Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

Troubleshooting
Research
Professional Opinions
Ask a Question
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

troubleshooting Question

Server 2012 Password Policy

Avatar of Ergs
Ergs asked on
Active DirectoryMicrosoft Legacy OSMicrosoft Server OS
5 Comments1 Solution1239 ViewsLast Modified:
Hi There.....

I look after a server in our Melbourne office (Windows 2012 Server), it is mainly accessed by RDP clients from around Asia Pacific.

The business is owned by a US company and they want me to implement password policies:

•	10 Characters
•	Complexity (3 of 4) Upper/Lower/Spec/Symbol
•	Not part of the username
•	No dictionary words
•	Changed min of every 90 days/max 1 in 24 hours
•	Locked after 5 for 1 hour
•	Cannot be the same a 5 previous

First I used "Group Policy Management Editor" and changed settings below:
GPO Password settings
I tested a user account and sure enough it asked to change password and seemed to work. I was a little worries about using GPO and Default Domain Policy to do this as I have application accounts which I do not want GPO to apply too. One of our apps run with escalated privileges and I have created an account for this app and do not want to change password for it.

While I was googling around I realized I can use a thing called "Fine-Grained Password Policy" - Seemed like a greta little solution so I undid the changes to GPO

Fine Grained didn't seem to work, I created a Global Security group and added a couple of users to it and applied the following settings to that group:
AD Password Setting Container
By this stage I was getting a bit confused and wanted to start again, so I deleted the Password setting container and made sure no setting existed in GPO:
Blank GPO
When I now go in to AD and select a user and make them change their password on next logon it still applies password complexity, not sure where it's getting this from? I have run "gpresult /Z" from the user account and definitely nothing about password settings!!! grrrr!

what is the best way for me to do this on Windows Server 2012? basically want to apply the rules above only to users, basically excluding 1 or 2 accounts which will be used as a service account for applications to use to run in elevated mode.