Active Directory Fine Grained password Policy

When we used windows 2000 and windows 2003 domain we could use only one password policy(Password complexity settings, account lockout settings) with our domain. It was using default domain policy. But windows 2008 onwards we can use multiple password policies with our domain. We can use adsiedit or active directory PowerShell module for creating new password policy objects. With this example im using windows 2008 R2 with powershell for creating new password policy.

1.New-ADFineGrainedPasswordPolicy   This commandlet we can use for create new password policy.

New-ADFineGrainedPasswordPolicy –Name “Branch 01 PSO” –Precedence 500 –ComplexityEnabled  $False –Description “This password policy for Branch office” –DisplayName “Branch01 PSO” –LockoutDuration “0.12:00:00” –LockoutObservationWindow “0.00:15:00” –LockoutThreshold 10 –MinPasswordLength 4

Accroding to the this example this password policy creating for the users those who are in one of branch office. Minimum password policy for them are 4 letters, also complexity is disabled. It means they can use just simple passwords like 1234.


Once we create this policy we can apply this password policy for user or user group. Therefore we can use Add-ADFineGrainedPasswordPolicySubject commandlet.

in this example we applying this policy(Branch01 PSO) for user group Branch01-users.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.