This topic shows you how to use Fine-Grained Password Policies (FGPP).
Adding a user or group to a password policy
To apply a password policy to a user or group, run the following command in PowerShell.
Add-ADFineGrainedPasswordPolicySubject PSO -Subjects USER_1,USER_2
Learn more about Add-ADFineGrainedPasswordPolicySubject.
Removing a user or group from a password policy
To remove a user or group from a password policy, run the following command in PowerShell.
Remove-ADFineGrainedPasswordPolicySubject PSO -Subjects USER_1,USER_2
Learn more about Remove-ADFineGrainedPasswordPolicySubject.
Checking which password policy applies to a user
Several password policies can apply to a user, either directly or through group membership. When more than one applies, the policy with the lowest precedence value is the effective policy.
To see the effective policy on a user, run the following command in PowerShell.
Get-ADUserResultantPasswordPolicy -Identity USER
Learn more about Get-ADUserResultantPasswordPolicy.
Modifying a pre-created password policy
To modify a pre-created password policy, run the following command in PowerShell.
Set-ADFineGrainedPasswordPolicy -Identity PSO -LockoutDuration DURATION_TIME `
    -LockoutObservationWindow OBSERVATION_TIME -ComplexityEnabled COMPLEXITY_BOOLEAN `
    -ReversibleEncryptionEnabled ENCRYPTION_BOOLEAN -MinPasswordLength LENGTH
Learn more about Set-ADFineGrainedPasswordPolicy.
Delegating permissions to manage policies
To delegate the ability to manage policies, you can add the user to the Cloud Service Fine Grained Password Policy Administrators group. To add users to this group, run the following command in PowerShell.
Add-ADGroupMember -Identity 'Cloud Service Fine Grained Password Policy Administrators' `
    -Members USER_1,USER_2
Learn more about Add-ADGroupMember.
Removing permissions to manage policies
To remove the ability to manage policies, remove the user from the Cloud Service Fine Grained Password Policy Administrators group. To remove users from this group, run the following command in PowerShell.
Remove-ADGroupMember -Identity 'Cloud Service Fine Grained Password Policy Administrators' `
    -Members USER_1,USER_2
Learn more about Remove-ADGroupMember.
Unlocking a user
To unlock a user who is currently locked out, run the following PowerShell command. Note that you must be a member of the Cloud Service All Administrators group.
Unlock-ADAccount -Identity USER_1
Learn more about Unlock-ADAccount.
The user is automatically unlocked after the lockout duration on their policy.
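The following script is an added example, not part of the original page. It lists the accounts that are currently locked out together with the lockout duration of the policy governing each one, so an administrator can tell which will unlock on their own and when, and then previews and performs the unlock of a single account. USER_1 is a placeholder account name, and the unlock requires the group membership the page describes.

```powershell
# Added example (not part of the original page): list currently locked-out
# accounts with the lockout duration of the policy that governs each one,
# then unlock a single named account. USER_1 is a placeholder.
Import-Module ActiveDirectory

# Fallback for users with no PSO applied.
$domainDefault = Get-ADDefaultDomainPasswordPolicy

Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
    $acct = Get-ADUser -Identity $_.SamAccountName -Properties LastBadPasswordAttempt
    $policy = Get-ADUserResultantPasswordPolicy -Identity $acct
    [pscustomobject]@{
        User                   = $acct.SamAccountName
        Policy                 = if ($policy) { $policy.Name } else { 'Default Domain Policy' }
        LockoutDuration        = if ($policy) { $policy.LockoutDuration } else { $domainDefault.LockoutDuration }
        LastBadPasswordAttempt = $acct.LastBadPasswordAttempt
    }
} | Format-Table -AutoSize

# Preview the unlock first, then perform it.
Unlock-ADAccount -Identity 'USER_1' -WhatIf
Unlock-ADAccount -Identity 'USER_1'

# Confirm the account is no longer locked.
(Get-ADUser -Identity 'USER_1' -Properties LockedOut).LockedOut
```

A LockoutDuration of zero means the account stays locked until an administrator unlocks it, so accounts in that state will not clear on their own. A burst of many locked-out accounts with recent LastBadPasswordAttempt values is also worth investigating as a possible password-guessing attempt rather than unlocking one by one.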