Fine-Grained Password Policies concepts

This topic explains the Fine-Grained Password Policies (FGPP) concepts and best practices.

Overview

You can use Fine-Grained Password Policies (FGPP) to define and enforce strong password settings on a specific Active Directory user or group. Note that fine-grained password policies are separate from the default domain password policy, which is configured by a group policy object linked to the root of the domain.

FGPPs are set in Password Settings Objects (PSO). Each PSO has a precedence value that indicates its priority. The lower this value, the higher the priority of that PSO. Managed Microsoft AD creates ten PSOs with default settings. You cannot change the names or precedences of these PSOs, but you can change the settings. Learn more about the pre-created PSOs.

Policy settings

Each PSO can contain the following policy settings.

Best practices

We recommend the following best practices for using FGPP.

Number of policies

You should use 3-5 different password policies in an organization to minimize management overhead. Usually, password policies are defined once and are not changed frequently.

Spacing of policies

Instead of using consecutive precedence values, you should leave space between policies. This leaves room for future changes, because precedence determines the resultant policy for a user who, through direct membership or group nesting, is covered by more than one PSO.

Scenario

In our example organization, we have the following three groups with differing password policy needs.

  • Managers: Most restrictive, highly secure
  • IT department: Medium
  • General: Least secure but easiest to use

Managers

The following password policy settings should be applied to the Managers. It is the most secure policy, so it should have the lowest precedence value, PSO-10. The lower precedence value helps ensure that if a manager is included in many groups, the most restrictive policy applies to them.

PSO-10 policy settings

  Setting                       Value
  Complexity enabled            True
  Lockout duration              30 minutes
  Lockout observation window    30 minutes
  Lockout threshold             5
  Maximum password age          30 days
  Minimum password length       16
  Password history count        24

Learn how to modify a policy to match these settings, and then add this group to this policy.

IT department

The following password policy settings should be applied to the IT department. Note that PSO-20 and PSO-30 are skipped, to allow for the addition of intermediary policies in the future.

PSO-40 policy settings

  Setting                       Value
  Complexity enabled            True
  Lockout duration              30 minutes
  Lockout observation window    30 minutes
  Lockout threshold             10
  Maximum password age          60 days
  Minimum password length       10
  Password history count        10

Learn how to modify a policy to match these settings, and then add this group to this policy.

General

The following password policy settings should be applied to the General group.

PSO-80 policy settings

  Setting                       Value
  Complexity enabled            True
  Lockout duration              30 minutes
  Lockout observation window    30 minutes
  Lockout threshold             15
  Maximum password age          90 days
  Minimum password length       8
  Password history count        10

Learn how to modify a policy to match these settings, and then add this group to this policy.
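The whole scenario, carried out with the ActiveDirectory PowerShell module, as an added example that is not part of this documentation or of Managed Microsoft AD's own tooling. It applies the three tables above to PSO-10, PSO-40 and PSO-80, attaches each PSO to its group, and then checks which PSO actually wins for a sample user, which is the precedence behaviour the spacing section relies on. It assumes a domain-joined session with rights to edit PSOs, that groups named 'Managers', 'IT department' and 'General' exist under those names, and the sample account name is a placeholder.

```powershell
# Added example (not from the Managed Microsoft AD documentation). Assumes the
# ActiveDirectory module, a domain-joined session with rights to edit PSOs, and
# that the three groups exist with the names below (assumed sAMAccountNames).
Import-Module ActiveDirectory

# Settings taken from the three tables on the page. The PSO names carry the
# fixed precedences (10, 40, 80); precedence itself is never modified here
# because Managed Microsoft AD does not allow changing it.
$policies = @(
    @{ Pso = 'PSO-10'; Group = 'Managers';      Lockout = 5;  MaxAge = '30.00:00:00'; MinLength = 16; History = 24 },
    @{ Pso = 'PSO-40'; Group = 'IT department'; Lockout = 10; MaxAge = '60.00:00:00'; MinLength = 10; History = 10 },
    @{ Pso = 'PSO-80'; Group = 'General';       Lockout = 15; MaxAge = '90.00:00:00'; MinLength = 8;  History = 10 }
)

foreach ($p in $policies) {
    # Step 1: modify the pre-created PSO so it matches the table for this group.
    # Lockout duration and observation window are 30 minutes in all three policies.
    Set-ADFineGrainedPasswordPolicy -Identity $p.Pso `
        -ComplexityEnabled $true `
        -LockoutDuration '00:30:00' `
        -LockoutObservationWindow '00:30:00' `
        -LockoutThreshold $p.Lockout `
        -MaxPasswordAge $p.MaxAge `
        -MinPasswordLength $p.MinLength `
        -PasswordHistoryCount $p.History

    # Step 2: apply the PSO to the group. -Subjects accepts group or user identities.
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Pso -Subjects $p.Group
}

# Review all PSOs in precedence order. For a user covered by several PSOs the
# one with the lowest precedence value is the resultant policy.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge, AppliesTo |
    Format-Table -AutoSize

# Verify the resultant policy for a sample account (placeholder name) that is a
# member of both Managers and General. PSO-10 should be reported, because its
# precedence value (10) is lower than PSO-80's (80).
$sampleUser = 'jdoe'   # placeholder; replace with a real sAMAccountName
$rsop = Get-ADUserResultantPasswordPolicy -Identity $sampleUser
if (-not $rsop) {
    "No PSO applies to $sampleUser; the default domain password policy is in effect"
} elseif ($rsop.Name -ne 'PSO-10') {
    Write-Warning "Expected PSO-10 for $sampleUser but the resultant policy is $($rsop.Name) (precedence $($rsop.Precedence))"
} else {
    "Resultant policy for ${sampleUser}: $($rsop.Name), precedence $($rsop.Precedence), minimum length $($rsop.MinPasswordLength)"
}
```

The final check is the part worth keeping in a runbook: after any change to group membership or PSO subjects, Get-ADUserResultantPasswordPolicy shows the policy the directory will actually enforce for an account, which is the only reliable way to confirm that a manager nested into several groups still lands on PSO-10 rather than on a looser policy.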