Solved

Do any guides exist to implement "fine grained password policy" on Windows Server 2008?

Posted on 2014-10-02
Last Modified: 2014-10-21
My organization would like to implement Fine Grained Password Policy on its Domain Controllers. I recently ran the command New-ADFineGrainedPasswordPolicy in the Active Directory PowerShell application. I received an error that I don't understand, and I can't find any explanation for it in the ADFineGrainedPasswordPolicy help. The error is:
New-ADFineGrainedPasswordPolicy : The modification was not permitted for security reasons
At line:1 char:1
+ New-ADFineGrainedPasswordPolicy -Name "TestUsersOU_PSO" -Precedence 500 -Complex ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=TestUsersOU_...abacares,DC=org:String) [New-ADFineGrainedPasswordPolicy], ADException
    + FullyQualifiedErrorId : The modification was not permitted for security reasons, Microsoft.ActiveDirectory.Management.Commands.NewADFineGrainedPasswordPolicy

This error makes me think that I need to check on prerequisites, but I don't know what they are or how to verify their status.
Question by:frabus
LVL 7

Accepted Solution

by:
George Simos earned 2000 total points
ID: 40358319
Hi,

It appears to me that the PowerShell error you get denotes that the account you are using for this action is not delegated to perform it (New-ADFineGrainedPasswordPolicy). By default only members of the "Domain Admins" group have this right. Have you tried running your PowerShell as "Administrator", or "Run As" a domain admin?

Here is a list of sources to read to proceed further with your implementation; read the first one for the prerequisites:

Official Technet Help: AD DS: Fine-Grained Password Policies

Author Comment

by:frabus
ID: 40360313
Hi George, thanks for the suggestion. The reported error was received when executing the command from a Windows 7 client machine equipped with the Administrative Tools pack. I received the error even when I logged on to AD PowerShell as an administrator. But your answer made me think that I should try opening the AD PowerShell as an administrator while logged on to the Domain Server. I did that, and I got a different error to the same command:
New-ADFineGrainedPasswordPolicy : The modification was not permitted for security reasons
At line:1 char:32
+ New-ADFineGrainedPasswordPolicy <<<<  -Name "TestUsersOU_PSO" -Precedence 500 -ComplexityEnabled $true -Description "The Password Policy for members of Test UsersOU_Users" -DisplayName "TestUsersOU_PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10 -MaxPasswordAge "0.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 8 -PasswordHistoryCount24 -ReversibleEncryptionEnabled $false
    + CategoryInfo          : NotSpecified: (CN=TestUsersOU_...abacares,DC=org:String) [New-ADFineGrainedPasswordPolicy], ADException
    + FullyQualifiedErrorId : The modification was not permitted for security reasons,Microsoft.ActiveDirectory.Management.Commands.NewADFineGrainedPasswordPolicy

It just so happens that the 32nd character is the - before Name. So I am suspicious that I need to do something prior to executing this command. Any suggestions?
LVL 7

Expert Comment

by:George Simos
ID: 40364929
Hello,

Please post the command you are typing in PowerShell so I can test it further.
LVL 7

Expert Comment

by:George Simos
ID: 40364960
Hi again!

I saw the errors again and observed that the "MaxPasswordAge" flag is "0"; this is not acceptable to ADS and you should change it to something higher (the default age in ADS is 42 days). The best practice is 90 days, but this is adjusted according to your environment.
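The thread raises two separate points without showing how to check either: the accepted answer says the account must be a Domain Admin (and the session run elevated), and the later comment points at the MaxPasswordAge of zero in the posted command. The following PowerShell is an added example, not code from the thread or from Microsoft's documentation: it checks the domain functional level and Domain Admins membership before calling the cmdlet, rejects a MaxPasswordAge that is not longer than MinPasswordAge, creates the PSO with the other values from the posted command, and links it to a group. The group name 'TestUsersOU_Users', the user 'jdoe' and the 42-day maximum age are assumed placeholders; a PSO is linked to users or global security groups, not to an OU, so the OU in the original name is only a naming convention here. The thread does not record how the question was finally resolved, so the max-versus-min check is George's diagnosis made explicit, not a confirmed root cause.

```powershell
# Added example (not from the thread): prerequisite checks for creating a
# fine-grained password policy, then a PSO with a validated age pair.
# Assumptions: 'TestUsersOU_Users' (global security group) and 'jdoe' (a member
# of that group) are placeholders; other values follow the command in the thread.
Import-Module ActiveDirectory

function Test-PsoPrerequisites {
    $domain = Get-ADDomain

    # 1. PSOs require at least the Windows Server 2008 domain functional level.
    $required = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    if ([int]$domain.DomainMode -lt [int]$required) {
        throw "Domain functional level is $($domain.DomainMode); Windows2008Domain or higher is required."
    }

    # 2. By default only Domain Admins may create objects in the Password Settings Container.
    #    Run this in an elevated ("Run as administrator") session: under UAC the filtered
    #    token marks the Domain Admins group deny-only and IsInRole() returns $false.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $daSid = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $domain.DomainSID)
    if (-not $principal.IsInRole($daSid)) {
        throw "$($identity.Name) is not a Domain Admin in this token (not a member, or session not elevated)."
    }
    Write-Host "Prerequisites OK for $($domain.DNSRoot) as $($identity.Name)"
}

function New-ValidatedPso {
    param(
        [string]$Name,
        [string]$Group,                                  # global security group the PSO applies to
        [TimeSpan]$MinAge = (New-TimeSpan -Days 1),
        [TimeSpan]$MaxAge = (New-TimeSpan -Days 42)      # assumed: domain default; 90 days is also common
    )
    # The posted command combined -MaxPasswordAge "0.00:00:00" with -MinPasswordAge "1.00:00:00".
    # Validate the pair locally so a bad combination is reported before the DC rejects the object.
    if ($MaxAge -le $MinAge) {
        throw "MaxPasswordAge ($MaxAge) must be greater than MinPasswordAge ($MinAge)."
    }

    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 500 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 8 -PasswordHistoryCount 24 `
        -MinPasswordAge $MinAge -MaxPasswordAge $MaxAge `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
        -LockoutDuration (New-TimeSpan -Hours 12) `
        -DisplayName $Name -Description "Password policy for members of $Group"

    # Link the PSO to the group; members receive it through the resultant-policy calculation.
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
}

Test-PsoPrerequisites
New-ValidatedPso -Name 'TestUsersOU_PSO' -Group 'TestUsersOU_Users'

# Confirm that a member of the group actually resolves to the new PSO
# (when several PSOs apply, the lowest Precedence value wins).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordAge, MaxPasswordAge
```

Run it from an elevated Active Directory Module for Windows PowerShell session as a Domain Admin, either on a domain controller or on a client with RSAT installed as in the thread. The final Get-ADUserResultantPasswordPolicy call is the check that the policy is really in effect for its intended members; a PSO that exists but is linked to nothing, or is shadowed by one with a lower Precedence, silently leaves the domain default policy in force.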
LVL 7

Expert Comment

by:George Simos
ID: 40380754
Any progress with your issue yet?
LVL 7

Expert Comment

by:George Simos
ID: 40395452
Hi Frabus,

Thanks for accepting my answer, would you mind sharing some details about the resolution of your issue please?

With regards