Avatar of Ergs
Ergs asked on

Server 2012 Password Policy

Hi There.....

I look after a server in our Melbourne office (Windows 2012 Server), it is mainly accessed by RDP clients from around Asia Pacific.

The business is owned by a US company and they want me to implement password policies:

•	10 Characters
•	Complexity (3 of 4) Upper/Lower/Spec/Symbol
•	Not part of the username
•	No dictionary words
•	Changed min of every 90 days/max 1 in 24 hours
•	Locked after 5 for 1 hour
•	Cannot be the same a 5 previous

First I used "Group Policy Management Editor" and changed settings below:
GPO Password settings
I tested a user account and sure enough it asked to change password and seemed to work. I was a little worries about using GPO and Default Domain Policy to do this as I have application accounts which I do not want GPO to apply too. One of our apps run with escalated privileges and I have created an account for this app and do not want to change password for it.

While I was googling around I realized I can use a thing called "Fine-Grained Password Policy" - Seemed like a greta little solution so I undid the changes to GPO

Fine Grained didn't seem to work, I created a Global Security group and added a couple of users to it and applied the following settings to that group:
AD Password Setting Container
By this stage I was getting a bit confused and wanted to start again, so I deleted the Password setting container and made sure no setting existed in GPO:
Blank GPO
When I now go in to AD and select a user and make them change their password on next logon it still applies password complexity, not sure where it's getting this from? I have run "gpresult /Z" from the user account and definitely nothing about password settings!!! grrrr!

what is the best way for me to do this on Windows Server 2012? basically want to apply the rules above only to users, basically excluding 1 or 2 accounts which will be used as a service account for applications to use to run in elevated mode.
Microsoft Legacy OSMicrosoft Server OSActive Directory

Avatar of undefined
Last Comment
McKnife

8/22/2022 - Mon
SOLUTION
Patrick Bogers

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER CERTIFIED SOLUTION
Will Szymkowski

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
Ergs

Thanks for the info Will..... where do I enter the commands? (tried command prompt & power shell)
Will Szymkowski

Powershell..
You need you import the module first for active directory.

Import-module activedirectory

Then run the above commands.

Will.
McKnife

What is still left unsaid is that if you are really trying to disallow dictionary words, then all built-in policies fail. Microsoft has not implemented this. Think of a pw "ScoobyDoo1" - this is weak but not stopped by any of your settings!

So as usual I recommend the software password policy enforcer by anixis. Simple and worth the money.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23