Creating fine-grained password policies
Before you can create fine-grained password policies for a
domain, you must ensure that the domain functional level is Windows
Server 2008 or newer. This can be done using either ADAC or Windows
PowerShell as described in the previous topic in this lesson.
Note
Domain functional level
Domain Admin credentials or greater are required to raise
the domain functional level for a domain.
Fine-grained password policies for a domain are stored in the
Password Settings Container, which is found under System, as shown
in Figure 3.
To create a new fine-grained password policy using ADAC,
follow these steps:
-
Display the Password Settings Container either in the
navigation pane or management list pane.
-
Right-click on the Password Settings Container, and select
New. Then select Password Settings.
-
Fill in the appropriate information on the Create Password
Settings properties page, shown in Figure 4.
-
Click Add, and locate the user accounts or global security
groups you want the policy to apply to (a PSO can be linked only
to users and global security groups, not to OUs or other group
scopes). Then click OK to create the new policy.
-
Repeat the preceding steps to create additional
fine-grained password policies as needed for your
environment.
Note
Using Windows PowerShell to manage fine-grained password
policies
You can also use Windows PowerShell to create, modify, or
delete fine-grained password policies for your domain. For
example, you can use the New-ADFineGrainedPasswordPolicy cmdlet to
create a new fine-grained password policy. You can also use the
Set-ADFineGrainedPasswordPolicy cmdlet to modify an existing
fine-grained password policy. And you can use the
Remove-ADFineGrainedPasswordPolicy cmdlet to delete a fine-grained
password policy that is no longer needed in your environment. Use
the Get-Help cmdlet to display the syntax and examples for each of
these cmdlets.
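The same procedure from Windows PowerShell, as an added example (this is not code from the original page). It creates one stricter policy for privileged accounts and links it to a group; the PSO name PSO-PrivilegedAccounts and the group name Tier0-Admins are assumed and should be replaced with names from your own domain. It also performs two checks a practitioner wants before linking a policy: it does not create a duplicate if the PSO already exists, and it refuses to continue when another PSO already uses the same precedence value, because ties between PSOs of equal precedence are broken by object GUID rather than by anything you control.

```powershell
# Added example, not from the original page. Names below are assumptions.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'   # hypothetical PSO name
$group   = 'Tier0-Admins'             # hypothetical global security group

# A lower precedence value wins when several PSOs apply to the same user,
# so the strictest policy gets the smallest number.
$params = @{
    Name                            = $psoName
    Precedence                      = 10
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    MinPasswordLength               = 15
    PasswordHistoryCount            = 24
    MinPasswordAge                  = '1.00:00:00'    # 1 day
    MaxPasswordAge                  = '60.00:00:00'   # 60 days
    LockoutThreshold                = 5
    LockoutObservationWindow        = '00:30:00'
    LockoutDuration                 = '00:30:00'
    ProtectedFromAccidentalDeletion = $true
    Description                     = 'Stricter policy for Tier 0 administrative accounts'
}

# Create the PSO only if it does not already exist.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy @params -PassThru
}

# Stop if another PSO already uses this precedence value; equal precedence
# is resolved by object GUID, which is not a deterministic policy decision.
$collisions = Get-ADFineGrainedPasswordPolicy -Filter "Precedence -eq $($params.Precedence)" |
    Where-Object { $_.Name -ne $psoName }
if ($collisions) {
    throw "Precedence $($params.Precedence) is already used by: $($collisions.Name -join ', ')"
}

# Link the PSO to the group. -Subjects accepts users or global security groups.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Show the policy as stored in the Password Settings Container, with its links.
Get-ADFineGrainedPasswordPolicy -Identity $psoName -Properties AppliesTo |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
                  LockoutThreshold, AppliesTo
```

Run this from an elevated PowerShell session with the Active Directory module installed, using an account that can write to the Password Settings Container (Domain Admins by default). Setting ProtectedFromAccidentalDeletion prevents the PSO, and therefore the stricter policy for the group, from being removed by a stray Remove-ADFineGrainedPasswordPolicy without first clearing that flag.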
Viewing the resultant password settings for a user
You can also use ADAC to view the resultant password settings
for users in a domain. This is useful both for ensuring that you
have created and assigned fine-grained password policies as you
intended for your environment and also for troubleshooting problems
with policies not being applied as expected.
To view the resultant password settings for a particular user,
first locate the user in Active Directory either by browsing using
the navigation pane or by using the Global Search tile. Then
right-click on the user account and select View Resultant Password
Settings as shown in Figure 5. The fine-grained password policy
that displays is the one that wins among all the policies that
apply to the user: a policy linked directly to the user account
takes priority over policies linked to the user's groups, and among
the remaining candidates the policy with the lowest precedence
value applies. If no fine-grained password policy applies to the
user at all, the settings from the Default Domain Policy are in
effect.
Note
Using Windows PowerShell to view the resultant set of
policies
You can also use Windows PowerShell to view the resultant
password settings for a user. You can do this using the
Get-ADUserResultantPasswordPolicy cmdlet. Use the Get-Help cmdlet
to display the syntax and examples for this cmdlet.
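An added example (not code from the original page) that turns the resultant-settings check into an audit: for every user in a privileged group it reports which policy actually governs the account, flags accounts that do not receive the policy you expect, and handles the case the cmdlet is quiet about, namely that Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies and the Default Domain Policy is in effect. The group name Tier0-Admins and the expected PSO name PSO-PrivilegedAccounts are assumptions.

```powershell
# Added example, not from the original page. Names below are assumptions.
Import-Module ActiveDirectory

$group       = 'Tier0-Admins'             # hypothetical privileged group
$expectedPso = 'PSO-PrivilegedAccounts'   # hypothetical PSO expected to apply

# Fallback policy for users that no PSO reaches.
$defaultPolicy = Get-ADDefaultDomainPasswordPolicy

$report = foreach ($member in (Get-ADGroupMember -Identity $group -Recursive |
                               Where-Object { $_.objectClass -eq 'user' })) {
    $user = Get-ADUser -Identity $member.DistinguishedName

    # Returns $null when no fine-grained policy applies to this user.
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $user

    [pscustomobject]@{
        User              = $user.SamAccountName
        EffectivePolicy   = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }
        Precedence        = if ($rsop) { $rsop.Precedence } else { $null }
        MinPasswordLength = if ($rsop) { $rsop.MinPasswordLength } else { $defaultPolicy.MinPasswordLength }
        MaxPasswordAge    = if ($rsop) { $rsop.MaxPasswordAge }    else { $defaultPolicy.MaxPasswordAge }
        AsExpected        = [bool]($rsop -and $rsop.Name -eq $expectedPso)
    }
}

$report | Format-Table -AutoSize

# Accounts not governed by the expected PSO. Typical causes: a PSO with a lower
# precedence value also applies through another group, a PSO is linked directly
# to the user account and overrides the group-linked one, or the expected PSO
# was never linked to this group.
$mismatches = $report | Where-Object { -not $_.AsExpected }
if ($mismatches) {
    Write-Warning ("{0} account(s) in {1} are not governed by {2}: {3}" -f
        $mismatches.Count, $group, $expectedPso, ($mismatches.User -join ', '))
}
```

Because a PSO linked directly to a user account always beats a group-linked PSO regardless of precedence, a mismatch for a single account is worth checking against that account's msDS-PSOApplied attribute before assuming a precedence problem.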