Active Directory management & automation

Manage Fine-Grained Password Policies

Starting with Windows Server 2008, it is possible to define different password and account lockout policies for different sets of users in Active Directory. In Windows Server 2000 and Windows Server 2003 Active Directory domains, only one password policy and account lockout policy can be applied to all users in the domain.

To view or raise the domain functional level:
  • launch Adaxes Administration Console,
  • right-click the domain you need,
  • point to All Tasks,
  • click Raise Domain Functional Level.

Fine-grained password policies enable you to define multiple password and account lockout policies within a domain. This capability allows you to apply different levels of security to different users and groups. For example, you can apply strict policies to privileged users (such as administrators and help desk personnel) and less severe policies to other users.

In this tutorial, you will learn how to configure and manage Fine-Grained Password Policies using Adaxes.

1 Launch Adaxes Administration Console, right-click the domain for which you want to configure fine-grained password policies, point to All Tasks, and select Configure Password Policies from the context menu.

Launch the Configure Password Policies dialog

2 The Password Policies dialog displays an overview of the password policies currently defined in the domain.

The Password Policies dialog

Using this dialog, you can also view and modify the Default Domain Password Policy that is normally configured in the Default Domain Policy GPO.

3 To define a new password policy:

  • Click the New button located under the Password policies list.
  • In the New Password Policy dialog that opens, type a name for the new password policy and specify necessary password and account lockout settings.
  • Click OK.

Add new Password Policy

  • Click the Add button located under the Applies to list to apply the new password policy to users and groups you need.
  • Select the users and groups you need.
  • Click OK.

Assign the new password policy

Fine-grained password policies can be applied to global security groups, users and InetOrgPersons only.

4 To change the precedence order of a password policy, select the policy in the Password policies list and use the Move Up and Move Down buttons.

Change the precedence order

If two or more password policies are applied to the same user, the user will be affected by the password policy with the higher precedence.

5 To view all users affected by a password policy, select the password policy you need and click the Show All Affected Users button located under the Applies to list.

View users affected by a password policy

If the Affected Users dialog doesn't display some users the selected password policy applies to, it means that they are affected by another password policy with a higher precedence.

6 To view the password policy effective for a specific user, click Lookup Policy for User. In the Select User dialog, select the user you need and click OK. The password policy effective for the selected user will be highlighted.

View the password policy effective for a specific user

Alternatively, to view the password policy effective for a user (not using the Password Policies dialog), do the following:

  • Right-click the user you need and click Properties.
  • Select the Account tab.
  • In the Password section, click Password Policy.

The View Password Policy dialog will display Password Policy restrictions effective for the selected user.

View the password policy effective for a specific user using the Properties dialog
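
To cross-check steps 5 and 6 outside the console, the following added example (not part of the original tutorial or of Adaxes) uses the Microsoft ActiveDirectory PowerShell module to report the password policy effective for every member of a privileged group. The group name and the two baseline values are assumptions; adjust them to your own standard.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audit which password policy privileged users actually receive.
param(
    [string[]]$PrivilegedGroups = @('Domain Admins'),  # assumed group to audit
    [int]$RequiredMinLength = 14                       # assumed baseline length
)

# Used for users that no fine-grained policy applies to.
$default = Get-ADDefaultDomainPasswordPolicy

$report = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            # Returns the fine-grained policy that wins on precedence, or
            # nothing when the user falls back to the default domain policy.
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_.distinguishedName
            $effective = if ($pso) { $pso } else { $default }

            [pscustomobject]@{
                Group            = $group
                User             = $_.SamAccountName
                Policy           = if ($pso) { $pso.Name } else { 'Default Domain Password Policy' }
                Precedence       = if ($pso) { $pso.Precedence } else { $null }
                MinLength        = $effective.MinPasswordLength
                LockoutThreshold = $effective.LockoutThreshold
                # Assumed baseline: long enough password and lockout enabled
                # (a LockoutThreshold of 0 means accounts are never locked out).
                Compliant        = ($effective.MinPasswordLength -ge $RequiredMinLength) -and
                                   ($effective.LockoutThreshold -gt 0)
            }
        }
}

# Non-compliant accounts sort first.
$report | Sort-Object Compliant, Group, User | Format-Table -AutoSize
```

A privileged account listed with the default domain policy, or with a policy other than the strict one you assigned, indicates a missing assignment or another policy taking precedence.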
