Fine grained password policies for Windows Server 2008 Active Directory Domain Services

This content is 17 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Another new feature in Windows Server 2008 Active Directory Domain Services is that (at long last) it’s now possible to apply multiple password policies within a single domain using a new feature called fine grained password policies. Now PINs can be used for mobile device access and complex passwords for conventional form factor devices without requiring separate domains, third party software or writing a custom password filter DLL.

The fine grained password policies are user and group based (i.e. not per-OU – in order to avoid extra domain load during login) and multiple policies can be applied; however, the new functionality involves a complex administrative process and there is no GUI yet (although the password settings container can be found if Advanced Features are enabled in Active Directory Users and Computers). Fortunately, Joe Richards has written PSOMgr (a command line tool to manage fine grain password policy password settings objects) and Christoffer Andersson has a similar tool with MMC/PowerShell interfaces.

One thought on “Fine grained password policies for Windows Server 2008 Active Directory Domain Services

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.