[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


Server 2012 Password Policy

Posted on 2014-01-11
Medium Priority
Last Modified: 2014-01-16
Hi There.....

I look after a server in our Melbourne office (Windows 2012 Server), it is mainly accessed by RDP clients from around Asia Pacific.

The business is owned by a US company and they want me to implement password policies:

•	10 Characters
•	Complexity (3 of 4) Upper/Lower/Spec/Symbol
•	Not part of the username
•	No dictionary words
•	Changed min of every 90 days/max 1 in 24 hours
•	Locked after 5 for 1 hour
•	Cannot be the same a 5 previous

First I used "Group Policy Management Editor" and changed settings below:
GPO Password settings
I tested a user account and sure enough it asked to change password and seemed to work. I was a little worries about using GPO and Default Domain Policy to do this as I have application accounts which I do not want GPO to apply too. One of our apps run with escalated privileges and I have created an account for this app and do not want to change password for it.

While I was googling around I realized I can use a thing called "Fine-Grained Password Policy" - Seemed like a greta little solution so I undid the changes to GPO

Fine Grained didn't seem to work, I created a Global Security group and added a couple of users to it and applied the following settings to that group:
AD Password Setting Container
By this stage I was getting a bit confused and wanted to start again, so I deleted the Password setting container and made sure no setting existed in GPO:
Blank GPO
When I now go in to AD and select a user and make them change their password on next logon it still applies password complexity, not sure where it's getting this from? I have run "gpresult /Z" from the user account and definitely nothing about password settings!!! grrrr!

what is the best way for me to do this on Windows Server 2012? basically want to apply the rules above only to users, basically excluding 1 or 2 accounts which will be used as a service account for applications to use to run in elevated mode.
Question by:Ergs
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 23

Assisted Solution

by:Patrick Bogers
Patrick Bogers earned 750 total points
ID: 39774595

As a good design i would have seperate OU's for workstations, laptops and servers.
This way you could write the GPO, bind it to the workstations OU and it would only affect users on these workstations, the apps you want unchanged (which you can do in AD by setting the option password never expires) can live in the e.g. servers OU.

That workstation recognize gpresults doesnt tell you the Local Security Policy is changed, by running GPUPDATE /FORCE you update local policy with group policy but still you can check the local security policy on the workstation.

Hope this helps.
LVL 53

Accepted Solution

Will Szymkowski earned 750 total points
ID: 39774625
When you are working with Password policies you only need to use Fine Grainded Password Policies when you want to have multiple "different" password policies. If the new policy is being set for the entire domain, i would suggest that you modify the "Default Domain Policy" and apply it to the objects in AD.

As for your "service accounts" within Active Directory I would have all of these accounts in a particular OU called Special Accounts or Services Accounts (something meaningful) and from there you can Either do 2 of the following things, Blocked Inheritance or Set all accounts in the OU to have Password not Expire. Personally I would just set all of the services accounts to not expire and they will not be affected by the password expire policy of the Default Domain Policy.

For your current Fine Grained Password Policy you can use the following commands to get find and remove the current policies...

Find Fine Grained Password Policies (displays all FGPP)
Get-ADFindGrainedPasswordPolicy -Filter *

Open in new window

Remove Find Grained Password Policies (remove all or some password policies)
Remove-ADFindGrainedPasswordPolicy -Identity <distinguished name>

Open in new window

With that said, once you have removed the FGPP I would set the new policy at the default domain level.


Author Comment

ID: 39775406
Thanks for the info Will..... where do I enter the commands? (tried command prompt & power shell)
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39775454
You need you import the module first for active directory.

Import-module activedirectory

Then run the above commands.

LVL 56

Expert Comment

ID: 39777640
What is still left unsaid is that if you are really trying to disallow dictionary words, then all built-in policies fail. Microsoft has not implemented this. Think of a pw "ScoobyDoo1" - this is weak but not stopped by any of your settings!

So as usual I recommend the software password policy enforcer by anixis. Simple and worth the money.

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question