About Fine-Grained Password Policies

This topic explains the Fine-Grained Password Policies (FGPP) concepts and best practices.

Overview

You can use Fine-Grained Password Policies (FGPP) to define and enforce strong password settings on a specific Active Directory user or group. Note that password policies are different from the default domain password policy which is configured by a group policy and linked to the root of the domain.

FGPPs are set in Password Settings Objects (PSO). Each PSO has a precedence value that indicates its priority. The lower this value, the higher the priority of that PSO. Managed Microsoft AD creates ten PSOs with default settings. You cannot change the names or precedences of these PSOs, but you can change the settings. Learn more about the pre-created PSOs.

Policy settings

Each PSO can contain the following policy settings.

• Complexity enabled

• Lockout duration

• Lockout observation window

• Lockout threshold

• Maximum password age

• Minimum password length

• Password history count

• Reversible encryption enabled