
Step by Step: Configure and apply a Fine-Grained Password Policy in Windows Server 2012 R2

July 15, 2014

For many years, those of you who have worked with Active Directory might remember that AD was restricted to a single password policy per domain. As time went on, Microsoft decided to fine-grain the password policy so that you, as an administrator, can deploy more than one password policy within a single domain.

Those of you who attended my MCITP Server 2008 training might remember that fine-grained password policy configuration in Windows Server 2008 was not user friendly.

This time, in Windows Server 2012 R2, Microsoft has done a very good job by adding a user-friendly graphical tool to deploy a fine-grained password policy.

If you are still wondering what the h**k this Fine-Grained Password Policy is, take this example… let's say you work in a large organisation with many levels of users and security, so it's necessary to set different requirements for password complexity and for the lockout policy.

For example, the IT assistants may not require the same levels as the IT Engineers and the HR department.


OK, let's get started with our Step by Step…

1 – On the Domain Server (OSI-ADDS-01), open Server Manager, click Tools, and then open Active Directory Administrative Center.


2 – Next, in the Active Directory Administrative Center, in the navigation pane, click osi (local), then double-click the HR OU.

** Please take a few minutes to go through what you have in Active Directory Administrative Center.


3 – For this demo, I will use the HR Department for the PSO. Double-click the HR OU to open it, then right-click HR_Group Managers and click Properties…


4 – In the HR_Group Managers interface, verify that under Group scope the Global button is selected, and then click OK…


5 – Next, in the Active Directory Administrative Center, browse to the System container.


6 – Next, in the details pane, right-click the Password Settings Container, click New, and then click Password Settings.



7 – Next, in the Create Password Settings interface, under Password Settings, you can set any configuration you prefer, depending on your organization's policy.

For example:

a. Type HRManagerPSO in the Name box.
b. Type 10 in the Precedence box.
c. Type 10 in the Minimum password length box.
d. Type 5 in the Number of passwords remembered box.
e. Type 30 in the User must change the password after (days) box.
f. Click Enforce account lockout policy.
g. Type 5 in the Number of failed logon attempts allowed box.
h. Type 10 in the Reset failed logon attempts count after (mins) box.
i. Click the Until an administrator manually unlocks the account option.


8 – Last step: under the Directly Applies To section, click Add…, and in the Enter the object names to select box, type HR_Group Managers, and then click OK…
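
Once the PSO is saved, the result of steps 5 to 8 can be checked from PowerShell. The script below is an added example, not part of the original post: it uses the ActiveDirectory module cmdlets, takes HRManagerPSO, HR_Group Managers and the step 7 values from this page, and assumes the group name resolves as the group's identity (for example its sAMAccountName).

```powershell
# Added example: audits the PSO built in steps 5-8 of this walkthrough.
# Run on a domain-joined host that has the ActiveDirectory module installed.
Import-Module ActiveDirectory

$psoName   = 'HRManagerPSO'        # step 7a
$groupName = 'HR_Group Managers'   # step 8 (assumed to resolve as the group identity)

# Values typed into the Create Password Settings dialog in step 7 (b-e, g, h).
$expected = [ordered]@{
    Precedence               = 10
    MinPasswordLength        = 10
    PasswordHistoryCount     = 5
    MaxPasswordAge           = New-TimeSpan -Days 30
    LockoutThreshold         = 5
    LockoutObservationWindow = New-TimeSpan -Minutes 10
}

$pso = Get-ADFineGrainedPasswordPolicy -Identity $psoName

# 1. Compare each stored value with what was entered in the GUI.
foreach ($key in $expected.Keys) {
    $state = if ($pso.$key -eq $expected[$key]) { 'OK' } else { 'MISMATCH' }
    '{0,-26} expected={1} actual={2} [{3}]' -f $key, $expected[$key], $pso.$key, $state
}

# 2. A PSO takes effect only on user objects and global security groups
#    (this is why step 4 checks the group scope).
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    Write-Warning "$groupName is $($group.GroupScope)/$($group.GroupCategory); the PSO will not apply through it."
}
if ($pso.AppliesTo -notcontains $group.DistinguishedName) {
    Write-Warning "$psoName is not linked to $groupName."
}

# 3. Report the policy that actually wins for each user in the group.
#    Another PSO with a lower precedence number would override this one.
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User      = $_.SamAccountName
            Effective = if ($effective) { $effective.Name } else { '(default domain policy)' }
            AsPlanned = ($effective -and $effective.Name -eq $psoName)
        }
    } | Format-Table -AutoSize
```

Any row with AsPlanned set to False is a user whose password and lockout rules are coming from somewhere other than HRManagerPSO.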




