WinSecWiki > Security Settings > Account Policies > Password Policy > Password Settings Object

Password Settings Object: Fine Grained Password (and Lockout) Policy

Fine Grained Password (and Lockout) Policy

Windows Server 2008 Active Directory introduces a new feature called fine grained password policy - which also includes lockout policy.

With this new feature you can for the first type apply different password and lockout policies to different users within the same domain. Prior to this you had one policy for the whole domain, see Account Policies Explained.

Microsoft didn't do this the way I would have which would have simply been to implement it via group policy and allow you to configure different password policies at the organizational unit level.

Anyway, the way it works is you create a new object called a Password Settings Object (PSO). In the PSO you set the same maximum password age, complexity requirements, lockout thresholds, etc that you find under Account Policy in a GPO.

Then you link that PSO to individual users (bad admin!) or to groups (that's it). Note that you have to use groups where the group scope is Global (not Local or Universal) and group type is Security (not Distribution). All members of the group inherit the password and lockout policy defined in the PSO linked to that group.

It's possible for a user to end up with more than one applicable PSO to Windows arbitrates between them based on the msDS-PasswordSettingsPrecedence attribute of each PSO - the lower the value the higher the rank. And PSOs linked directly to a user (bad admin!) take precedence over PSOs assigned through group membership.

Figuring Out If Any PSOs Have Been Defined

Maybe you are conducting an audit and you just need to find out if any fine grained password policies have been defined. Here's what you do. Open Active Directory Users and Computers. Select View\Advanced Features. Then double click the Policies container and then the Password Settings Container. If the container is empty, there are no PSOs defined.

Configuring PSOs

Check out New-ADFineGrainedPasswordPolicy and related cmdlets in PowerShell.

Displaying a Given User's Resultant Password Policy

Use this command line: dsget user -effectivepso

Back to top


Additional Resources