19.2 Configuring Fine-Grained Password Policy

The fine-grained password policy feature is available at the 2012 schema level. It enables password policies to be configured at the user level. For fine-grained password policy to work in a domain, all domain controllers must be upgraded to OES 2018 or later.

You can use the fine-grained password policy feature to:

  • Set multiple password policies within a single domain for a particular user.

  • Apply password restrictions and account lockout policies to a set of users in a domain.

19.2.1 Restrictions

  • Policy can be applied only to user objects (or inetOrgPerson objects if they are used instead of user objects).

  • By default, only members of the Domain Admins group can set fine-grained password policies.

  • Fine-grained password policy cannot be applied to an organizational unit (OU) directly.

  • Fine-grained password policies do not interfere with custom password filters that you might use in the same domain.

19.2.2 Creating the Fine-Grained Password Policy

During the schema extension to AD 2012 level, the script creates the Password Setting Container under the System container in the domain. The fine-grained password policy or Password Setting Object (PSO) can be created in the Password Setting Container.

  1. Log in to one of your domain controllers, click Start > Run, and enter mmc.

  2. In the File menu, select Add/Remove Snap-ins.

  3. Select ADSI Edit from the list, click Add > OK.

  4. Right-click ADSI Edit and click Connect to.

  5. Expand the tree view, right-click Password Setting Container, then select New > Object.

  6. In the Create Object dialog box, select the class msDS-PasswordSettings and click Next.

  7. Specify the name of the Password Setting Object in the Value field and click Next.

  8. Specify the value for each of the following attributes and click Next after setting the value for each attribute.

    • msDS-PasswordSettingsPrecedence - represents the priority of the policy over other policies. The precedence value must be set between 1 and 10. When multiple policies apply to a single user, the policy with the lowest precedence value takes priority. It is recommended to give each policy a different precedence value. If two policies have the same precedence value, the object GUID decides which policy is effective: the policy with the smaller GUID wins.

    • msDS-PasswordReversibleEncryptionEnabled - set the value to false, unless you want to save the eDirectory passwords in a reversible format.

    • msDS-PasswordHistoryLength - set the number of passwords to be remembered for the user account.

    • msDS-PasswordComplexityEnabled - set the value to True, if you want the password to be complex for the user account, else set it to False.

    • msDS-MinimumPasswordLength - set the minimum length of the password for the user account.

    • msDS-MinimumPasswordAge - set the duration (DD:HH:MM:SS) during which the password cannot be changed. For example, 1:00:00:00 for one day. If you want to allow the password to be changed immediately after it is set, leave this attribute at its default value (none).

    • msDS-MaximumPasswordAge - set the duration (DD:HH:MM:SS) you want the password to be valid before expiring. For example, 14:00:00:00 for 14 days.

    • msDS-LockoutThreshold - set the number of failed password attempts allowed before the account is locked. Setting this attribute to a low value may result in an account lockout storm: any existing users with wrongly cached passwords might be locked out quickly.

    • msDS-LockoutObservationWindow - set the duration that must elapse before the locked user account is unlocked automatically.

    • msDS-LockoutDuration - set the duration for which the account remains locked after it is locked out.

  9. Click Finish.
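As an added example (not part of the OES documentation), the following Python builds the LDIF for a PSO carrying the step 8 attributes, converting the DD:HH:MM:SS durations shown by ADSI Edit into the negative 100-nanosecond intervals Active Directory stores, and applies the precedence rule from step 8 to pick the effective PSO for a user. The container DN, the policy values and the GUID comparison (as a 128-bit integer of the canonical GUID text) are assumptions.

```python
"""Build a PSO (msDS-PasswordSettings) LDIF entry and resolve PSO precedence.
Added example, not OES code; container DN and policy values are constructed."""
import uuid

TICKS_PER_SECOND = 10_000_000  # AD keeps these durations in 100-ns units


def duration_to_interval(dd_hh_mm_ss: str) -> int:
    """DD:HH:MM:SS (as typed into ADSI Edit) -> negative Int64 interval."""
    days, hours, minutes, seconds = (int(p) for p in dd_hh_mm_ss.split(":"))
    total = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    return -total * TICKS_PER_SECOND


def pso_ldif(name, container_dn, precedence, min_len, history, complexity,
             min_age, max_age, threshold, window, lockout):
    """Return an LDIF 'add' entry for a PSO with the attributes from step 8."""
    if not 1 <= precedence <= 10:  # range given in the section above
        raise ValueError("precedence must be between 1 and 10")
    attrs = [
        ("objectClass", "msDS-PasswordSettings"),
        ("cn", name),
        ("msDS-PasswordSettingsPrecedence", precedence),
        ("msDS-PasswordReversibleEncryptionEnabled", "FALSE"),  # keep off
        ("msDS-PasswordHistoryLength", history),
        ("msDS-PasswordComplexityEnabled", "TRUE" if complexity else "FALSE"),
        ("msDS-MinimumPasswordLength", min_len),
        ("msDS-MinimumPasswordAge", duration_to_interval(min_age)),
        ("msDS-MaximumPasswordAge", duration_to_interval(max_age)),
        ("msDS-LockoutThreshold", threshold),
        ("msDS-LockoutObservationWindow", duration_to_interval(window)),
        ("msDS-LockoutDuration", duration_to_interval(lockout)),
    ]
    lines = [f"dn: CN={name},{container_dn}", "changetype: add"]
    lines += [f"{k}: {v}" for k, v in attrs]
    return "\n".join(lines) + "\n"


def effective_pso(psos):
    """psos: list of (name, precedence, objectGUID text) that apply to a user.
    Lowest precedence wins; on a tie the smaller GUID wins (assumption: GUIDs
    are compared as the 128-bit integer of their canonical text form)."""
    return min(psos, key=lambda p: (p[1], uuid.UUID(p[2]).int))[0]
```

The LDIF can be loaded with an LDAP client against a domain controller; the resulting durations match what ADSI Edit shows when it formats the raw Int64 value.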

19.2.3 Setting the Password Policy on the User

  1. Right-click the fine-grained password policy or Password Setting Object (PSO) created in the console tree and click Properties.

  2. Select the attribute msDS-PSOAppliesTo, then click Edit.

  3. Click Add Windows Account.

  4. To apply the PSO on users, specify the users and click OK > OK > Apply.

    You can verify that the msDS-PSOAppliesTo attribute contains an SID value.