MS Fine-Grained AD Password Policies

The Default Domain Policy GPO is used to set the password policy in an Active Directory environment. However, according to Microsoft, only one domain-wide password policy can be in effect per domain through Group Policy. Microsoft created Fine-Grained Password Policies to allow additional password policy settings where required. They may be set via PowerShell commands or using the Active Directory Administrative Center (ADAC) tool.

A few caveats:

Fine-Grained Password Policies can be applied to user objects and global security groups. If you need to apply a Fine-Grained Password Policy to an OU, a "shadow" group is required: a global security group whose membership mirrors the users in that OU, with the policy applied to the group. A shadow group can only mirror one OU, and if a user is moved between OUs, the shadow group membership must also be changed.
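The membership maintenance the caveat describes can be scripted rather than done by hand. The following is an added example, not code from the original page, showing how to keep a shadow group in sync with the direct user members of one OU; the OU path and group name are assumptions for illustration, and the script is meant to be run on a schedule so that users moved into or out of the OU pick up or lose the policy.

```powershell
# Added example (not from the original page): keep a "shadow" global security group in sync
# with the user objects that live directly in one OU, so a Fine-Grained Password Policy
# applied to the group follows the OU. OU path and group name below are assumptions.
Import-Module ActiveDirectory

$OuPath      = "OU=ServiceAccounts,DC=example,DC=com"   # assumed OU
$ShadowGroup = "FGPP-ServiceAccounts-Shadow"             # assumed group name

# Create the shadow group once if it does not exist (FGPPs need a global security group)
if (-not (Get-ADGroup -Filter "Name -eq '$ShadowGroup'")) {
    New-ADGroup -Name $ShadowGroup -GroupScope Global -GroupCategory Security -Path $OuPath
}

# Users currently in the OU (SearchScope OneLevel: direct children only, not nested OUs)
$ouUsers = Get-ADUser -SearchBase $OuPath -SearchScope OneLevel -Filter * |
           Select-Object -ExpandProperty DistinguishedName

# Users currently in the shadow group (ignore any nested groups or computers)
$members = Get-ADGroupMember -Identity $ShadowGroup |
           Where-Object objectClass -eq 'user' |
           Select-Object -ExpandProperty distinguishedName

# Add users who were moved into the OU
$toAdd = $ouUsers | Where-Object { $_ -notin $members }
if ($toAdd) { Add-ADGroupMember -Identity $ShadowGroup -Members $toAdd }

# Remove users who were moved out of the OU, so the policy stops applying to them
$toRemove = $members | Where-Object { $_ -notin $ouUsers }
if ($toRemove) { Remove-ADGroupMember -Identity $ShadowGroup -Members $toRemove -Confirm:$false }

"Shadow group '$ShadowGroup': added $(@($toAdd).Count), removed $(@($toRemove).Count)"
```

If the OU contains sub-OUs whose users should also be covered, change -SearchScope to Subtree; the one-OU-per-shadow-group rule still applies because the policy subject is the group, not the OU.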

There are several methods by which a new policy can be created, such as ADSI Edit, but this will only cover the more common methods of creation.

Create a New Fine-Grained Password Policy via GUI

Open Active Directory Administrative Center (ADAC) as admin:

Server Manager -> Tools -> Active Directory Administrative Center

Or open PowerShell as admin:

dsac.exe

In ADAC:

Manage -> Add Navigation Modes

In the "Add Navigation Modes" window:

System -> Password Settings Container -> click the double arrow button to add it to the navigation pane -> OK

Create a new password policy:

Select System -> Password Settings Container -> New (under Tasks) -> Password Settings

Enter the appropriate password policy information. Note the name that you give it and set a precedence such as "1" (when more than one policy applies to a user, the lowest precedence value wins). Under "Directly Applies To", add the desired security group that the new policy will be applied against.

Fine-Grained Password Policies Using PowerShell

As always, see PowerShell Help (Get-Help <cmdlet> -Full) for more detailed information than may be shown here. Open PowerShell as admin.

To view all policies (or get a policy name):

Get-ADFineGrainedPasswordPolicy -Filter "*"

To view a single policy:

Get-ADFineGrainedPasswordPolicy -Identity "<policy name>"

To view all properties in a policy:

Get-ADFineGrainedPasswordPolicy -Identity "<policy name>" -Properties *

To view detailed properties information:

Get-ADFineGrainedPasswordPolicy -Identity "<policy name>" -Properties * | Get-Member

To view the group affected by the Fine-Grained Password Policy (can also be seen in the above commands):

Get-ADFineGrainedPasswordPolicySubject -Identity "<policy name>"

To create a new policy:

New-ADFineGrainedPasswordPolicy "<policy name>" -ComplexityEnabled:$true -MaxPasswordAge:"90.00:00:00" -MinPasswordAge:"1.00:00:00" -MinPasswordLength:"12" -PasswordHistoryCount:"24" -Precedence:"1" -ReversibleEncryptionEnabled:$false -ProtectedFromAccidentalDeletion:$true

Apply a security group to a policy:

Add-ADFineGrainedPasswordPolicySubject "<policy name>" -Subjects "<group name>"

Check the resultant (effective) password policy for a user in the group:

Get-ADUserResultantPasswordPolicy "<user name>"

You can also edit and delete a policy using PowerShell (Set-ADFineGrainedPasswordPolicy and Remove-ADFineGrainedPasswordPolicy). Look them up. In both PowerShell and ADAC the "Protect from accidental deletion" property must be changed before deletion can take place.
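The PowerShell steps above (create, apply to a group, verify the resultant policy) fit together into one script. The following is an added example, not code from the original page; the policy, group and user names are assumptions for illustration, and the group is assumed to already exist as a global security group.

```powershell
# Added example (not from the original page): create a Fine-Grained Password Policy,
# attach it to a security group, and verify which policy actually wins for one member.
# Policy, group and user names are assumptions for illustration.
Import-Module ActiveDirectory

$PolicyName = "PSO-PrivilegedUsers"   # assumed policy name
$GroupName  = "Privileged Users"      # assumed existing global security group
$UserName   = "jdoe"                  # assumed member of that group

# Create only if missing, so the script can be rerun safely.
# Lower Precedence wins when a user is covered by more than one policy.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge "1.00:00:00" `
        -MaxPasswordAge "60.00:00:00" `
        -LockoutThreshold 5 `
        -LockoutObservationWindow "0.00:15:00" `
        -LockoutDuration "0.00:30:00" `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

# Apply the policy to the group, skipping the add if the group is already a subject
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName
if ($subjects.Name -notcontains $GroupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
}

# Show what the policy applies to
Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName | Select-Object Name, objectClass

# Verify the effective policy for the user; no result means the Default Domain Policy applies
$effective = Get-ADUserResultantPasswordPolicy -Identity $UserName
if ($null -eq $effective) {
    "No Fine-Grained Password Policy applies to $UserName; the Default Domain Policy settings are in effect."
} else {
    $effective | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
}
```

The resultant-policy check is the part worth keeping in a change procedure: group membership, nested groups and competing policies with lower precedence values can all mean the policy you just created is not the one a given user actually gets.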