Friday 18 September 2015

Configure Event Forwarder and Receiver

Event Forwarding uses HTTP and HTTPS

It only sends a copy of the events to the target; the original events remain unchanged on the source server.

Event forwarding supports the following clients:

Windows 2008
Windows Vista / Windows 7
Windows XP / Windows Server 2003 (with WS-Management 1.1 installed)

Client Configuration








Server Configuration













Wait 15 to 20 minutes for events to be copied from the source to the target. Only newly generated events are copied; existing events are not copied to the forwarder.




Thursday 17 September 2015

Fine Grain Password Policy

In this post we are going to test the use of Fine Grain Password Policy (FGPP) and its limitations.

When Microsoft launched the directory service in 2000 and 2003, there was only one password policy for the entire domain; we could not separate it to suit the requirements of our environment.

To resolve this issue, Microsoft enhanced the password policy in later versions, from 2008 onwards, with a feature called FGPP (Fine Grain Password Policy).

To enable this policy on Windows 2008, your functional level should be 2008.


In my test lab I have created a 2012 server, promoted it to a domain controller for 2012test.local, and created two OUs: AdminUsers for users and groups, and AdminComputer for computer accounts.







My default domain controller password policy is configured as shown below.










I have created a new password policy for my Desktop Admin group as shown below; it applies to everyone who belongs to the Desktop Admin group.

Note

1) Precedence specifies which policy takes effect for a user. The lowest value always wins; if two PSOs have the same precedence, one of them will still win.
2) Which policy takes effect by default when a user attempts to log in? If the user is a member of any PSO, the PSO takes effect.
3) A PSO can be configured for a User or a Group; if there is a conflict, the User PSO takes effect.

Limitations:
FGPP is domain based
A PSO cannot be applied to an OU, a Universal group or a Domain Local group.


If the PSO is applied to a Global group, the policy is applied to the user.


If the group scope is somehow converted to Universal, what is the result?
The PSO is ignored and the default domain password policy takes effect.
The PSO remains linked to the group, but it does not apply to the users.
A PSO does not support Domain Local groups either.
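
The Universal-group scenario above leaves a PSO link in place that no longer does anything, so it is worth auditing for. The following PowerShell is an added example, not part of the original post; it assumes the ActiveDirectory module (RSAT) is available, and the function names Get-PsoLinkStatus and Get-EffectivePasswordPolicyName are hypothetical.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) and read access to the Password Settings Container.
Import-Module ActiveDirectory

# Hypothetical helper: list every PSO link and flag group links that are ignored.
function Get-PsoLinkStatus {
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        foreach ($dn in $pso.AppliesTo) {
            $target  = Get-ADObject -Identity $dn
            $type    = "Direct link ($($target.ObjectClass))"
            $ignored = $false
            if ($target.ObjectClass -eq 'group') {
                $group = Get-ADGroup -Identity $dn
                # PSOs are honoured only on Global security groups. A group
                # converted to Universal or Domain Local keeps the link, but
                # its members fall back to the default domain policy.
                $ignored = -not ($group.GroupScope -eq 'Global' -and
                                 $group.GroupCategory -eq 'Security')
                $type = "$($group.GroupScope) $($group.GroupCategory) group"
            }
            [pscustomobject]@{
                PSO              = $pso.Name
                Precedence       = $pso.Precedence
                Target           = $target.Name
                TargetType       = $type
                IgnoredGroupLink = $ignored
            }
        }
    }
}

# Hypothetical helper: report which policy a given user actually receives.
function Get-EffectivePasswordPolicyName {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { "$($pso.Name) (precedence $($pso.Precedence))" }
    else      { 'Default domain password policy' }
}

# Links that still exist in the directory but are silently ignored.
Get-PsoLinkStatus | Where-Object { $_.IgnoredGroupLink } | Format-Table -AutoSize
```

Running Get-EffectivePasswordPolicyName against a member of a flagged group confirms that the account has fallen back to the default domain password policy.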










Restricted Administrator Access via GPO by using Restricted Group

The lab below shows how to restrict Administrator access to your client computers.


I have a client computer (Client01), and it is in TestOU.




I have restricted administrative access to the client computer to a few users by using a Restricted Group GPO; the GPO is named LocalAdmin.


Assume we have more than 1000 computers and the computer accounts are spread across various OUs. If you want to make your helpdesk admin group local administrators on all servers and computers without disturbing the existing policy, the option below accomplishes the task.

I have created a Central Admin GPO at the top of the root OU, and then added my NETAdmin group to the local Administrators group.



Now the Helpdesk team has Administrator access on all computer accounts.



GPO Result