Configure Fine-Grained Password Policies for Specific Users in Active Directory
In this article, we’ll look at account password policies: how they are configured for the entire domain with Group Policy, and how to take a more granular approach and set a password policy for an individual user without using Group Policy.
So first of all, let’s talk about configuring password complexity and requirements through Group Policy.
The downside to Group Policy settings is that they are not very granular; they apply to OU containers and computer objects.
To change account policies using Group Policy, go to any domain controller in your organization, open the Group Policy Management Console (gpmc.msc), go to Security Options, then Account Policies, and then Password Policies.
But, as I said earlier, these settings apply to computer objects and are therefore not very detailed. We don’t want to make an organization-wide change for just one user who might need a weaker password and who somehow managed to get approval from the organization’s CIO.
Configure fine-grained password policies in AD
For this scenario, we will use the Active Directory Administrative Center located in Server Manager under Tools.
Before we dive into the actual PSO (Password Settings Object) configuration, we must first add another node to manage in the console.
Right-click an empty area under the global search and select Add Navigation Nodes.
Then go to System, Password Settings Container, and click Add.
When you return to the Administrative Center, you will see that a new management node has been added. Click on it and go to “New”, “Password Settings”.
This will open the next Create Password Settings screen.
For testing purposes, we’ll leave all the default values, give the PSO a name (Test), and then choose who we want to apply this PSO to.
So, after going to Add and selecting user Todd Smith, I see that this PSO applies only to that user, regardless of OU location, GPO, etc. Don’t forget to set the Priority to 1, which is the highest priority and takes precedence over all other settings.
That’s all! Very simple and very cool. This way, we can assign specific password policies to users without creating complex GPOs, OU structures, etc. Enjoy!
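The same steps can be scripted with the ActiveDirectory PowerShell module, which also makes it easy to check which policy actually applies to the user and to review every PSO in the domain against the domain-wide policy. This is an added example, not part of the original article; the account name tsmith and the numeric settings are assumptions chosen for illustration.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module (RSAT) and rights to create objects in the Password Settings Container.
Import-Module ActiveDirectory

$psoName = 'Test'      # PSO name used in the article
$account = 'tsmith'    # ASSUMPTION: sAMAccountName of user Todd Smith

# Create the PSO. The numeric values are constructed samples; every setting is
# stated explicitly so nothing depends on cmdlet defaults.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 1 `
    -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# Apply it to the single user (the "Add" step in the GUI).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $account

# Verify which policy actually wins for that user.
Get-ADUserResultantPasswordPolicy -Identity $account |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled

# Audit: list every PSO with its subjects and flag settings weaker than the
# default domain password policy, so exceptions stay visible.
$domain = Get-ADDefaultDomainPasswordPolicy
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
    $weaker = @()
    if ($_.MinPasswordLength -lt $domain.MinPasswordLength) { $weaker += 'shorter minimum length' }
    if ($domain.ComplexityEnabled -and -not $_.ComplexityEnabled) { $weaker += 'complexity disabled' }
    if ($_.ReversibleEncryptionEnabled) { $weaker += 'reversible encryption' }
    if ($_.LockoutThreshold -eq 0 -and $domain.LockoutThreshold -ne 0) { $weaker += 'no lockout' }
    [pscustomobject]@{
        Name             = $_.Name
        Precedence       = $_.Precedence
        Subjects         = (Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
                            Select-Object -ExpandProperty SamAccountName) -join ', '
        WeakerThanDomain = $weaker -join '; '
    }
} | Format-Table -AutoSize
```

Running the audit portion on a schedule shows when a per-user exception has been added or loosened, since a PSO overrides the domain policy for its subjects.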