I do not want to store the password in a readable format. The lockout threshold is set to 3. This indicates that if the user logs on with a known user account but cannot guess their password after three tries, the account will be locked. The lockout observation window indicates that after 15 minutes, the counter will reset to 0; assuming that the user account is not locked out, the user can try again to logon. The lockout duration is set to 30 days. If the user account is locked out, it will remain locked out for 30 days. The precedence of 20 is used in case I decide to set up multiple password settings objects for different groups; since the user may belong to two or more groups that have a password policy associated with it. The lower the precedence number, the higher the precedence. In English, that means when a user belongs to two different groups, each with a Fine-Grained password policy assigned, the password settings object with the lowest number would be their effective password setting.

Next, I link my Fine-Grained password policy to my ITpwd group.

To view the new Fine-Grained password policy, I type the following:

To view my user’s password policy, I type:

To verify that Precedence works correctly, I create a second group and a new Password Settings Object for that group.

Next, I add my user to the new ServerAdmins group.

Next, I create a Password Setting object.   

Next, I assign the ServerAdminpwds to the ServerAdmins group.

Now I verify that Janet has the ServerAdminpwds PasswordSettings Object assigned.

To assign a Fine-Grained password policy to my user account, I type:

Next, I add the Fine-Grained password policy to my user object. 

To verify that the directly assigned password policy is assigned to my user, I run the following:

Assigning a Password Settings Object to a single user account can be useful. It allows a single user to have a unique password policy. This is useful when a user has security restrictions on just their account.

Let me know if you have any questions!

 

Janet Nichols has 36 years of experience working in IT, with expertise in Microsoft Windows Server 2016, Microsoft Windows Server 2012, Microsoft Windows Server 2008, Microsoft Networking Technologies, and Infrastructure services. 

Are you interested in learning more about Fine-Grained password policies or taking a class at Centriq Training? Fill out the form below for a training advisor to contact you with more information!

  •  

    Privacy Policy

  • This field is for validation purposes and should be left unchanged.