Configure Fine-Grained Password Policies for Specific Users in Active Directory

 

 

In this article, we will talk about account password policies: how they are configured domain-wide, and how to take a more granular approach with per-user password policies without using Group Policy.

So first off, let us talk about Group Policy configuration for password complexity and requirements.

The downside of Group Policy settings is that they are not very granular; they are applied to OU containers and computer objects.

To change the account policies using Group Policy, go to any domain controller in your organization, open Group Policy Management Console (gpmc.msc), go to Security Settings, then Account Policies and then Password Policies.

But as I said before, these settings apply to computer objects and thus are not very granular. We don’t want to make organization-wide changes for just one user who wants a weaker password and somehow managed to get approval from the CISO of the organization.

Configuring Fine-Grained Password Policies in AD

For this scenario, we will use the Active Directory Administrative Center situated in Server Manager under Tools.

Before we dive into the actual PSO (Password Settings Object) configuration, we must first add another node to manage in the console.

Right click in the empty area below Global Search and choose Add Navigation Nodes.

Then navigate to System > Password Settings Container and then click Add.

Back in the Administrative Center, you will see that a new management node has been added. Click on it and then go to New > Password Settings.

You will then be greeted with the following Create Password Settings screen.

For test purposes, we will leave all the settings at their default values, give the PSO a name (Test), and then choose whom we want to apply this PSO to.

After clicking Add and choosing the user Todd Smith, I can see that this PSO is applied to this user, and only to this user, regardless of OU location, GPO and so forth. Don’t forget to set the Precedence value to 1, which is the highest priority: a PSO with Precedence 1 takes precedence over all other settings.
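The same PSO created from PowerShell instead of the Administrative Center, followed by a check of which policy is actually in effect for the user and a listing of PSOs that are weaker than the domain default. This is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT) is installed, uses a hypothetical sAMAccountName tsmith for Todd Smith, and uses illustrative policy values that are not taken from the article.

```powershell
Import-Module ActiveDirectory

$psoName = 'Test'      # PSO name used in the article
$user    = 'tsmith'    # hypothetical sAMAccountName for Todd Smith

# Create the PSO only if it does not exist yet (values are illustrative).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 1 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 12 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '42.00:00:00' `
        -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' `
        -LockoutDuration '0.00:30:00' -ProtectedFromAccidentalDeletion $true
}

# Link the PSO to the user unless it is already linked.
$userDn = (Get-ADUser -Identity $user).DistinguishedName
$pso    = Get-ADFineGrainedPasswordPolicy -Identity $psoName
if ($pso.AppliesTo -notcontains $userDn) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $user
}

# Verify the winning policy. No output from this cmdlet means no PSO
# applies and the user falls back to the default domain policy.
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if ($effective.Name -ne $psoName) {
    Write-Warning "Effective policy for $user is '$($effective.Name)', not '$psoName'"
}

# Audit: list every PSO by precedence and flag those weaker than the
# domain default, so approved exceptions stay visible and reviewable.
$domain = Get-ADDefaultDomainPasswordPolicy
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
        @{ Name = 'WeakerThanDomain'; Expression = {
            $_.MinPasswordLength -lt $domain.MinPasswordLength -or
            (-not $_.ComplexityEnabled -and $domain.ComplexityEnabled) -or
            $_.ReversibleEncryptionEnabled } },
        AppliesTo
```

Running the audit query on a schedule and comparing its output over time shows when a weaker PSO is created or gains new subjects.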

That is it! Very simple and very cool. This way we can assign certain password policies to users without building complicated GPOs, OU structures and so forth. Enjoy!

Dylan Austin
