Active Directory Password Policies

Brian St. Marie - Sr. Systems Engineer

Oftentimes, users have a hard time adapting to new password policies on their network.  Perhaps they are running an older version of Windows server or don't have a domain at all and use blank passwords or very simple passwords.  Once they move to a Windows 2003 or 2008 network, they find their old passwords are no longer acceptable.  Most times, users adapt and begin using more complex passwords, but sometimes users want to stick with their old password policy or modify the security level provided by the default Windows policy.  Unfortunately, this is not as easy as it may seem.

In a standard Windows 2008 or 2003 domain, the password policy is pre-defined in the Default Domain Policy Group Policy Object.  This policy is reasonably good for most configurations, though circumstances may vary from organization to organization.  Unfortunately, while you can create new GPOs and configure password policy settings in them, they will have no effect.  The only way to change the password policies of the domain is by editing the Default Domain Policy.  In fact, even if you set the Default Domain Policy password options all to "Not Defined", the standard Active Directory defaults will remain; you must define all the values for any changes to take effect.

This has long been a limitation of Active Directory and newer versions of Windows have not adequately provided alternatives.  In particular, some organizations wish to have multiple password policies, defining different restrictions and requirements for different sets of users.  This has never been possible until Windows 2008.

While common sense would lead you to believe you could simply create new GPOs with custom password policies and assign those to the appropriate Organizational Units, this does not work.  Instead, Microsoft has created an entirely new system specifically for multiple password policies.  This system is known as Fine Grained Password Policies.  The basic process involves adding a new Active Directory object, known as a Password Settings Object (PSO), into a new container, known as the Password Settings Container (PSC).  The steps necessary to do this are complex and involve using ADSIEdit to manually create the new objects.  Microsoft provides a step-by-step explanation of the process (here)
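As an added example, not part of the original article, the same PSO creation done with the ActiveDirectory PowerShell module (available from Windows Server 2008 R2) rather than ADSIEdit; it assumes the domain functional level is Windows Server 2008 or higher and that a global security group named "Service Desk" exists (the PSO and group names are hypothetical).

```powershell
# Added example, not the article's own procedure. Requires the ActiveDirectory
# module and a domain functional level of Windows Server 2008 or higher.
Import-Module ActiveDirectory

$psoName   = "PSO-ServiceDesk"   # hypothetical PSO name
$groupName = "Service Desk"      # hypothetical global security group

# Create the PSO inside the Password Settings Container
# (CN=Password Settings Container,CN=System,<domain DN>).
# Every password and lockout attribute is set explicitly: a PSO must define
# all of them, it cannot leave any "Not Defined".
$psoParams = @{
    Name                        = $psoName
    DisplayName                 = $psoName
    Description                 = "Stricter policy for service desk staff (example)"
    Precedence                  = 10             # lowest value wins if several PSOs apply to a user
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    MinPasswordAge              = "1.00:00:00"   # TimeSpan: 1 day
    MaxPasswordAge              = "60.00:00:00"  # TimeSpan: 60 days
    LockoutThreshold            = 5
    LockoutObservationWindow    = "0.00:30:00"   # 30 minutes
    LockoutDuration             = "0.00:30:00"
}
New-ADFineGrainedPasswordPolicy @psoParams

# Link the PSO. PSOs apply only to users and global security groups, never to
# OUs, which is why a GPO linked to an OU cannot carry a domain password policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify which policy each member of the group actually receives. A null
# result means the Default Domain Policy still applies to that account.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User      = $_.SamAccountName
            Policy    = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            MinLength = if ($pso) { $pso.MinPasswordLength } `
                        else { (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength }
        }
    }
```

The verification step is the check worth keeping: a PSO that is created but linked to a wrong or nested-only group silently leaves users on the default policy.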