04 December, 2010

How to Configure Fine Grained Password Policy (FGPP)

Fine Grained Password Policy (FGPP)

Before reading this post on how to configure FGPP, I would recommend reading the following post first:

Fined Grained Password Policy - Concept
http://www.adshotgyan.com/2010/12/fined-grained-password-policy-concept.html

Let's start with the lab on FGPP. FGPP can, and has to, be configured using ADSIEDIT.MSC only.

FGPP consists of two parts:
1. PSC - Password Settings Container
2. PSO - Password Settings Object

PSC: A container which holds PSOs
PSO: An object that contains all the settings of a password policy

By default, the PSC is already created under Domain Partition -> System -> Password Settings Container.
By default, there is no PSO created; you have to create one.

Right-click the PSC and create a new PSO object.

Give the new PSO a name.

All the settings that are required to create a PSO are defined at the following link:
http://technet.microsoft.com/en-us/library/cc754461(WS.10).aspx

msDS-PasswordSettingsPrecedence : You can create multiple PSOs. A PSO has to be linked to a user or a security group, and you can link multiple PSOs to the same user or group. The question then arises: if I have linked multiple PSOs to a user or group, which PSO takes effect? The answer lies in the value of msDS-PasswordSettingsPrecedence defined in each PSO.

msDS-PasswordReversibleEncryptionEnabled : Password reversible encryption status for user accounts
msDS-PasswordHistoryLength : Password history length for user accounts
msDS-PasswordComplexityEnabled : Password complexity status for user accounts
msDS-MinimumPasswordLength : Minimum password length for user accounts
msDS-MinimumPasswordAge : Minimum password age for user accounts
msDS-MaximumPasswordAge : Maximum password age for user accounts
msDS-LockoutThreshold : Lockout threshold for user accounts
msDS-LockoutObservationWindow : Observation window for lockout of user accounts
msDS-LockoutDuration : Lockout duration for locked-out user accounts
msDS-PSOAppliesTo : Links to the objects (users or groups) that this password settings object applies to
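The attributes above are exactly what you type into ADSI Edit, and the part that trips people up is the value format: the age and lockout attributes are stored as I8 values, a negative count of 100-nanosecond intervals (one day is -864000000000). As an added example that is not part of the original post, the Python below builds an LDIF file for one PSO from human-readable settings, checks the constraints AD enforces (minimum age below maximum age, observation window not longer than lockout duration, value ranges), and emits the same attributes in a form that ldifde -i -f <file> can import. The domain DN, PSO name and group DN are constructed sample values.

```python
"""Build an LDIF file that creates a PSO under the Password Settings Container.

Added example; the domain DN, PSO name and target group DN used below are
constructed sample values, not taken from the original post.
"""
import re
from datetime import timedelta

# AD stores the age/lockout attributes as I8: a negative number of
# 100-nanosecond intervals, e.g. 1 day = -864000000000.
TICKS_PER_SECOND = 10_000_000
# 0x8000000000000000 read as a signed I8 means "password never expires".
NEVER_EXPIRES = -(1 << 63)


def to_i8_interval(delta):
    """Convert a non-negative timedelta into the negative I8 tick count AD expects."""
    if delta < timedelta(0):
        raise ValueError("intervals cannot be negative")
    ticks = (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10
    return -ticks


def escape_rdn_value(value):
    """Escape the characters RFC 4514 does not allow unescaped in an RDN value."""
    escaped = re.sub(r'([,+"\\<>;=])', r'\\\1', value)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def build_pso_ldif(name, domain_dn, precedence, applies_to=(),
                   min_length=14, history_length=24, complexity=True,
                   reversible=False, min_age=timedelta(days=1),
                   max_age=timedelta(days=42), lockout_threshold=5,
                   lockout_window=timedelta(minutes=30),
                   lockout_duration=timedelta(minutes=30)):
    """Return LDIF text creating one msDS-PasswordSettings object.

    max_age=None writes the "never expires" sentinel. All ten settings
    attributes are mandatory on the object class, so all are always emitted.
    """
    if precedence < 1:
        raise ValueError("msDS-PasswordSettingsPrecedence must be a positive integer")
    if not 0 <= min_length <= 255:
        raise ValueError("msDS-MinimumPasswordLength must be between 0 and 255")
    if not 0 <= history_length <= 1024:
        raise ValueError("msDS-PasswordHistoryLength must be between 0 and 1024")
    if not 0 <= lockout_threshold <= 65535:
        raise ValueError("msDS-LockoutThreshold must be between 0 and 65535")
    if max_age is not None and min_age >= max_age:
        raise ValueError("minimum password age must be lower than maximum password age")
    if lockout_window > lockout_duration:
        raise ValueError("lockout observation window cannot exceed lockout duration")

    pso_dn = (f"CN={escape_rdn_value(name)},"
              f"CN=Password Settings Container,CN=System,{domain_dn}")
    max_age_value = NEVER_EXPIRES if max_age is None else to_i8_interval(max_age)
    attributes = [
        ("msDS-PasswordSettingsPrecedence", str(precedence)),
        ("msDS-PasswordReversibleEncryptionEnabled", "TRUE" if reversible else "FALSE"),
        ("msDS-PasswordHistoryLength", str(history_length)),
        ("msDS-PasswordComplexityEnabled", "TRUE" if complexity else "FALSE"),
        ("msDS-MinimumPasswordLength", str(min_length)),
        ("msDS-MinimumPasswordAge", str(to_i8_interval(min_age))),
        ("msDS-MaximumPasswordAge", str(max_age_value)),
        ("msDS-LockoutThreshold", str(lockout_threshold)),
        ("msDS-LockoutObservationWindow", str(to_i8_interval(lockout_window))),
        ("msDS-LockoutDuration", str(to_i8_interval(lockout_duration))),
    ]
    lines = [f"dn: {pso_dn}", "changetype: add", "objectClass: msDS-PasswordSettings"]
    lines += [f"{attr}: {value}" for attr, value in attributes]
    # One msDS-PSOAppliesTo line per linked user or group DN.
    lines += [f"msDS-PSOAppliesTo: {target}" for target in applies_to]
    return "\n".join(lines) + "\n"


# Constructed sample: a stricter policy for Domain Admins (42-day maximum age).
SAMPLE_LDIF = build_pso_ldif(
    "Admins-PSO", "DC=example,DC=test", precedence=10,
    applies_to=["CN=Domain Admins,CN=Users,DC=example,DC=test"])

if __name__ == "__main__":
    print(SAMPLE_LDIF, end="")
```

The validation mirrors what ADSI Edit will otherwise reject at save time with an unhelpful constraint error; generating the file once and importing it with ldifde also leaves you with a reviewable record of the policy values.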

ms-DS-Resultant-PSO : This displays the winning PSO that will be applied to this object when multiple PSOs are configured that apply to this user, either directly or through a group the user is a member of.
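As an added example that is not part of the original post, the Python below models the resolution that ms-DS-Resultant-PSO reports for a user: a PSO linked directly to the user beats any PSO linked through group membership, among candidates at the same level the lowest msDS-PasswordSettingsPrecedence wins, and equal precedence is broken by the smallest objectGUID; if nothing applies, the domain's default password policy is in force. The user, group DNs and GUIDs are constructed sample data, and the caller is assumed to pass the user's fully expanded (nested) group membership, which is what AD evaluates; comparing the GUIDs by their integer value is a simplification of AD's comparison.

```python
"""Model which PSO wins for a user, i.e. what ms-DS-Resultant-PSO shows.

Added example with constructed sample data; not code from the original post.
Assumes group_dns already contains the user's expanded (nested) group
membership, as AD evaluates it.
"""
from dataclasses import dataclass
from uuid import UUID


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int          # msDS-PasswordSettingsPrecedence (lower wins)
    object_guid: UUID        # objectGUID, used only as the tie-breaker
    applies_to: frozenset    # DNs listed in msDS-PSOAppliesTo


def _winner(candidates):
    """Lowest precedence wins; equal precedence falls back to the smallest GUID."""
    return min(candidates, key=lambda p: (p.precedence, p.object_guid.int), default=None)


def resultant_pso(user_dn, group_dns, psos):
    """Return the PSO that applies to the user, or None for the default domain policy."""
    direct = [p for p in psos if user_dn in p.applies_to]
    if direct:
        # A PSO linked to the user object itself always beats group-linked ones,
        # regardless of its precedence value.
        return _winner(direct)
    via_group = [p for p in psos if any(g in p.applies_to for g in group_dns)]
    return _winner(via_group)


def describe_resultant(user_dn, group_dns, psos):
    """Human-readable result, as you would read it off the object's attributes."""
    winner = resultant_pso(user_dn, group_dns, psos)
    return winner.name if winner else "Default Domain Policy"


# Constructed sample directory.
USER_DN = "CN=Alice,OU=Staff,DC=example,DC=test"
ADMINS = "CN=Domain Admins,CN=Users,DC=example,DC=test"
HELPDESK = "CN=Helpdesk,OU=Groups,DC=example,DC=test"
USER_GROUPS = [ADMINS, HELPDESK]

PSOS = [
    # Two group-linked PSOs with the same precedence: the GUID tie-break decides.
    PSO("Admins-PSO", 10, UUID("0a3c9f2e-5d1b-4c7e-8f2a-000000000002"), frozenset({ADMINS})),
    PSO("Helpdesk-PSO", 10, UUID("0a3c9f2e-5d1b-4c7e-8f2a-000000000001"), frozenset({HELPDESK})),
    # Linked directly to Alice; its higher precedence number does not matter.
    PSO("Alice-Exception", 50, UUID("0a3c9f2e-5d1b-4c7e-8f2a-000000000003"), frozenset({USER_DN})),
]

if __name__ == "__main__":
    print(describe_resultant(USER_DN, USER_GROUPS, PSOS))
    group_only = [p for p in PSOS if p.name != "Alice-Exception"]
    print(describe_resultant(USER_DN, USER_GROUPS, group_only))
```

The practical lesson is the one the attribute's description hints at: never trust the precedence numbers alone when troubleshooting a lockout or complexity complaint; read ms-DS-Resultant-PSO on the user object, because a direct link or a GUID tie-break can pick a PSO you did not expect.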