How To Configure Fine Grained Password Policy on Windows Server 2012


In specific scenarios there may be a requirement for administrators to create user accounts which do not comply with the password policies set by the domain. A feature released in Windows Server 2008 allows administrators to do just that. It was, and still is, called "Fine Grained Password Policy", and in this post I will show you how to configure it.

Before we run through the guide I just want to go over a brief example of where this can be used. Many system administrators set up RADIUS authentication on Windows servers so that only devices which are able to authenticate against Active Directory are allowed onto the network. That is fine, but an issue arises when IP phones also need to connect through this network.

To resolve this we need to create a user account for each phone and set a password which will allow it through. Most IP phones, however, can only use their MAC address as both the username and the password, which most password policies would block. This is a perfect scenario for a Fine Grained Password Policy.

The first thing we need to do is create a security group in Active Directory and add the necessary users to this group.

Once that has been created you will need to head over to "Active Directory Administrative Center", which can be found in Server Manager (screenshot below).

Once in the Administrative Center, click on the icon shown below, scroll down to the System container, expand it and select Password Settings.


Then right click in the blank area and select new password settings.

The screenshot above is the configuration window where you can define your specific password settings, such as maximum password length, age or level of password complexity. You can actually disregard these completely and have no policy restricting these accounts at all!

Once you have defined your settings it is worth checking the "Protect from accidental deletion" option and also selecting a "precedence", especially if you are going to be using multiple fine grained policies.

Then in the bottom section you just need to select "Add" and specify your desired group. This can also be done for single users.
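The same procedure can be scripted with the ActiveDirectory PowerShell module. The following is an added example, not part of the original post, and it goes one step further than the GUI walkthrough by confirming which policy a phone account actually receives and listing every account the relaxed policy covers. The group name, policy name, sample username and all policy values are assumptions chosen for the IP phone scenario.

```powershell
# Added example: names and values are assumptions, not from the original post.
Import-Module ActiveDirectory

$GroupName = 'IP-Phones'       # hypothetical security group holding the phone accounts
$PsoName   = 'PSO-IP-Phones'   # hypothetical name for the fine grained policy
$TestUser  = '001122aabbcc'    # constructed sample account (MAC-style username)

# 1. Create the security group if it does not exist yet. Fine grained policies
#    apply only to users and global security groups, so the scope is Global.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path (Get-ADDomain).UsersContainer
}

# 2. Create the policy. Complexity and expiry are relaxed so a 12-character
#    MAC address is accepted as a password; account lockout stays enabled so
#    these weak credentials cannot be guessed without limit.
New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
    -ComplexityEnabled $false -MinPasswordLength 12 -PasswordHistoryCount 0 `
    -MinPasswordAge '0.00:00:00' -MaxPasswordAge '0.00:00:00' `
    -LockoutThreshold 10 -LockoutObservationWindow '0.00:30:00' `
    -LockoutDuration '0.00:30:00' -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# 3. Apply the policy to the group (the "Add" step in the GUI).
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# 4. Confirm what the policy is linked to.
Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName |
    Select-Object Name, ObjectClass

# 5. Confirm the policy that wins for one phone account. No output means the
#    account still falls under the default domain password policy.
Get-ADUserResultantPasswordPolicy -Identity $TestUser |
    Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength

# 6. List every account covered by the relaxed policy, including members of
#    nested groups, so anything that is not a phone account can be removed.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Select-Object SamAccountName, objectClass
```

When more than one fine grained policy reaches the same user through group membership, the one with the lowest precedence value is applied, which is why step 5 checks the resultant policy rather than the link alone.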
