Windows Fine Grained Password Policy

One of the great things that is introduced in Windows 2008 is the introduction of Fine Grained Password Policies.  What is FGP? With a Windows 2000/2003 domain, it has only been possible to have a single password policy that applied to everyone in your domain.  Most domains, though, do have some accounts that have higher privileges that they might want to have a stricter password policy for those specific accounts.  That is what FGP does is allow you to have different password policies for different users.  In our domain, we have an established policy requiring a stricter password policy (minimum 15 characters for length), but have never been able to enforce this policy.  FGP now allows us to enforce this policy.  (NOTE:  FGP can only be implemented when your domain functional level is at 2008 or later.)

So, how does this work?  Well, you need to create a Password Settings object (PSO) in the System container of the domain.  There are a couple of different ways to do so:

  • Powershell – Use a script to create and set the PSO.
  • Specops Password Policy Basic – Use a free GUI to create the PSO and verify that it is setup properly.

I chose to use Specops free utility to set this policy.  After installing the application, it is easy to open up the tool to change and view any policies.


The Specops tool also allows you to lookup the password policy for an individual user to verify that it is applied properly.


References – Specops Password Policy Basic information – AD DS Fine Grained Password Policy information