Before Windows Server 2008, Active Directory password policies were configured in the Default Domain Policy GPO, and there could be only one password policy for an entire Active Directory domain. This is very limiting when administrators want to apply different policies to different sets of users, which is a fairly common requirement.
Windows Server 2008 introduced fine-grained password policies. These are policies created outside of Group Policy that can be identified by distinguished name (DN), GUID (Globally Unique Identifier), or name. They are managed either in the Active Directory Administrative Center or in PowerShell with the ActiveDirectory module.
To understand AD fine-grained policies, there are two entities to keep in mind: policies and subjects. The policy is self-explanatory, as it holds the password settings themselves. The subject is slightly odd terminology, but it simply means the users or groups you want the policy to apply to. So there are two steps: creating the policy, and then applying it to a user or group.
To create a fine-grained policy, we use the New-ADFineGrainedPasswordPolicy cmdlet. Here, I create a policy called '12 char', which requires a minimum password length of 12 characters. Note that I set the precedence to 500.
C:\> New-ADFineGrainedPasswordPolicy -MinPasswordLength 12 -Description '12 char' -DisplayName '12 char length' -Name '12 char' -Precedence 500
Now, I apply the policy to a subject using the Add-ADFineGrainedPasswordPolicySubject cmdlet. I use the distinguished name of the account 'testdan', which I retrieve with the Get-ADUser cmdlet (expanding the DistinguishedName property so that the string itself, not a wrapper object, is passed to -Subjects):
C:\> Add-ADFineGrainedPasswordPolicySubject -Identity '12 char' -Subjects (Get-ADUser testdan | Select-Object -ExpandProperty DistinguishedName)
To view existing AD fine-grained policies, the Get-ADFineGrainedPasswordPolicy cmdlet is used. The main parameter used to look up a policy is -Identity. Here I pass the name of the policy to view its contents:
C:\> Get-ADFineGrainedPasswordPolicy -Identity '12 char'
AppliesTo : {CN=testdan,OU=Clients,DC=domain,DC=com}
ComplexityEnabled : True
DistinguishedName : CN=12 char,CN=Password Settings Container,CN=System,DC=domain,DC=com
LockoutDuration : 00:30:00
LockoutObservationWindow : 00:30:00
LockoutThreshold : 0
MaxPasswordAge : 42.00:00:00
MinPasswordAge : 1.00:00:00
MinPasswordLength : 12
Name : 12 char
ObjectClass : msDS-PasswordSettings
ObjectGUID : ae32d5e5-ad80-4dbf-bffb-dd92305159b1
PasswordHistoryCount : 24
Precedence : 500
ReversibleEncryptionEnabled : True
To modify an existing policy, the Set-ADFineGrainedPasswordPolicy cmdlet is used. You can modify any setting in a policy. Here, I change the precedence to 1 and enable protection from accidental deletion by setting -ProtectedFromAccidentalDeletion to $True:
C:\> Set-ADFineGrainedPasswordPolicy -Identity '12 char' -Precedence 1 -ProtectedFromAccidentalDeletion:$True
Finally, to remove a policy we created, we use the Remove-ADFineGrainedPasswordPolicy cmdlet:
C:\> Remove-ADFineGrainedPasswordPolicy -Identity '12 char'
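The cmdlets above are the individual steps; the script below, an added example that is not part of the original post, puts them together as an administrator would roll out a stricter policy to a privileged group and then confirm it actually took effect. Two points it builds in that the step-by-step walkthrough does not show: when several policies apply to one user, the policy with the lowest Precedence value wins (a policy linked directly to the user beats one inherited through a group, and a tie on Precedence is broken by the smallest GUID, which is rarely the intended outcome), and the policy output shown above has ReversibleEncryptionEnabled set to True, which stores passwords in a recoverable form, so the example sets it to $false explicitly. The policy name, the group 'Tier0-Admins' and the use of 'testdan' as a member of that group are assumptions for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): create a stricter fine-grained
# password policy, apply it to a global security group, verify the effective
# policy for a member, and audit for precedence collisions.
# Policy name, group name and membership of the sample user are assumptions.
Import-Module ActiveDirectory

$PolicyName = 'Tier0 Admins 16 char'   # assumed policy name
$GroupName  = 'Tier0-Admins'           # assumed global security group
$SampleUser = 'testdan'                # account used on the page; assumed member of $GroupName

# 1. Create the policy. A LOWER Precedence value wins when more than one
#    policy applies to a user, so privileged-account policies get small numbers.
#    ReversibleEncryptionEnabled is set to $false on purpose: enabling it keeps
#    passwords in a recoverable form, which only legacy protocols need.
$policyParams = @{
    Name                            = $PolicyName
    DisplayName                     = $PolicyName
    Description                     = 'Stricter policy for Tier 0 administrators'
    Precedence                      = 10
    MinPasswordLength               = 16
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    PasswordHistoryCount            = 24
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    MaxPasswordAge                  = (New-TimeSpan -Days 60)
    LockoutThreshold                = 5
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    ProtectedFromAccidentalDeletion = $true
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy @policyParams
}

# 2. Apply it to a subject. Fine-grained password policies apply only to user
#    objects, inetOrgPerson objects and GLOBAL security groups; linking one to
#    a domain local or universal group has no effect, so check the scope first.
$group = Get-ADGroup -Identity $GroupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "$GroupName must be a global security group to receive a fine-grained password policy."
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $group

# 3. Verify: list the subjects the policy is linked to, then ask AD which
#    policy is actually effective for a user. Get-ADUserResultantPasswordPolicy
#    returns nothing when only the Default Domain Policy applies.
Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName |
    Select-Object Name, ObjectClass, DistinguishedName

$effective = Get-ADUserResultantPasswordPolicy -Identity $SampleUser
if ($null -eq $effective) {
    "$SampleUser is governed by the Default Domain Policy (no fine-grained policy applies)."
} else {
    "$SampleUser is governed by '$($effective.Name)' (Precedence $($effective.Precedence), MinPasswordLength $($effective.MinPasswordLength))."
}

# 4. Audit check: two policies sharing a Precedence value leave the winner to
#    GUID ordering. Flag any collisions so they can be renumbered deliberately.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Group-Object -Property Precedence |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        Write-Warning ("Precedence {0} is shared by: {1}" -f $_.Name, ($_.Group.Name -join ', '))
    }
```

Run it from an elevated PowerShell session on a machine with RSAT or on a domain controller, as an account that can create objects in the Password Settings Container. The group-scope check and the resultant-policy lookup are the two places where a rollout silently fails in practice: a policy linked to the wrong group scope, or shadowed by another policy with a lower precedence, produces no error but never applies.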
Active Directory fine-grained password policies ultimately let IT make password policies granular and adapt them to their needs. This means, for instance, that sensitive accounts can be given much stricter policies while normal end users keep less strict ones. Using PowerShell, you can quickly roll out policies to users and groups with the set of cmdlets in the ActiveDirectory module.