Password Settings Object: Fine Grained Password (and Lockout) Policy
Windows Server 2008 Active Directory introduces a new feature called fine-grained password policy, which also includes lockout policy.
With this new feature you can, for the first time, apply different password and lockout policies to different users within the same domain. Prior to this you had one policy for the whole domain; see Account Policies Explained.
Microsoft didn't do this the way I would have which would have simply been to implement it via group policy and allow you to configure different password policies at the organizational unit level.
Anyway, the way it works is you create a new object called a Password Settings Object (PSO). In the PSO you set the same maximum password age, complexity requirements, lockout thresholds, etc. that you find under Account Policy in a GPO.
Then you link that PSO to individual users (bad admin!) or to groups (that's it). Note that you have to use groups where the group scope is Global (not Local or Universal) and group type is Security (not Distribution). All members of the group inherit the password and lockout policy defined in the PSO linked to that group.
It's possible for a user to end up with more than one applicable PSO, so Windows arbitrates between them based on the msDS-PasswordSettingsPrecedence attribute of each PSO: the lower the value, the higher the rank. PSOs linked directly to a user (bad admin!) take precedence over PSOs assigned through group membership.
Figuring Out If Any PSOs Have Been Defined
Maybe you are conducting an audit and you just need to find out if any fine grained password policies have been defined. Here's what you do. Open Active Directory Users and Computers. Select View\Advanced Features. Then double click the Policies container and then the Password Settings Container. If the container is empty, there are no PSOs defined.
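The same audit from the command line, as an added example that is not part of the original page: it lists every PSO in the domain with its precedence and key settings, resolves what each one is linked to, and warns about the two things an auditor usually wants flagged (PSOs linked directly to users, and PSOs linked to groups that are not Global/Security and therefore do not apply). It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine.

```powershell
# Added example, not from the WinSecWiki page. Assumes the ActiveDirectory module
# (RSAT) and a session that can read the domain's Password Settings Container.
Import-Module ActiveDirectory

# Same check as opening the Password Settings Container in ADUC:
# an empty result means no fine-grained password policies are defined.
$psos = Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo, Precedence,
            LockoutThreshold, MinPasswordLength, MaxPasswordAge, ComplexityEnabled

if (-not $psos) {
    Write-Output 'No fine-grained password policies are defined in this domain.'
    return
}

# Lowest precedence value wins when a user matches more than one PSO, so sort that way.
foreach ($pso in ($psos | Sort-Object Precedence)) {
    Write-Output ('PSO {0}: precedence={1} minlen={2} maxage={3} lockout={4} complexity={5}' -f
        $pso.Name, $pso.Precedence, $pso.MinPasswordLength, $pso.MaxPasswordAge,
        $pso.LockoutThreshold, $pso.ComplexityEnabled)

    if (-not $pso.AppliesTo) {
        Write-Warning ('  {0} is not linked to any user or group (orphaned PSO)' -f $pso.Name)
    }

    # Resolve each linked principal and classify it.
    foreach ($dn in $pso.AppliesTo) {
        $obj = Get-ADObject -Identity $dn
        switch ($obj.ObjectClass) {
            'user' {
                # Direct user links override group links; the "bad admin" case above.
                Write-Warning ('  linked directly to user {0}' -f $obj.Name)
            }
            'group' {
                $grp = Get-ADGroup -Identity $dn
                if ($grp.GroupScope -ne 'Global' -or $grp.GroupCategory -ne 'Security') {
                    # Only global security groups are valid PSO subjects; anything else is silently ineffective.
                    Write-Warning ('  linked to {0} ({1}/{2}) which a PSO cannot apply to' -f
                        $grp.Name, $grp.GroupScope, $grp.GroupCategory)
                } else {
                    Write-Output ('  applies to global security group {0}' -f $grp.Name)
                }
            }
            default { Write-Output ('  applies to {0} ({1})' -f $obj.Name, $obj.ObjectClass) }
        }
    }
}
```

Run it from an elevated PowerShell session on a domain member with RSAT; reading PSOs requires permission on the Password Settings Container, which by default is granted to Domain Admins.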
Configuring PSOs
Check out New-ADFineGrainedPasswordPolicy and related cmdlets in PowerShell.
Displaying a Given User's Resultant Password Policy
Use this command line, giving the user's distinguished name: dsget user <UserDN> -effectivepso
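A worked example of the two steps above (configuring a PSO, then displaying a user's resultant policy), added here and not taken from the original page: it creates a PSO with the same settings you would otherwise set under Account Policies in a GPO, checks that the target group is a global security group before linking it, and then shows which PSO a member of that group actually ends up with. The PSO name, group name and user name are assumptions; it uses the ActiveDirectory module cmdlets New-ADFineGrainedPasswordPolicy, Add-ADFineGrainedPasswordPolicySubject and Get-ADUserResultantPasswordPolicy.

```powershell
# Added example, not from the WinSecWiki page. Assumes the ActiveDirectory module
# and Domain Admin rights. Names below are assumptions for illustration.
Import-Module ActiveDirectory

$psoName   = 'PSO-PrivilegedAdmins'   # assumed PSO name
$groupName = 'Privileged Admins'      # assumed existing global security group
$user      = 'jdoe'                   # assumed member of that group

# Precedence is msDS-PasswordSettingsPrecedence: the lower the value, the higher the rank
# when a user has more than one applicable PSO. Durations are TimeSpans (d.hh:mm:ss).
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:15:00' -LockoutDuration '0.00:30:00' `
    -ReversibleEncryptionEnabled $false

# A PSO can only be applied to groups of scope Global and type Security; fail early otherwise.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw ("'{0}' is {1}/{2}; PSOs apply only to Global/Security groups" -f
        $group.Name, $group.GroupScope, $group.GroupCategory)
}

# Link the PSO to the group rather than to individual users.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Resultant policy for one user; equivalent to: dsget user <UserDN> -effectivepso
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if ($effective) {
    Write-Output ('{0} gets PSO {1} (precedence {2}, lockout threshold {3})' -f
        $user, $effective.Name, $effective.Precedence, $effective.LockoutThreshold)
} else {
    Write-Output ('{0} has no PSO; the domain Default Domain Policy applies' -f $user)
}
```

Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies, which is the easiest way to confirm that a user is still governed by the domain-wide Account Policy rather than by a PSO.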