Active Directory Fine Grained Password Policy (Part 1)

The objective of this document is to show the implementation steps for the Fine Grained Password Policy feature of Windows 2008 R2 Active Directory.

I have divided the post into 2 parts:
Part 1 – How to Create Fine Grained Password Policy
Part 2 – How to Apply PSO to User or Group


How to Create a Fine Grained Password Policy:

Step 1: Under Administrative Tools, open ADSI Edit and connect it to the domain and domain controller on which you want to set up the new Password Policy.
Step 2: Double click on “CN=DomainName”, then double click on “CN=System”, and then double click on “CN=Password Settings Container”.



Step 3: Right click on “CN=Password Settings Container”, then click on “New” and then “Object…”



Step 4: Click on “Next”



Step 5: Type the name of the PSO in the “Value” field and then click “Next”



Step 6: Type in a number that will be the Precedence for this Password Policy, then click “Next”.
Note: This is used when users have multiple Password Settings Objects (PSOs) applied to them.



Step 7: Type “FALSE” in the “Value” field and click “Next”.
Note: You should almost never use “TRUE” for this setting.



Step 8: Type “24” (the default value) or the ING standard value in the “Value” field and click “Next”.



Step 9: Type “TRUE” in the “Value” field if you want to enforce complex passwords, otherwise “FALSE”, and click “Next”.



Step 10: Type the ING standard password length in the “Value” field and click “Next”.



Step 11: Type “5:00:00:00” in the “Value” field and click “Next”.
Note: This value determines the minimum period during which a user cannot change the password, in DD:HH:MM:SS format.



Step 12: Type “30:00:00:00” in the “Value” field and click “Next”
Note: This value determines the Password Expiry Duration in DD:HH:MM:SS format.

Step 13: Type “3” in the “Value” field and click “Next”
Note: This value determines the maximum attempts before account lockout.



Step 14: Type “0:00:30:00” in the “Value” field and click “Next”.
Note: This value determines the observation window within which failed password attempts are counted, in DD:HH:MM:SS format.

Step 15: Type “0:01:00:00” in the “Value” field and click “Next”.
Note: This value should be greater than the “Observation Window for Lockout of User Accounts” value.



Step 16: Click “Finish”




You have now created the Password Settings Object (PSO) and can close the ADSI Edit tool.
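The same PSO can be created from the ActiveDirectory PowerShell module instead of clicking through the ADSI Edit wizard; the script below is an added example, not part of the original post. It assumes the RSAT ActiveDirectory module is installed, that you run it as a Domain Admin, and the PSO name and the minimum password length are placeholder values standing in for the ING standard values the post does not spell out. Note that PowerShell TimeSpans are written as D.HH:MM:SS, not the DD:HH:MM:SS form the wizard accepts.

```powershell
# Added example (not from the original post): create the PSO from Steps 5-15
# with New-ADFineGrainedPasswordPolicy, then read it back and verify the
# lockout duration / observation window relationship noted at Step 15.
Import-Module ActiveDirectory

$psoName = 'PSO-Example'   # assumed PSO name (Step 5); pick your own

$params = @{
    Name                        = $psoName
    Precedence                  = 10              # Step 6: the lowest value wins when several PSOs apply to a user
    ReversibleEncryptionEnabled = $false          # Step 7: keep FALSE
    PasswordHistoryCount        = 24              # Step 8: default value
    ComplexityEnabled           = $true           # Step 9: enforce complex passwords
    MinPasswordLength           = 14              # Step 10: assumed placeholder for the ING standard length
    MinPasswordAge              = '5.00:00:00'    # Step 11: 5 days
    MaxPasswordAge              = '30.00:00:00'   # Step 12: 30 days
    LockoutThreshold            = 3               # Step 13: failed attempts before lockout
    LockoutObservationWindow    = '0.00:30:00'    # Step 14: 30 minutes
    LockoutDuration             = '0.01:00:00'    # Step 15: 1 hour
}
New-ADFineGrainedPasswordPolicy @params

# Read the object back from the Password Settings Container and check it.
$pso = Get-ADFineGrainedPasswordPolicy -Identity $psoName

if ($pso.LockoutDuration -lt $pso.LockoutObservationWindow) {
    throw "LockoutDuration must not be shorter than LockoutObservationWindow (Step 15 note)"
}
if ($pso.ReversibleEncryptionEnabled) {
    throw "Reversible encryption should stay disabled (Step 7 note)"
}

$pso | Format-List Name, Precedence, ReversibleEncryptionEnabled, PasswordHistoryCount,
    ComplexityEnabled, MinPasswordLength, MinPasswordAge, MaxPasswordAge,
    LockoutThreshold, LockoutObservationWindow, LockoutDuration
```

At this point the PSO exists but applies to nobody; assigning it to users or groups is covered in Part 2.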
