Before Windows Server 2008, passwords were only managed via the Default Domain Policy GPO. So only one password policy was possible without do-it-yourself. With Windows Server 2008, Microsoft introduces Password Settings Object (PSO) that enables to apply Fine-Grained password policy linked to users or groups object. However in Windows Server 2008, PSO could only be created with PowerShell command. In Windows Server 2012, Microsoft introduces a new GUI to manage Active Directory called ADAC (Active Directory Administrative Center). ADAC enables to create PSO with graphical interface.
Password Settings Object
A Password Settings Object (PSO) is an Active Directory object. This object contains all password settings that you can find in the Default Domain Policy GPO (password history, complexity, length etc.). A PSO can be applied to users or groups. When PSO is applied on some users, there are no longer using password policy from Default Policy Settings GPO. Instead they use the PSO settings.
Because PSO can be applied to a group, a user can be linked to two PSO. However only one PSO can be applied to users. So in this case an RSoP (Resultant Set of Policy) must be calculated to apply one PSO. The RSoP calculation is based on a PSO parameter called Precedence which is a number. The PSO with the lowest number win and is applied. So the lowest Precedence number is always applied.
By default only domain administrators can create and read PSO because only these accounts can create and write object in the Password Settings Container. However only write delegation on users and groups enables to apply PSO.
Deploy Fine-Grained Password Policy
I have created three users in my Active Directory:
- Glen Moray that belongs no group;
- John Jameson that belongs PSO-Standard Users group;
- Jack Daniel that belongs to PSO-Standard-Users and PSO-PasswordOfTheDeath groups.
Password Settings Object creation
First open ADAC from Server Manager and Tools menu.
Click on your Domain (mine is called Fabrikam.com) to list containers in your domain. Click on System Container.
In System container, you should have the Password Settings Container. Click on it and select New on the right.
On the PSO creation screen, you can see the password policy parameter such as password length, password history, maximum age, complexity etc. There is also the Precedence parameter. As you can see on below screenshot, I have applied PSO to PSO-Standard Users group. For these examples, I have removed the minimum password age to validate just after account creation my PSO. If I leave this setting to 1 day, I have to wait tomorrow to change password …
Next I create a stronger password policy that I applied to the PSO-PasswordOfTheDeath group.
After PSO creation you can double click on the Password Settings Container to view your PSO. On the below screenshot, you can see that my SuperSecure Password PSO has a stronger precedence.
To view the RSOP and so the PSO that will be applied to users, open your OU where are stored your users object and select an account as below. Click on View Resultant Password Settings on right.
Remove default password policy on Active Directory
To validate my test, I remove the default password policy managed by the Default Domain Policy GPO. Open Group Policy management console, and edit the Default Domain Policy.
Open Software Settings, Windows Settings, Security Settings, Account Policies and Password Policies. Set these policies as below.
First test: user without password policy
My First user called Glen Moray belong no group. So no password policy is applied to this account. To test that, I change the password to aaa as below:
Because no password policy is applied to this account, the password has been changed successfully.
Second test: User with standard users PSO
The user John Jameson is linked to the Standard Users PSO. A 8 chars complex password is required. So I try the aaa password:
Because the PSO is applied, the password can’t be applied because it does not meet the requirement related to the PSO.
So I try a complex password more than 8 chars:
The password meets the PSO requirement so it has been changed successfully.
Third test: User with SuperSecure Password PSO
Now I try Jack Daniel user. This user is a member of all my PSO group. But because SuperSecure Password PSO has the strongest precedence, this is this last that will be applied. Let’s try to validate this assumption. I try the same password than John Jameson user:
Because this password doesn’t meet the SuperSecure Password PSO requirement, the password can’t be changed.
So I generate a strong password with this tool.
Next I Past it to the reset password wizard:
And it is work !
Fine-Grained Password Policy is a great feature that enables to apply different password policies in your domain. For example you can apply a different password policy to administrator, to standard user and to service account. You are no longer forced to use only one password policy. Now that Microsoft has introduced the Active Directory Administrative Console (ADAC), Password Settings Object can be managed easily. So why continue to live without?