Fine Grained Passwords
Windows 2008

When you want to use fine-grained passwords, keep the following in mind:

Configuring Fine-Grained Passwords
Fine-grained passwords can be implemented by following these tasks:

  • Raise the domain functional level (DFL) to Windows Server 2008 (if not already raised)
  • Run adsiedit.msc
  • Connect to the naming context
  • Expand <Domain> | System | Password Settings Container
  • Right-click & create Object
  • Enter values

Attribute                                  Value
CN                                         MyFineGrainedPasswordSettings (or whatever you want)
msDS-PasswordSettingsPrecedence            10
msDS-PasswordReversibleEncryptionEnabled   False
msDS-PasswordHistoryLength                 15
msDS-PasswordComplexityEnabled             True
msDS-MinimumPasswordLength                 12
msDS-MinimumPasswordAge                    -1296000000000
msDS-MaximumPasswordAge                    -82944000000000
msDS-LockoutThreshold                      0
msDS-LockoutObservationWindow              -18000000000
msDS-LockoutDuration                       -18000000000

Note: the values that start with a minus sign ("-") are Integer 8 values of nanoseconds. The values you see above are generally default level values. Adjust to your own requirements.

Now, you will need to configure a specific user or group to use the above password policy. Let's configure this on TucsonUser01.

  • Open Active Directory Users and Computers
  • View | Advanced Features
  • Expand <Domain> | System | Password Settings Container
  • Open CustomPassword properties
  • Edit msDS-PSOAppliesTo attribute
  • Add DallesUser01

To use a tool for this, take a look at Specops.