

Server 2008 Granular Password Policy Issue

Posted on 2009-04-29
Medium Priority
Last Modified: 2012-05-06
I'm trying to set up a PSO that uses a separate set of password policies for certain users with higher security requirements.  I've followed the guide for doing this found here:  http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html

My environment contains 2 Windows Server 2003 DCs that share the FSMO roles, and another Windows Server 2008 DC that has the Global Catalog.  One of the Server 2003 (the Domain Naming and Schema Master) DCs is also a Global Catalog server.

I have created a PSO with the settings I want and applied it to the Group I want it to affect.  I confirmed that the group has the msDS-PSOApplied setting set pointing to my PSO as well as confirmed that the msDS-PSOAppliesTo setting on the PSO itself contains my group.  I also added a specific user account to the msDS-PSOAppliesTo setting and it still does not work.

When I log in as a user who is supposed to be getting these settings, I am still allowed to change my password to something with only 4 chars (minimum is 8 on my PSO).

Does anybody have any idea why this might not be working?  Thank you.

Question by:usom
LVL 57

Accepted Solution

Mike Kline earned 2000 total points
ID: 24263824
You have to be at Windows 2008 Domain Functional Level for fine-grained passwords to work.
For the fine-grained password and account lockout policies to function properly in a given domain, the domain functional level of that domain must be set to Windows Server 2008.

Author Comment

ID: 24264299
Ahhh!  I should have caught that.  I suppose there is no mixed mode that allows Server 2003 DCs?
LVL 57

Expert Comment

by:Mike Kline
ID: 24265005
Not for fine-grained passwords, but you are almost there.  
Just a few more DCs to go and you will be at W2K8 DFL...way ahead of many places.
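The checks the thread walks through (domain functional level, PSO link, resultant policy for a user) as a single diagnostic script. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module from RSAT (Windows Server 2008 R2 or later), an account allowed to read PSOs, and the placeholder names 'HighSecurityPSO' and 'jdoe'.

```powershell
# Added example, not from the original thread: diagnose why a PSO is not taking effect.
# Assumptions: ActiveDirectory module (RSAT, Server 2008 R2+), read access to the
# Password Settings Container, and placeholder names you replace with your own.
Import-Module ActiveDirectory

$psoName = 'HighSecurityPSO'   # placeholder PSO name
$user    = 'jdoe'              # placeholder sAMAccountName

# 1. PSOs are silently ignored below the Windows Server 2008 domain functional level.
$domain  = Get-ADDomain
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$minMode) {
    Write-Warning "Domain functional level is $($domain.DomainMode); PSOs will not apply until it is raised to $minMode."
    # List the DCs that must be upgraded or demoted before the DFL can be raised.
    Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -match '2003' } |
        Select-Object Name, OperatingSystem, IsGlobalCatalog
} else {
    "Domain functional level {0} supports fine-grained password policies." -f $domain.DomainMode
}

# 2. Confirm the PSO exists and what it is linked to (msDS-PSOAppliesTo).
$pso = Get-ADFineGrainedPasswordPolicy -Identity $psoName -Properties AppliesTo
"PSO '{0}': MinPasswordLength={1}, Precedence={2}" -f $pso.Name, $pso.MinPasswordLength, $pso.Precedence
"Linked to:"
$pso.AppliesTo | ForEach-Object { (Get-ADObject -Identity $_).Name }

# 3. Resultant PSO for the user. Nothing returned means the Default Domain Policy
#    applies: the DFL is too low, or the user is not a (nested) member of a linked group.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if ($resultant) {
    "Effective policy for {0}: {1} (MinPasswordLength={2})" -f $user, $resultant.Name, $resultant.MinPasswordLength
} else {
    $default = Get-ADDefaultDomainPasswordPolicy
    "No PSO applies to {0}; Default Domain Policy MinPasswordLength={1}" -f $user, $default.MinPasswordLength
}
```

Run it from an elevated PowerShell session on a management host; step 1 explains the symptom in this thread even when steps 2 and 3 look correct.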
