How Windows Active Directory Allows for Multiple Password Policies

Fine Grained Password Policies for Active Directory

For years, we’ve all come to accept that everyone in an organization is bound by the same password policy. Our Active Directory Domain default password policy was the master of everyone’s password settings. Well, let me let you in on a little secret… It’s not true: a company can have multiple password policies! You can get as granular as you want. Maybe all system admins have a stronger policy than the rest of the company, email-only accounts have a more relaxed policy, and service accounts have passwords that only change once a year but have to be 20 characters long.

What? You haven’t heard about this yet? You’re not alone; many IT, Security, and Audit professionals haven’t either. What I’m talking about is what Microsoft calls Fine Grained Password Policies. Starting with Windows Server 2008, Active Directory domains running at the Windows Server 2008 domain functional level or higher can create fine grained password policies (stored as Password Settings Objects, or PSOs), or simply put, you can add multiple password policies to a single domain.

So why, this many years later, are fine grained password policies still relatively unknown and not implemented? Well, for starters, when Microsoft first introduced this feature in Windows Server 2008, they didn’t exactly make it simple to implement. If you are/were running a Windows Server 2008 environment, in order to implement a new password policy you had to use ADSI Edit to hand-build a new Password Settings Object under the Password Settings Container. The process, while not crazy hard, wasn’t point and click either. Second, the built-in tools for reviewing password policies do not show you any fine grained password policies: a PSO is not a Group Policy Object, so gpresult, the Default Domain Policy GPO, and net accounts only ever show the domain-wide policy. If you were an IT auditor or security administrator, it was not clear that these policies were possible, let alone in place!

In Windows Server 2012, Microsoft added an easier-to-use GUI front end (in the Active Directory Administrative Center) to make the process of setting up fine grained password policies simpler. This increased use but still didn’t make audit and review of password policies any easier. It was still very difficult to review an Active Directory environment for fine grained password policies.

What are some of the details for Fine Grained Password Policies?

  1. Fine Grained Password Policies can be applied to individual users or to global security groups (membership in a nested group counts).
  2. Fine Grained Password Policies can not be applied directly to an AD OU.
  3. A user who has multiple password policies applied to them will use the policy that has the highest priority, which in AD terms is the lowest Precedence value. A policy linked directly to the user account always wins over one inherited through a group, regardless of precedence, and if two policies tie on precedence the one with the lower object GUID is used.
  4. Management of Fine Grained Password Policies is done through Active Directory Administrative Center and/or Windows PowerShell. Normal password management and reporting tools will not show any password policies outside of the default domain policy.
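As an added example (not part of the original post), here is the three-policy setup from the introduction built in PowerShell: a strict policy for admins, a 20-character once-a-year policy for service accounts, and a relaxed policy for email-only accounts, with the precedence numbers chosen so that the stricter policy wins whenever an account lands in more than one group. The group names (SG-SystemAdmins, SG-ServiceAccounts, SG-EmailOnly) and the user jdoe are assumed for illustration and must already exist; the cmdlets are the standard ActiveDirectory module ones.

```powershell
Import-Module ActiveDirectory

# Assumed group names for illustration; they are not from the original post.
$adminGroup   = 'SG-SystemAdmins'
$serviceGroup = 'SG-ServiceAccounts'
$emailGroup   = 'SG-EmailOnly'

# System admins: strongest settings and the lowest precedence number, so this
# PSO wins over any other PSO an admin might also pick up through a group.
New-ADFineGrainedPasswordPolicy -Name 'PSO-SystemAdmins' -Precedence 10 `
    -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false -Description 'Privileged accounts'

# Service accounts: 20 characters minimum, rotated once a year.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 20 `
    -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 10 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false -Description 'Service accounts, yearly rotation'

# Email-only accounts: relaxed settings. Highest precedence number, so anyone
# who is also an admin or a service account still gets the stricter PSO.
New-ADFineGrainedPasswordPolicy -Name 'PSO-EmailOnly' -Precedence 100 `
    -MinPasswordLength 8 -ComplexityEnabled $true -PasswordHistoryCount 10 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '180.00:00:00' `
    -LockoutThreshold 10 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false -Description 'Mailbox-only accounts'

# A PSO can only be linked to users and global security groups, never to an
# OU, so group membership is what actually decides who gets which policy.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-SystemAdmins'    -Subjects $adminGroup
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects $serviceGroup
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-EmailOnly'       -Subjects $emailGroup

# Check what a user who sits in both the admin and the email-only group gets:
# AD resolves the conflict to PSO-SystemAdmins, because precedence 10 beats 100.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

The last line is the one to keep handy: Get-ADUserResultantPasswordPolicy returns the PSO AD will actually enforce for that account, or nothing if only the default domain policy applies, so it is the quickest way to confirm that your precedence numbers do what you intended.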

So, how do I know if my organization is using Fine Grained password policies and what users they apply to? Well, PowerShell of course! If you use the Active Directory module within PowerShell you are given Get-ADFineGrainedPasswordPolicy. A simple `Get-ADFineGrainedPasswordPolicy -Filter *` run as a Domain Admin will pull down all of the fine grained password policies (if any); run it with sufficient rights, because the Password Settings Container that holds the PSOs is not readable by ordinary users by default, and a run that returns nothing because of missing permissions looks exactly like a domain with no PSOs.

Once you identify the Fine Grained Password Policies you’ll want to ensure that the appropriate policy is being applied to each account. This is decided by the precedence number, and the lowest number wins in the case that a user is in two groups with different policies; a policy linked directly to the user account beats any group-linked policy regardless of its number. Rather than working this out by hand, Get-ADUserResultantPasswordPolicy reports the policy AD actually enforces for a given user, and Get-ADFineGrainedPasswordPolicySubject lists the users and groups each policy is linked to.
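The audit the two paragraphs above describe, as an added example (not the post’s own code or the AD Auditor Tool): it prints the default domain policy as a baseline, enumerates every PSO in precedence order, flags PSOs that are weaker than that baseline, expands each PSO’s subjects through nested groups, and finishes with the resultant policy per enabled user. It assumes the ActiveDirectory module and an account that can read the Password Settings Container; everything else is standard cmdlets.

```powershell
Import-Module ActiveDirectory

# Baseline: the only policy net accounts or gpresult will ever show you.
$default = Get-ADDefaultDomainPasswordPolicy
'Default domain policy: MinLength={0} MaxAge={1} History={2} Complexity={3}' -f `
    $default.MinPasswordLength, $default.MaxPasswordAge, $default.PasswordHistoryCount, $default.ComplexityEnabled

# Every PSO in the domain, strongest first (the lowest precedence value wins).
$psos = @(Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence)
if ($psos.Count -eq 0) { 'No fine grained password policies found in this domain.' }

foreach ($pso in $psos) {
    "`nPSO {0}  precedence={1}" -f $pso.Name, $pso.Precedence
    '  MinLength={0} MaxAge={1} History={2} Complexity={3} LockoutThreshold={4}' -f `
        $pso.MinPasswordLength, $pso.MaxPasswordAge, $pso.PasswordHistoryCount, `
        $pso.ComplexityEnabled, $pso.LockoutThreshold

    # The audit question: is this PSO weaker than the default everyone assumes applies?
    if ($pso.MinPasswordLength -lt $default.MinPasswordLength) { '  !! shorter minimum length than the domain default' }
    if ($pso.PasswordHistoryCount -lt $default.PasswordHistoryCount) { '  !! shorter password history than the domain default' }
    if (-not $pso.ComplexityEnabled -and $default.ComplexityEnabled) { '  !! complexity disabled' }
    if ($pso.ReversibleEncryptionEnabled) { '  !! reversible encryption enabled (passwords recoverable in cleartext)' }

    # Who it hits: users linked directly, plus group members expanded through nesting.
    foreach ($subject in Get-ADFineGrainedPasswordPolicySubject -Identity $pso.Name) {
        if ($subject.objectClass -eq 'group') {
            $members = @(Get-ADGroupMember -Identity $subject.DistinguishedName -Recursive |
                         Where-Object objectClass -eq 'user')
            '  group {0}: {1} user(s)' -f $subject.Name, $members.Count
        } else {
            '  user  {0}' -f $subject.Name
        }
    }
}

# Resultant policy per enabled user. AD performs the precedence and
# direct-vs-group resolution itself, so this is the column to actually report.
Get-ADUser -Filter 'Enabled -eq $true' | ForEach-Object {
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $_
    [pscustomobject]@{
        User       = $_.SamAccountName
        Policy     = if ($resultant) { $resultant.Name } else { 'Default Domain Policy' }
        Precedence = if ($resultant) { $resultant.Precedence } else { $null }
        MinLength  = if ($resultant) { $resultant.MinPasswordLength } else { $default.MinPasswordLength }
    }
} | Sort-Object Policy, User | Format-Table -AutoSize
```

Two things to keep in mind when running this: expanding large nested groups with Get-ADGroupMember -Recursive can be slow in a big domain, and a MaxPasswordAge of zero on either the default policy or a PSO means passwords never expire, which is the weakest possible setting rather than the strictest, so compare ages by eye rather than trusting a simple numeric sort.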

Not ready to pull this data yourself? Don’t worry, our AD Auditor Tool will pull this for you and put it in an easy-to-understand report!