Ergs

asked on

Server 2012 Password Policy

Hi There.....

I look after a server in our Melbourne office (Windows 2012 Server); it is mainly accessed by RDP clients from around Asia Pacific.

The business is owned by a US company and they want me to implement password policies:

•	10 Characters
•	Complexity (3 of 4) Upper/Lower/Spec/Symbol
•	Not part of the username
•	No dictionary words
•	Changed min of every 90 days/max 1 in 24 hours
•	Locked after 5 for 1 hour
•	Cannot be the same as 5 previous

First I used "Group Policy Management Editor" and changed settings below:
User generated image
I tested a user account and sure enough it asked to change password and seemed to work. I was a little worried about using GPO and Default Domain Policy to do this as I have application accounts which I do not want GPO to apply to. One of our apps runs with escalated privileges and I have created an account for this app and do not want to change password for it.

While I was googling around I realized I can use a thing called "Fine-Grained Password Policy" - seemed like a great little solution, so I undid the changes to GPO.

Fine Grained didn't seem to work. I created a Global Security group and added a couple of users to it and applied the following settings to that group:
User generated image
By this stage I was getting a bit confused and wanted to start again, so I deleted the Password setting container and made sure no setting existed in GPO:
User generated image
When I now go in to AD and select a user and make them change their password on next logon it still applies password complexity, not sure where it's getting this from? I have run "gpresult /Z" from the user account and definitely nothing about password settings!!! grrrr!

What is the best way for me to do this on Windows Server 2012? Basically I want to apply the rules above only to users, excluding 1 or 2 accounts which will be used as service accounts for applications to run in elevated mode.
SOLUTION
Patrick Bogers
ASKER CERTIFIED SOLUTION
Ergs

ASKER

Thanks for the info Will..... where do I enter the commands? (tried command prompt & power shell)
Powershell..
You need to import the module first for Active Directory.

Import-module activedirectory

Then run the above commands.

Will.
What is still left unsaid is that if you are really trying to disallow dictionary words, then all built-in policies fail. Microsoft has not implemented this. Think of a pw "ScoobyDoo1" - this is weak but not stopped by any of your settings!

So as usual I recommend the software Password Policy Enforcer by Anixis. Simple and worth the money.
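
The fine-grained password policy discussed in this thread, sketched in PowerShell as an added example (not part of the original posts, and not the commands from the accepted answer, which are not shown on this page). The policy name, group name, precedence, lockout observation window and sample account name are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on a domain controller
# or a machine with the AD DS RSAT tools installed.
Import-Module ActiveDirectory

$psoName   = 'StandardUsers-PSO'   # hypothetical policy name
$groupName = 'PSO-StandardUsers'   # hypothetical GLOBAL security group of normal users

# Password values stored on the domain itself. Accounts with no PSO get these,
# whatever the GPO editor currently shows for the Default Domain Policy.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge, PasswordHistoryCount

# The requirements from the question, expressed as a PSO.
$pso = @{
    Name                            = $psoName
    Precedence                      = 10                       # assumption; lowest number wins
    MinPasswordLength               = 10
    ComplexityEnabled               = $true                    # 3-of-4 classes, not part of username
    PasswordHistoryCount            = 5
    MaxPasswordAge                  = (New-TimeSpan -Days 90)
    MinPasswordAge                  = (New-TimeSpan -Days 1)   # max one change in 24 hours
    LockoutThreshold                = 5
    LockoutDuration                 = (New-TimeSpan -Hours 1)
    LockoutObservationWindow        = (New-TimeSpan -Hours 1)  # assumption; must not exceed LockoutDuration
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}

# Create the policy only if it does not exist yet, so the script can be re-run.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @pso
}

# PSOs apply to users and global security groups, not to OUs.
# Service accounts are excluded simply by not being members of this group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify per account: a group member returns the PSO; an account with no PSO
# returns nothing and falls back to the domain values printed at the top.
Get-ADUserResultantPasswordPolicy -Identity 'jsmith'   # hypothetical user name
```

None of these settings checks passwords against a dictionary, so the "no dictionary words" requirement is not covered by this policy.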