04 December, 2010

How to Configure Fine Grained Password Policy (FGPP)

Fine Grained Password Policy (FGPP)

Before reading this post on how to configure FGPP, I recommend reading the following post:

Fine Grained Password Policy - Concept

Let's start with the lab on FGPP. FGPP can, and has to, be configured using ADSIEDIT.MSC only.

FGPP consists of two parts:
1. PSC - Password Setting Container
2. PSO - Password Setting Object

PSC: A container which contains PSOs
PSO: An object that contains all the settings of a Password Policy

By default, the PSC is created in Domain Partition -> System -> Password Setting Container
By default, no PSO is created. You have to create a PSO

Right click on PSC and create a PSO Object

Give a name to the new PSO that you are creating

All the settings that are required to create a PSO are defined in the following link:

msDS-PasswordSettingsPrecedence: You can create multiple PSOs. A PSO has to be linked with a User or a Security Group, and you can link multiple PSOs with a User/Group. The question then arises: if multiple PSOs are linked to a User/Group, which PSO will take effect? The answer lies in the value of msDS-PasswordSettingsPrecedence defined in each PSO.

msDS-PasswordReversibleEncryptionEnabled : Password reversible encryption status for user accounts

msDS-PasswordHistoryLength : Password History Length for user accounts

msDS-PasswordComplexityEnabled : Password complexity status for user accounts

msDS-MinimumPasswordLength : Minimum Password Length for user accounts

msDS-MinimumPasswordAge : Minimum Password Age for user accounts

msDS-MaximumPasswordAge : Maximum Password Age for user accounts

msDS-LockoutThreshold : Lockout threshold for lockout of user accounts

msDS-LockoutObservationWindow : Observation Window for lockout of user accounts

msDS-LockoutDuration : Lockout duration for locked out user accounts

msDS-PSOAppliesTo : Links to objects that this password settings object applies to (User/Group)

ms-DS-Resultant-PSO : This displays the winning PSO that will be applied to this object when multiple PSOs are configured that reach this user, either directly or through a group that the user is a member of
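
How msDS-PasswordSettingsPrecedence and ms-DS-Resultant-PSO fit together, as an added example that is not part of the original post: a Python model of the resolution rules Active Directory documents (a PSO linked directly to the user beats any PSO reached through a group, the lowest precedence value wins among the candidates, and equal values are broken by the smaller objectGUID). The PSO names, users, groups and GUIDs are constructed sample data, and `resultant_pso` is a hypothetical helper, not a directory API.

```python
from dataclasses import dataclass
from uuid import UUID


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int        # msDS-PasswordSettingsPrecedence
    guid: UUID             # objectGUID, used only to break precedence ties
    applies_to: frozenset  # msDS-PSOAppliesTo, simplified here to user/group names


def resultant_pso(user, groups, psos):
    """Model of ms-DS-Resultant-PSO; None means the Default Domain Policy applies."""
    def rank(pso):
        # Lower precedence value wins; the smaller GUID breaks a tie.
        return (pso.precedence, pso.guid.int)

    # PSOs linked directly to the user always beat group-linked PSOs,
    # whatever their precedence values are.
    direct = [p for p in psos if user in p.applies_to]
    if direct:
        return min(direct, key=rank)

    # Otherwise every PSO linked to a group the user belongs to is a candidate
    # (assumption: `groups` already holds the user's global security groups).
    via_group = [p for p in psos if p.applies_to & set(groups)]
    return min(via_group, key=rank) if via_group else None


# Constructed sample data (hypothetical names, not from the original post).
SAMPLE_PSOS = [
    PSO("Admins-PSO", 10, UUID(int=3), frozenset({"Domain Admins"})),
    PSO("Helpdesk-PSO", 5, UUID(int=2), frozenset({"Helpdesk"})),
    PSO("Helpdesk-Dup-PSO", 5, UUID(int=9), frozenset({"Helpdesk"})),
    PSO("Service-PSO", 20, UUID(int=1), frozenset({"svc-backup"})),
]

if __name__ == "__main__":
    cases = [
        ("svc-backup", ["Helpdesk"]),               # direct link beats group link
        ("alice", ["Domain Admins", "Helpdesk"]),   # lowest precedence, then GUID
        ("bob", []),                                # no PSO applies
    ]
    for user, groups in cases:
        winner = resultant_pso(user, groups, SAMPLE_PSOS)
        print(user, "->", winner.name if winner else "Default Domain Policy")
```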