Fine Grain Password Policy
In this post we are going to test Fine-Grained Password Policy (FGPP) usage and its limitations.
When Microsoft launched the directory service in Windows 2000 and 2003, there was only one password policy for the entire domain; we could not split it to match the requirements of our environment.
To resolve this issue, Microsoft enhanced the password policy in later versions, from Windows Server 2008 onwards, with FGPP (Fine-Grained Password Policy).
To enable this policy on Windows 2008, the domain functional level must be 2008.
In my test lab I created a 2012 server, promoted it to a domain controller for 2012test.local, and created two OUs: AdminUsers for users and groups, and AdminComputer for computer accounts.
My default domain controller password policy is configured as shown below.
I created a new password policy for my Desktop Admin group, as shown below; the password policy below applies to everyone who is a member of the Desktop Admin group.
Note
1) Precedence specifies which policy takes effect for a user; the lowest precedence value always wins. If two PSOs have the same precedence, one of them will still win.
2) By default, when a user attempts to log in, which policy takes effect? If the user is a member of any PSO, that PSO takes effect.
3) A PSO can be configured for a user or a group; if there is a conflict, the user PSO takes effect.
Limitations:
FGPP is domain based.
A PSO cannot be applied to an OU, a Universal group or a Domain Local group.
If the PSO is applied to a Global group, the policy is applied to its users.
What would be the result if the group scope were somehow converted to Universal?
The PSO is ignored and the default domain password policy takes effect.
The PSO still remains linked to the group, but it will not apply to the users.
The PSO does not support Domain Local groups either.
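The following PowerShell is an added example, not from the original post, that walks through the Note and Limitations sections above: it checks the group scope before linking (the Global-only limitation), creates a PSO with an explicit precedence, links it to the Desktop Admin group, and then reports the resultant policy for a member. It assumes the ActiveDirectory module, a global security group named "Desktop Admin" and a member user "dadmin1" in 2012test.local; the password settings are constructed values, not the ones in the post's screenshot.

```powershell
# Added example (not the original post's code). Assumes the ActiveDirectory (RSAT)
# module, a 2008+ domain functional level, a global security group "Desktop Admin"
# and a member user "dadmin1" in 2012test.local. Settings below are constructed.
Import-Module ActiveDirectory

$groupName = 'Desktop Admin'
$psoName   = 'PSO-DesktopAdmin'
$user      = 'dadmin1'

# Limitation check: a PSO can only be applied to users and global security groups
# (not OUs, universal groups or domain local groups), so refuse anything else.
$group = Get-ADGroup -Identity $groupName -Properties GroupScope, GroupCategory
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "PSO cannot be applied to '$groupName' (scope $($group.GroupScope), category $($group.GroupCategory))."
}

# Create the PSO. When a user falls under several PSOs, the lowest Precedence wins,
# so give the admin policy a low number to keep it ahead of broader policies.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false -Description 'Stricter policy for Desktop Admin group'

# Link the PSO to the global group (the post's case) rather than to an OU.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Resultant policy for a group member. Returns nothing when no PSO applies,
# which is exactly what happens once the group is converted to Universal scope.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if ($resultant) {
    "User $user gets PSO '$($resultant.Name)' (precedence $($resultant.Precedence))"
} else {
    "User $user falls back to the default domain password policy"
}

# To reproduce the post's scope-change scenario, convert the group and re-run the
# resultant check above: the PSO stays linked (AppliesTo) but is no longer applied.
# Set-ADGroup -Identity $groupName -GroupScope Universal

# Audit: list every PSO with its precedence and subjects, lowest precedence first,
# so two PSOs sharing the same precedence can be spotted before they cause surprises.
Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, @{n='AppliesTo'; e={ $_.AppliesTo -join '; ' }}
```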