Configure fine-grained password policies

This page shows you how to use fine-grained password policies (FGPP) in Managed Service for Microsoft Active Directory.

To configure and manage FGPP in Managed Microsoft AD, you can use the standard Active Directory tools. For information about how to use the standard Active Directory tools in Managed Microsoft AD, see Manage Active Directory objects.

Delegate permissions to manage policies

By default, the delegated administrator account has the ability to manage policies in Managed Microsoft AD.

To delegate the ability to manage policies, you can add users to the Cloud Service Fine Grained Password Policy Administrators group. To add users to this group, run the following command in PowerShell.

Add-ADGroupMember -Identity 'Cloud Service Fine Grained Password Policy Administrators' `
  -Members USER_1,USER_2

Replace USER_1,USER_2 with the names of the users or groups to which you want to delegate permission to manage the password policies. For example, myuser. Because members of this group can weaken the policies that apply to every user (including lockout and reversible-encryption settings), treat the group as privileged and review its membership periodically.

Learn more about Add-ADGroupMember.

Remove permissions to manage policies

To remove the ability to manage policies, you can remove the user from the Cloud Service Fine Grained Password Policy Administrators group. To remove users from this group, run the following command in PowerShell.

Remove-ADGroupMember -Identity 'Cloud Service Fine Grained Password Policy Administrators' `
  -Members USER_1,USER_2

Replace USER_1,USER_2 with the names of the users or groups whose permission to manage the password policies you want to remove. For example, myuser.

Learn more about Remove-ADGroupMember.

Modify a pre-created password policy

You can modify the policy settings of an FGPP. Decide which settings you want to change and include only the corresponding parameters in the following command; parameters you omit keep their current values.

To modify a pre-created password policy, run the following command in PowerShell.

Set-ADFineGrainedPasswordPolicy -Identity PSO -LockoutThreshold THRESHOLD -LockoutDuration DURATION_TIME `
   -LockoutObservationWindow OBSERVATION_TIME -ComplexityEnabled COMPLEXITY_BOOLEAN `
   -ReversibleEncryptionEnabled ENCRYPTION_BOOLEAN -MinPasswordLength LENGTH `
   -MaxPasswordAge PASSWORD_AGE -PasswordHistoryCount PASSWORD_COUNT

Replace the following:

  • PSO: Name of the PSO whose policy settings you want to modify. For example, PSO-10.

  • THRESHOLD: The number of failed login attempts after which the user account is locked. A value of 0 disables lockout entirely, which leaves accounts open to online password guessing.

  • DURATION_TIME: The length of time for which the account stays locked after the threshold is reached, as a time span (for example, 00:30:00 for 30 minutes). A value of 0 means the account stays locked until an administrator unlocks it.

  • OBSERVATION_TIME: The length of time, as a time span, within which the failed attempts must occur to count toward the threshold; the failed-attempt counter resets after this window. This value cannot be longer than DURATION_TIME.

  • COMPLEXITY_BOOLEAN: Whether password complexity requirements are enforced ($true or $false).

  • ENCRYPTION_BOOLEAN: Whether passwords are stored using reversible encryption ($true or $false). Reversible encryption is equivalent to storing the password in clear text; leave this set to $false unless a specific application requires it.

  • LENGTH: The minimum number of characters that a password must have.

  • PASSWORD_AGE: The length of time, as a time span (for example, 90.00:00:00 for 90 days), that a user can keep the same password. The user must change the password after this period; a value of 0 means passwords never expire.

  • PASSWORD_COUNT: The number of previous passwords to keep in a user's password history. A user cannot reuse a password that is still in their history.

Learn more about Set-ADFineGrainedPasswordPolicy.
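The following script is an added example, not code from the original page or from Managed Microsoft AD itself. It reads a pre-created PSO, warns about the settings a reviewer would object to, applies a hardened set of values with properly typed time spans, and verifies the write. The PSO name PSO-10 and the chosen values are assumptions; run it from a domain-joined host with the ActiveDirectory RSAT module, as the user delegated above.

```powershell
# Added example (not from the original page): audit and harden a pre-created PSO.
# Assumes the ActiveDirectory module is installed and the caller is a member of
# Cloud Service Fine Grained Password Policy Administrators.
Import-Module ActiveDirectory

$psoName = 'PSO-10'   # assumption: one of the pre-created PSOs in the domain

# 1. Capture the current settings so the change is reviewable.
$props = 'Name', 'Precedence', 'LockoutThreshold', 'LockoutDuration', 'LockoutObservationWindow',
         'ComplexityEnabled', 'ReversibleEncryptionEnabled', 'MinPasswordLength',
         'MinPasswordAge', 'MaxPasswordAge', 'PasswordHistoryCount'
$before = Get-ADFineGrainedPasswordPolicy -Identity $psoName
$before | Format-List -Property $props

# 2. Flag the settings that weaken the policy before touching anything.
if ($before.ReversibleEncryptionEnabled) {
    Write-Warning "$psoName stores passwords with reversible encryption (equivalent to clear text)."
}
if ($before.LockoutThreshold -eq 0) {
    Write-Warning "$psoName has lockout disabled; online password guessing is not rate-limited."
}
if ($before.MinPasswordLength -lt 14) {
    Write-Warning "$psoName allows passwords shorter than 14 characters."
}

# 3. Apply the hardened values. Durations are TimeSpan objects, not plain integers,
#    and the observation window must not exceed the lockout duration.
$settings = @{
    Identity                    = $psoName
    LockoutThreshold            = 10
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MinPasswordLength           = 14
    MinPasswordAge              = (New-TimeSpan -Days 1)    # prevents cycling through the history in one sitting
    MaxPasswordAge              = (New-TimeSpan -Days 365)
    PasswordHistoryCount        = 24
}
Set-ADFineGrainedPasswordPolicy @settings

# 4. Read the object back and fail loudly if the write did not land.
$after = Get-ADFineGrainedPasswordPolicy -Identity $psoName
if ($after.ReversibleEncryptionEnabled -or
    $after.LockoutThreshold -ne $settings.LockoutThreshold -or
    $after.MinPasswordLength -ne $settings.MinPasswordLength) {
    throw "$psoName did not take the expected settings"
}
$after | Format-List -Property $props
```

Splatting the parameters from a hashtable keeps the change set in one place that can be diffed and checked into source control; the read-back step matters because Set-ADFineGrainedPasswordPolicy itself returns nothing on success.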

Add a user or group to a password policy

Add a user or group to a password policy to enforce the FGPP.

To apply a password policy to a user or group, run the following command in PowerShell.

Add-ADFineGrainedPasswordPolicySubject PSO -Subjects USER_1,USER_2

Replace the following:

  • PSO: Name of the password setting object (PSO) to which you want to add the user or group. For example, PSO-10.

  • USER_1,USER_2: Name of the users or groups for which you want to enforce the FGPP. For example, myuser.

Learn more about Add-ADFineGrainedPasswordPolicySubject.

Check which password policy applies to a user

Several password policies can reach a user, either directly or through group membership. The PSO with the lowest precedence value is the effective policy, with one exception: a PSO linked directly to the user account wins over any PSO that reaches the user through a group, regardless of precedence. For information about the precedence settings of PSOs, see Password settings objects.

To see the effective policy on a user, run the following command in PowerShell.

Get-ADUserResultantPasswordPolicy -Identity USER

Replace USER with the name of the user whose effective password policy you want to check. For example, myuser. The command returns nothing when no PSO applies to the user; in that case the default domain password policy is in effect.

Learn more about Get-ADUserResultantPasswordPolicy.
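The following script is an added example, not code from the original page. It applies a PSO to a group, lists every PSO that reaches a member of that group (directly or through nested groups) with its precedence, works out which one should win under the rules above, and compares that with what the domain controller reports. The names PSO-10, Tier0-Admins and myuser are assumptions.

```powershell
# Added example (not from the original page): apply a PSO to a group and
# confirm which PSO is effective for one of its members.
Import-Module ActiveDirectory

$psoName   = 'PSO-10'        # assumption
$groupName = 'Tier0-Admins'  # assumption: an existing security group
$userName  = 'myuser'        # assumption: a member of that group

# Apply the policy to the group rather than to individual users; group
# membership is easier to review than per-user PSO links.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Resolve the user's DN and every group it belongs to, including nested groups,
# with the LDAP_MATCHING_RULE_IN_CHAIN matching rule. (A DN containing LDAP
# filter metacharacters such as parentheses would need escaping first.)
$userDn   = (Get-ADUser -Identity $userName).DistinguishedName
$groupDns = @((Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)").DistinguishedName)
$principalDns = @($userDn) + $groupDns

# Every PSO whose AppliesTo list names the user or one of those groups.
$candidates = Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Where-Object { @($_.AppliesTo | Where-Object { $principalDns -contains $_ }).Count -gt 0 } |
    Sort-Object Precedence

$candidates | Format-Table Name, Precedence,
    @{ Name = 'LinkedDirectly'; Expression = { $_.AppliesTo -contains $userDn } }

# Local resolution: a direct link beats group links; among those, lowest precedence wins.
$direct   = @($candidates | Where-Object { $_.AppliesTo -contains $userDn })
$expected = if ($direct.Count -gt 0) { $direct[0] } else { $candidates | Select-Object -First 1 }

# What the domain controller actually enforces. Returns $null when only the
# default domain password policy applies.
$effective = Get-ADUserResultantPasswordPolicy -Identity $userName
if ($null -eq $effective) {
    "No PSO applies to $userName; the default domain password policy is in effect."
} elseif ($expected -and $effective.Name -ne $expected.Name) {
    Write-Warning "Expected $($expected.Name) but the DC reports $($effective.Name); check for a PSO linked through a group this query did not see."
} else {
    "Effective PSO for ${userName}: $($effective.Name) (precedence $($effective.Precedence))"
}
```

The local resolution is only a cross-check; Get-ADUserResultantPasswordPolicy is the authoritative answer, and a mismatch usually means a link through a group that the membership query could not enumerate.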

Remove a user or group from a password policy

Remove a user or group from a password policy to stop enforcing the FGPP.

To remove a user or group from a password policy, run the following command in PowerShell.

Remove-ADFineGrainedPasswordPolicySubject PSO -Subjects USER_1,USER_2

Replace the following:

  • PSO: Name of the PSO from which you want to remove the user or group. For example, PSO-10.

  • USER_1,USER_2: Name of the users or groups for which you want to stop enforcing the FGPP. For example, myuser.

Learn more about Remove-ADFineGrainedPasswordPolicySubject.

Unlock a user

Active Directory locks a user account when the number of failed password attempts within the lockout observation window reaches the lockout threshold set in the effective password policy.

To unlock a user, run the following PowerShell command. Note that you must be a member of the Cloud Service All Administrators group.

Unlock-ADAccount -Identity USER

Replace USER with the name of the user who you want to unlock. For example, myuser.

Learn more about Unlock-ADAccount.

The user is automatically unlocked after the lockout duration configured in the effective password policy has elapsed. If the lockout duration is 0, the account stays locked until an administrator unlocks it. Before unlocking, check why the account was locked: a burst of lockouts across many accounts in a short window is a sign of password spraying rather than a forgotten password.
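The following script is an added example, not code from the original page. It lists every currently locked-out account together with the lockout settings that apply to it and when it will unlock on its own, then unlocks one account and confirms the result. The user name myuser is an assumption; the script must be run as a member of Cloud Service All Administrators.

```powershell
# Added example (not from the original page): report locked-out accounts with
# their effective lockout settings, then unlock one of them.
Import-Module ActiveDirectory

function Get-LockedOutReport {
    # Search-ADAccount -LockedOut enumerates every account the DC currently reports as locked.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    foreach ($acct in (Search-ADAccount -LockedOut -UsersOnly)) {
        $u = Get-ADUser -Identity $acct.SamAccountName `
                -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt

        # Resultant policy is $null when only the default domain policy applies.
        $pso      = Get-ADUserResultantPasswordPolicy -Identity $u
        $duration = if ($pso) { $pso.LockoutDuration } else { $domainPolicy.LockoutDuration }

        # A zero lockout duration means the account never unlocks on its own.
        $autoUnlock = if ($duration -eq [TimeSpan]::Zero -or $null -eq $u.AccountLockoutTime) {
            'never (administrator unlock required)'
        } else {
            ($u.AccountLockoutTime + $duration).ToString('u')
        }

        [pscustomobject]@{
            User           = $u.SamAccountName
            LockedSince    = $u.AccountLockoutTime
            BadLogonCount  = $u.BadLogonCount        # badPwdCount is per-DC, so this is the value on the DC queried
            LastBadAttempt = $u.LastBadPasswordAttempt
            Policy         = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            AutoUnlockAt   = $autoUnlock
        }
    }
}

Get-LockedOutReport | Sort-Object LockedSince | Format-Table -AutoSize

# Unlock a single account only after the report above has been reviewed.
# Unlock-ADAccount clears the lockout; it does not change the password.
$target = 'myuser'   # assumption
Unlock-ADAccount -Identity $target
if ((Get-ADUser -Identity $target -Properties LockedOut).LockedOut) {
    throw "$target is still locked out"
}
"Unlocked $target"
```

Reviewing the report before unlocking matters because a lockout is evidence of authentication failures; unlocking an account that is being sprayed without addressing the source just lets the attacker keep guessing.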