In this article, we will talk about account password policies: how they are configured domain-wide with Group Policy, and how to get a more granular, per-user password policy without using Group Policy at all.

So first off, let us talk about Group Policy configuration for password complexity and requirements.


    The downside of Group Policy for this job is that it is not granular at all. Password policy settings are computer settings, and for domain accounts only the GPO linked at the domain root (normally the Default Domain Policy) counts; a password policy in a GPO linked to an OU only affects the local SAM accounts on the computers in that OU, never domain users. So there is effectively one password policy for every domain account.

    To change the domain account policies using Group Policy, go to any domain controller in your organization, open Group Policy Management Console (gpmc.msc), edit the Default Domain Policy (or whichever GPO is linked at the domain root), and go to Computer Configuration, Policies, Windows Settings, Security Settings, Account Policies and then Password Policy.


    But as I said before, these settings apply domain-wide and are not granular. We don't want to weaken the password policy for the whole organization because of one user who wants a weaker password and somehow managed to get an approval from the CISO of the organization.

    Configuring Fine-Grained Password Policies in AD

    For this scenario, we will use the Active Directory Administrative Center (ADAC), found in Server Manager under Tools. Fine-grained password policies require a domain functional level of at least Windows Server 2008; the ADAC interface for them arrived with Windows Server 2012.


    Before we dive into the actual PSO (Password Settings Object) configuration, we must first add another node to manage in the console.

    Right click in the empty area below Global Search and choose Add Navigation Nodes.


    Then navigate to System, Password Settings Container and then click Add.


    Back to the Administrative Center, you will see a new management node has been added. Click on it and then go to New, Password Settings.


    You will then be greeted with the following Create Password Settings screen.


    For test purposes, we will leave all the values at their defaults, give the PSO a name (Test), and then choose whom we want to apply this PSO to. In production you would set each value deliberately; a PSO that relaxes the domain baseline is an exception and should be documented as one.

    So after going to Add and choosing the user Todd Smith, I can see that this PSO is applied to this user and only to this user, regardless of OU location, GPO and so forth. PSOs can be applied to users and global security groups, not to OUs. Don't forget the Precedence value: the lower the number, the higher the priority, so 1 wins over every other PSO. Two caveats: a PSO linked directly to a user always beats one the user receives through group membership, whatever the precedence numbers say, and when two directly linked PSOs tie on precedence the one with the lowest objectGUID wins. The policy the domain controller actually enforces for a user is exposed in the user's msDS-ResultantPSO attribute, which is what you should check rather than trusting the link.
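The same procedure from PowerShell, as an added example that is not part of the original article: it creates the "Test" PSO, links it to one user, and then reads back the resultant policy the DC will enforce. It also goes one step past the article with a short audit that lists every PSO weaker than the domain baseline. It assumes the ActiveDirectory RSAT module, a domain functional level of Windows Server 2008 or higher, and a user with the sAMAccountName Todd.Smith; the PSO values are assumptions that mirror the defaults ADAC offers.

```powershell
# Added example (not the article's own code). Assumes the ActiveDirectory module
# and a domain functional level >= Windows Server 2008. User name is an assumption.
Import-Module ActiveDirectory

$psoName = 'Test'
$target  = 'Todd.Smith'   # sAMAccountName, assumed for illustration

# Baseline every domain account gets from the GPO linked at the domain root.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$domainPolicy | Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold

# Create the PSO once. Lower Precedence wins, so 1 beats everything else.
# Settings below are assumed values that match the ADAC defaults the article leaves in place.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 1 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 7 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 42) `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true `
        -Description 'Per-user exception, approved by CISO'
}

# Link the PSO to a single user. Subjects may be users or global security groups only;
# an OU is not a valid subject, which is the whole difference from Group Policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $target

# Verify what the DC really enforces for this user (reads msDS-ResultantPSO for you).
# If no PSO applied, this returns the domain default policy instead.
Get-ADUserResultantPasswordPolicy -Identity $target |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, MaxPasswordAge

# Audit step beyond the article: every PSO that relaxes the domain baseline, with its subjects.
# These are the exceptions worth reviewing periodically.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Where-Object {
        $_.MinPasswordLength -lt $domainPolicy.MinPasswordLength -or
        -not $_.ComplexityEnabled -or
        ($_.MaxPasswordAge -gt $domainPolicy.MaxPasswordAge -and $domainPolicy.MaxPasswordAge.Ticks -ne 0)
    } |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
        @{ Name = 'AppliesTo'; Expression = { ($_.AppliesTo | ForEach-Object { $_.ToString() }) -join '; ' } }
```

Run it from a machine with RSAT as an account that can create objects under CN=Password Settings Container,CN=System. The resultant-policy query is the step to keep: a PSO link that looks right in ADAC can still lose to a lower-precedence PSO linked directly to the user, and Get-ADUserResultantPasswordPolicy shows the winner.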


    That is it! Very simple and very cool. This way we can assign specific password policies to individual users or groups without touching the domain-wide GPO, and without any OU restructuring. Just remember that each PSO is an exception to your baseline: keep the list short, and review who each one applies to from time to time. Enjoy!
