24 Jan 2013

New features in Active Directory Domain Services in Windows Server 2012, Part 7: Fine-grained Password Policy GUI

Microsoft introduced the concept of Fine-grained Password Policies in Active Directory back in Windows Server 2008. From that day on, Active Directory admins could granularly roll out Password and Account Lockout Policies to groups and individual users. It was, however, such a painful experience that many books suggested using the free SpecOps Password Policy Basic tool to set fine-grained password policies instead of the built-in PowerShell commands.

What's New

Now, in Windows Server 2012, the Active Directory team has finally created a Graphical User Interface (GUI) for Fine-grained Password Policies. Like the Active Directory PowerShell History Viewer and the Active Directory Recycle Bin, it's part of the Active Directory Administrative Center.

Note:
There are no changes under the hood for Fine-grained Password Policies. These policies are still only applicable to user objects and groups, not OUs.

Creating a Fine-grained Password Policy in the GUI

If you want to, you can create a Fine-grained Password Policy without a link within the Active Directory Administrative Center. For this purpose, open the Active Directory Administrative Center using an account with sufficient permissions to create Fine-grained Password Policies.

In the left navigation pane, head to the System container under the domain root and from there drill deeper until you reach the Password Settings Container. This is where Fine-grained Password Policies live in Active Directory:


Now, you can use the New and then Password Settings commands from the task pane on the right, or simply right-click within the middle pane and make the same selections from the context menu to create a Fine-grained Password Policy.


In the Create Password Settings screen, you can give the Fine-grained Password Policy a meaningful name and a Precedence (both fields are mandatory).

Tip!
Precedence allows you to give Fine-grained Password Policies priority over other Fine-grained Password Policies. Fine-grained Password Policies applied to users directly always take precedence over Fine-grained Password Policies applied to groups the user is a member of. If you work with multiple Fine-grained Password Policies, make sure the most important ones have Precedence value 1.

In the Directly Applies To section you can specify groups and/or users that will be subject to this Fine-grained Password Policy.

Assigning a Password Policy to a user in the GUI

To assign a Fine-grained Password Policy directly to a user, open the properties of a user account in the Active Directory Administrative Center. In the left pane, select Password Settings. Use the Assign… button to select a Fine-grained Password Policy:

Assign a Fine-grained Password Policy to a user in the Active Directory Administrative Center

Use the Check Names functionality to make picking easier and click OK when done.

Assigning a Password Policy to a group in the GUI

Assigning a Fine-grained Password Policy to a group is as straightforward as assigning a Fine-grained Password Policy to a user. Open the properties of a group, scroll down to Password Settings (or click it in the left pane) and add or remove Password Policies as you see fit:

Assign a Fine-grained Password Policy to a group in the Active Directory Administrative Center

View resultant password settings for a user

If, at any time, you're unclear which Fine-grained Password Policy applies to a user, use the built-in capabilities of the Active Directory Administrative Center to view the resultant password settings. For this, simply right-click a user and select View resultant password settings… from the context menu:


This command opens the Fine-grained Password Policy that is actually applied to the user object, after precedence and direct-versus-group assignment have been taken into account.
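The same create, assign and verify workflow from the three sections above, as an added PowerShell example (not from the original post) that lets you check what the GUI did and audit precedence across all policies. The policy, group and user names are constructed placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the original post: create / assign / verify a
# Fine-grained Password Policy with the ActiveDirectory module.
# Policy, group and user names below are constructed placeholders.
Import-Module ActiveDirectory

$policyName   = 'PSO-Admins-Strict'   # constructed policy name
$subjectGroup = 'Tier0-Admins'        # constructed global security group; must exist
$testUser     = 'jdoe'                # constructed sAMAccountName

# 1. Create the policy. Name and Precedence are mandatory, exactly as in the GUI.
#    The lowest Precedence value wins when several group-linked policies apply.
New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 1 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 10 -LockoutObservationWindow '0.00:15:00' `
    -LockoutDuration '0.00:15:00' -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true `
    -Description 'Stricter settings for privileged accounts'

# 2. Link it (the GUI's "Directly Applies To"). Subjects are users and groups only;
#    an OU is not a valid subject, which is the limitation the post's note describes.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $subjectGroup

# 3. Verify which policy really wins for one user
#    (the GUI's "View resultant password settings").
$resultant = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($null -eq $resultant) {
    "$testUser is covered by no fine-grained policy; the domain's default settings apply."
} else {
    $resultant | Select-Object Name, Precedence, MinPasswordLength,
                               LockoutThreshold, MaxPasswordAge
}

# 4. Audit all policies by precedence with their subjects. Duplicate Precedence
#    values are a design error: the tie is broken by AD, not by you.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
    $subjects = (Get-ADFineGrainedPasswordPolicySubject -Identity $_.Name |
                 Select-Object -ExpandProperty Name) -join ', '
    '{0,-30} {1,5}  {2}' -f $_.Name, $_.Precedence, $subjects
}
```

Run step 3 for a user both before and after linking the group to confirm the GUI assignment took effect; a `$null` result means the user falls back to the domain password policy.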
