Chapter 12. Fine-Grained Password Policies

Undoubtedly, one of the most exciting new features in Windows Server 2008 Active Directory was fine-grained password policies (FGPPs). Prior to FGPPs, domain account policies (password and lockout policies, specifically) could only be set on a per-domain basis. If you needed separate password-complexity requirements for different sets of users, you could either deploy a third-party password filter or deploy additional domains. Fine-grained password policies remove the need for both workarounds within a single domain and are immediately available once your domain is running at the Windows Server 2008 or better domain functional level.

12.1. Understanding Password Settings Objects

Fine-grained password policies you create are represented by password settings objects (PSOs) within Active Directory. PSOs are standard Active Directory objects and are stored under the System container in the domain partition.

Fine-grained password policy functionality is available beginning with Windows Server 2008, and as such, Windows Server 2003 and earlier versions of Windows domain controllers are not capable of enforcing this functionality. FGPPs become available once the domain is running at the Windows Server 2008 or better domain functional level. While you can create and manage PSOs before your domain is running at this functional level, the policies will have no effect on users.
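
The following PowerShell audit is an added example, not code from the book. It lists the PSOs stored under the System container and reports whether the domain functional level is high enough for them to take effect. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the PSOs.

```powershell
# Added example: audit PSOs and confirm the domain can actually enforce them.
# Assumes the RSAT ActiveDirectory module and an account allowed to read PSOs.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# msDS-Behavior-Version on the domain head holds the domain functional level.
# A value of 3 corresponds to Windows Server 2008; higher values are later levels.
$level = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'msDS-Behavior-Version').'msDS-Behavior-Version'
$enforced = $level -ge 3

$props = 'msDS-PasswordSettingsPrecedence', 'msDS-MinimumPasswordLength',
         'msDS-PasswordComplexityEnabled', 'msDS-LockoutThreshold',
         'msDS-PSOAppliesTo'

# PSOs are ordinary directory objects of class msDS-PasswordSettings
# located under the System container of the domain partition.
$psos = @(Get-ADObject -SearchBase "CN=System,$($domain.DistinguishedName)" `
            -SearchScope Subtree `
            -LDAPFilter '(objectClass=msDS-PasswordSettings)' `
            -Properties $props)

$psos | Sort-Object 'msDS-PasswordSettingsPrecedence' | ForEach-Object {
    [pscustomobject]@{
        Name             = $_.Name
        Precedence       = $_.'msDS-PasswordSettingsPrecedence'
        MinLength        = $_.'msDS-MinimumPasswordLength'
        Complexity       = $_.'msDS-PasswordComplexityEnabled'
        LockoutThreshold = $_.'msDS-LockoutThreshold'
        AppliesToCount   = @($_.'msDS-PSOAppliesTo').Count
        Enforced         = $enforced
    }
} | Format-Table -AutoSize

if ($psos.Count -eq 0) {
    # An empty result can also mean the account lacks read access to the PSOs.
    Write-Warning 'No PSOs returned: none exist, or this account cannot read them.'
}
elseif (-not $enforced) {
    # PSOs can be created below the 2008 functional level but have no effect.
    Write-Warning "Functional level $level is below Windows Server 2008: $($psos.Count) PSO(s) exist but are not applied to users."
}
```

A PSO with an `AppliesToCount` of 0 is linked to no users or groups, so it is worth reviewing alongside the functional-level warning.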

The easiest ways to manage PSOs ...
