Paul Gregory | 12 September 2012
Windows Server 2008 introduced the Fine Grained Password Policy feature, which allowed different password policies to be deployed against different groups or users within Active Directory. Windows Server 2012 adds a user interface for managing and monitoring these policies.
If you are not familiar with Fine Grained Password Policies, I personally see these as a must-enable feature for almost all organizations that use Active Directory.
Before Windows Server 2008 only one password policy could exist within an Active Directory domain, set against the domain object. If you had users that needed a different password policy, perhaps for security or compliance reasons, an additional domain had to be created for those user objects.
This causes a fundamental security issue: how can an organization be secure if the receptionist, the enterprise administrator and a temporary employee are all tied to the same password policy? Normally the lowest (read: weakest) options come into effect. With Windows Server 2008 password policies can now be attached to any user or group of users. Most people ask at this point 'Can I attach a policy to an Organizational Unit?' and the answer is no, but you can create what we call a shadow group, where the membership of the OU and the group are kept the same, and this can be automated using DS commands or PowerShell (maybe another blog coming up).
However, in Windows Server 2008 there was no pleasant UI to manage these settings. It was all done through ADSIEDIT or ADUC in a very unfriendly way (PowerShell was also available). With Windows Server 2012 the Fine Grained Password Policies can now be managed using a dedicated UI for this feature. The UI elements have been added, like so many other parts, to the Active Directory Administrative Center.
One behaviour to always watch for with Fine Grained Password Policies is that if you apply policies both directly to users and to groups, a password policy applied directly to a user will always override a password policy applied through a group.
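As an added example (not from the original post) of the shadow group automation mentioned above and a check for the user-over-group precedence rule, the following PowerShell script keeps a shadow group in sync with an OU, links a PSO to that group and then reports the resultant policy for each member. The OU, group and PSO names, and the policy settings, are assumed placeholder values.

```powershell
# Added example, not part of the original post. Assumed names and settings below.
Import-Module ActiveDirectory

$OuDn      = 'OU=Contractors,DC=example,DC=com'   # assumed OU distinguished name
$GroupName = 'PSO-Contractors-Shadow'             # assumed shadow group name
$PsoName   = 'PSO-Contractors'                    # assumed PSO name

# 1. Ensure the PSO exists. When several group-linked PSOs apply to one user, the
#    lowest Precedence value wins. The settings are sample values, not a recommendation.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 50 `
        -ComplexityEnabled $true -MinPasswordLength 14 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
        -PasswordHistoryCount 24 -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30)
}

# 2. Ensure the shadow group exists and mirror the OU's user membership into it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$ouUsers = Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * |
    Select-Object -ExpandProperty DistinguishedName
$members = Get-ADGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty DistinguishedName

$toAdd    = $ouUsers | Where-Object { $_ -notin $members }
$toRemove = $members | Where-Object { $_ -notin $ouUsers }
if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

# 3. Link the PSO to the shadow group if it is not already a subject.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName |
    Select-Object -ExpandProperty Name
if ($GroupName -notin $subjects) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName
}

# 4. Verify which policy actually wins for each member. A PSO linked directly to the
#    user object beats any group-linked PSO, so always check the resultant policy.
foreach ($dn in $ouUsers) {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $dn
    $effective = if ($rsop) { $rsop.Name } else { 'Default Domain Policy' }
    [pscustomobject]@{ User = $dn; ResultantPolicy = $effective }
}
```

Run it on a schedule (for example a scheduled task on a domain controller) so the shadow group keeps tracking the OU; any member whose ResultantPolicy is not the expected PSO has a directly linked PSO or a lower-precedence group PSO that should be reviewed.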