Active Directory Fine Grained password Policy

When we used windows 2000 and windows 2003 domain we could use only one password policy(Password complexity settings, account lockout settings) with our domain. It was using default domain policy. But windows 2008 onwards we can use multiple password policies with our domain. We can use adsiedit or active directory PowerShell module for creating new password policy objects. With this example im using windows 2008 R2 with powershell for creating new password policy.

1.New-ADFineGrainedPasswordPolicy   This commandlet we can use for create new password policy.

New-ADFineGrainedPasswordPolicy –Name “Branch 01 PSO” –Precedence 500 –ComplexityEnabled  $False –Description “This password policy for Branch office” –DisplayName “Branch01 PSO” –LockoutDuration “0.12:00:00” –LockoutObservationWindow “0.00:15:00” –LockoutThreshold 10 –MinPasswordLength 4

Accroding to the this example this password policy creating for the users those who are in one of branch office. Minimum password policy for them are 4 letters, also complexity is disabled. It means they can use just simple passwords like 1234.


Once we create this policy we can apply this password policy for user or user group. Therefore we can use Add-ADFineGrainedPasswordPolicySubject commandlet.

in this example we applying this policy(Branch01 PSO) for user group Branch01-users.