Using Fine-Grained Password Policies

This topic shows you how to use Fine-Grained Password Policies (FGPP).

Adding a user or group to a password policy

To apply a password policy to a user or group, run the following command in PowerShell.

Add-ADFineGrainedPasswordPolicySubject PSO -Subjects USER_1,USER_2

Learn more about Add-ADFineGrainedPasswordPolicySubject.

Removing a user or group from a password policy

To remove a user or group from a password policy, run the following command in PowerShell.

Remove-ADFineGrainedPasswordPolicySubject PSO -Subjects USER_1,USER_2

Learn more about Remove-ADFineGrainedPasswordPolicySubject.

Checking which password policy applies to a user

Several password policies can apply to the same user, directly or through group membership. The policy with the lowest Precedence value is the effective policy for that user; if no fine-grained policy applies, the default domain password policy is in effect.

To see the effective policy on a user, run the following command in PowerShell.

Get-ADUserResultantPasswordPolicy -Identity USER

Learn more about Get-ADUserResultantPasswordPolicy.
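Because the effective policy is the result of precedence, the weakest policy a user actually lives under is not always obvious from the PSO list. The following audit script is an added example (it is not part of the original page or of the Managed Microsoft AD product): it walks every enabled user under an OU, resolves the effective policy with Get-ADUserResultantPasswordPolicy, falls back to the default domain policy when no PSO applies, and reports users whose effective settings are weaker than a chosen baseline. The OU path and the baseline values are assumptions; adjust them to your domain.

```powershell
# Added example, not from the original page. Audit the effective password
# policy of every enabled user under an OU and flag accounts whose effective
# policy is weaker than a baseline. $SearchBase and $Baseline are assumptions.
Import-Module ActiveDirectory

$SearchBase = 'OU=Cloud,DC=example,DC=com'   # assumed OU path; adjust
$Baseline = @{
    MinPasswordLength = 14
    LockoutThreshold  = 10    # a threshold of 0 means "never lock out"
}

# When no PSO applies, Get-ADUserResultantPasswordPolicy returns nothing and
# the Default Domain Policy is the effective policy.
$DefaultPolicy = Get-ADDefaultDomainPasswordPolicy

Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    ForEach-Object {
        $user = $_
        $pso  = Get-ADUserResultantPasswordPolicy -Identity $user
        if ($pso) {
            $source = $pso.Name        # the PSO with the lowest Precedence wins
            $policy = $pso
        } else {
            $source = 'Default Domain Policy'
            $policy = $DefaultPolicy
        }

        $findings = @()
        if ($policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
            $findings += "MinPasswordLength=$($policy.MinPasswordLength)"
        }
        if ($policy.LockoutThreshold -eq 0 -or
            $policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
            $findings += "LockoutThreshold=$($policy.LockoutThreshold)"
        }
        if ($policy.ReversibleEncryptionEnabled) {
            $findings += 'ReversibleEncryptionEnabled'
        }
        if (-not $policy.ComplexityEnabled) {
            $findings += 'ComplexityDisabled'
        }

        [pscustomobject]@{
            User     = $user.SamAccountName
            Policy   = $source
            Findings = ($findings -join '; ')
        }
    } |
    Where-Object { $_.Findings } |
    Sort-Object Policy, User |
    Format-Table -AutoSize
```

The Policy column tells you which PSO (or the default domain policy) is actually in force, so a weak finding can be traced back to the specific policy, and to the precedence that let it win, rather than to the user.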

Modifying a pre-created password policy

To modify a pre-created password policy, run the following command in PowerShell.

Set-ADFineGrainedPasswordPolicy -Identity PSO -LockoutDuration DURATION_TIME `
   -LockoutObservationWindow OBSERVATION_TIME -ComplexityEnabled COMPLEXITY_BOOLEAN `
   -ReversibleEncryptionEnabled ENCRYPTION_BOOLEAN -MinPasswordLength LENGTH

Learn more about Set-ADFineGrainedPasswordPolicy.
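The placeholders above hide two details that matter in practice: the lockout parameters are TimeSpan values, and Active Directory rejects an observation window longer than the lockout duration. The script below is an added example (not from the original page or the product) that fills in realistic values, applies them by splatting, and prints a before/after comparison so the change can be reviewed or reverted. The PSO name 'Example-PSO' is an assumption.

```powershell
# Added example, not from the original page. Tighten an existing PSO and
# confirm the change. The PSO name is an assumption; replace it with yours.
Import-Module ActiveDirectory

$PsoName = 'Example-PSO'

# Record the current settings so the change can be reviewed or reverted.
$before = Get-ADFineGrainedPasswordPolicy -Identity $PsoName

# Lockout durations are TimeSpan values; New-TimeSpan avoids ambiguous string
# formats. The observation window must not exceed the lockout duration, or
# the directory rejects the update.
$settings = @{
    Identity                    = $PsoName
    LockoutThreshold            = 10
    LockoutDuration             = New-TimeSpan -Minutes 30
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false   # $true stores recoverable passwords; keep off
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
}

# Add -WhatIf to the call below to preview the change without applying it.
Set-ADFineGrainedPasswordPolicy @settings

$after = Get-ADFineGrainedPasswordPolicy -Identity $PsoName

# Emit a before/after row for each setting that was touched.
$touched = 'LockoutThreshold', 'LockoutDuration', 'LockoutObservationWindow',
           'ComplexityEnabled', 'ReversibleEncryptionEnabled',
           'MinPasswordLength', 'PasswordHistoryCount'
foreach ($name in $touched) {
    [pscustomobject]@{
        Setting = $name
        Before  = $before.$name
        After   = $after.$name
    }
}
```

Running it requires membership in the Cloud Service Fine Grained Password Policy Administrators group described in the next section; the before/after table is what you would attach to a change record.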

Delegating permissions to manage policies

To delegate the ability to manage policies, you can add the user to the Cloud Service Fine Grained Password Policy Administrators group. To add users to this group, run the following command in PowerShell.

Add-ADGroupMember -Identity 'Cloud Service Fine Grained Password Policy Administrators' `
  -Members USER_1,USER_2

Learn more about Add-ADGroupMember.

Removing permissions to manage policies

To remove the ability to manage policies, remove the user from the Cloud Service Fine Grained Password Policy Administrators group. To remove users from this group, run the following command in PowerShell.

Remove-ADGroupMember -Identity 'Cloud Service Fine Grained Password Policy Administrators' `
  -Members USER_1,USER_2

Learn more about Remove-ADGroupMember.

Unlocking a user

To unlock a user who is currently locked out, run the following PowerShell command. Note that you must be a member of the Cloud Service All Administrators group.

Unlock-ADAccount -Identity USER_1

Learn more about Unlock-ADAccount.

If you do not unlock the user manually, the account is unlocked automatically once the lockout duration set in the user's effective policy has elapsed.