Updates from QA Training

Windows Server 2012 Fine Grained Password Policies

Windows Server 2008 introduced the Fine Grained Password Policy feature, which allowed different password policies to be deployed against different groups or users within Active Directory. Windows Server 2012 adds a user interface to manage and monitor these policies.


Paul Gregory | 12 September 2012

If you are not familiar with Fine Grained Password Policies, I personally see these as a must-enable feature for almost all organizations that use Active Directory.

Before Windows Server 2008, only one password policy could exist within an Active Directory domain, set against the domain object. If you had users that needed different password policies, maybe for security or compliance reasons, an additional domain had to be created for those user objects.

This causes a fundamental security issue: how can an organization be secure if the receptionist, the enterprise administrator and a temporary employee are all tied to the same password policy? Normally the lowest (read: weakest) options come into effect. With Windows Server 2008, password policies can now be attached to any user or group of users. Most people ask at this point, 'Can I attach a policy to an Organizational Unit?' The answer is no, but you can create what we call a shadow group, where the members of the OU and the group are kept the same, and this could be automated using DS commands or PowerShell (maybe another blog coming up).

However, in Windows Server 2008 there was no pleasant UI to manage these settings. It was all done through ADSIEDIT or ADUC in a very unfriendly way (PowerShell was also available). With Windows Server 2012, Fine Grained Password Policies can now be managed using a dedicated UI for this feature. Like so many other parts, the UI elements have been added to the Active Directory Administrative Center.

One behaviour to always watch for with Fine Grained Password Policies: if you use policies applied both to users and to groups, a user password policy will always override a group password policy.
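The shadow group automation and the user-over-group override described above can be sketched in PowerShell as follows. This is an added example, not code from the original post; the OU, group and policy names are hypothetical, and it assumes the ActiveDirectory module, an existing global security group and an existing password policy object.

```powershell
#Requires -Modules ActiveDirectory
# Added example: keep a shadow group in step with an OU so that a fine grained
# password policy (PSO) linked to the group effectively follows the OU.
# All names below are hypothetical placeholders.
param(
    [string]$OuDn        = 'OU=Temps,DC=example,DC=com',
    [string]$ShadowGroup = 'SG-Temps-PSO',   # existing global security group
    [string]$PsoName     = 'PSO-Temps'       # existing password policy object
)

# Users currently under the OU (child OUs included) and the group's direct
# members, both as distinguished names.
$ouUsers = @(Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * |
             Select-Object -ExpandProperty DistinguishedName)
$group   = Get-ADGroup -Identity $ShadowGroup -Properties member
$members = @($group.member)

# Difference in both directions. Anything in the group that is not a user in
# the OU is removed, so the group should be dedicated to this purpose.
$toAdd    = @($ouUsers | Where-Object { $_ -notin $members })
$toRemove = @($members | Where-Object { $_ -notin $ouUsers })

if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

# Link the PSO to the shadow group if it is not linked already.
$pso = Get-ADFineGrainedPasswordPolicy -Identity $PsoName
if ($pso.AppliesTo -notcontains $group.DistinguishedName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $group
}

# Report every OU user whose resultant policy is NOT the shadow group's PSO.
# A PSO linked directly to the user overrides the group-linked one, so these
# accounts are not actually governed by the policy intended for the OU.
foreach ($dn in $ouUsers) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $dn
    if ($effective.Name -ne $PsoName) {
        [pscustomobject]@{
            User            = $dn
            EffectivePolicy = if ($effective) { $effective.Name } else { '(none)' }
        }
    }
}
```

Run on a schedule, the script keeps membership current as users move in and out of the OU, and the report at the end lists the accounts to review for direct user-level policy links.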

Please watch this video to see it in action, or attend a training course on Windows Server 2012 @QATraining


Paul Gregory

Head of Microsoft Infrastructure

A Microsoft Certified Trainer since 1995, Paul has worked both for and with some of the world's leading IT Services organisations, including Unisys, Dell and Microsoft during the Microsoft Windows (TAP) Technology Adoption Programme. Paul specializes in delivering training around the Windows Operating system as well as infrastructure and management solutions around System Center, going right back to SMS 1.0. Paul is a frequent visitor to Microsoft's Global Headquarters in Seattle to attend early product workshops and for many years has delivered training courses around the world on behalf of Microsoft. In addition to being actively involved in Microsoft's Windows TAP programme, Paul has recently delivered Microsoft's Private Cloud 2012 readiness training to partners in the UK and was a member of the Microsoft global training team delivering Windows Server 2012 early adopter training. During recent years Microsoft has requested Paul to deliver System Center training to Microsoft Partners at both Redmond and the South American head office.