Solved

Do any guides exist to implement "fine grained password policy" on Windows Server 2008?

Posted on 2014-10-02
6
594 Views
Last Modified: 2014-10-21
My organization would like to implement Fine Grained Password Policy on its Domain Controllers.  I recently ran the command  New-ADFineGrainedPasswordPolicy in the Active Directory Powershell application. I received an error that I don't understand, and I can't find any explanation for it in the ADFineGrainedPasswordPolicy help.  The error is
New-ADFineGrainedPasswordPolicy : The modification was not permitted for security reasons
At line:1 char:1
+ New-ADFineGrainedPasswordPolicy -Name "TestUsersOU_PSO" -Precedence 500 -Complex ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=TestUsersOU_...abacares,DC=org:String) [New-ADFineGrainedPasswordPolicy], ADException
    + FullyQualifiedErrorId : The modification was not permitted for security reasons, Microsoft.ActiveDirectory.Management.Commands.NewADFineGrainedPasswordPolicy

This error makes me think that I need to check on prerequisites, but I don't know what they are or how to verify their status.
0
Comment
Question by:frabus
6 Comments
 
LVL 7

Accepted Solution

by:
George Simos earned 500 total points
ID: 40358319
Hi,

It appears to me that the PowerShell error you get denotes that the account you are using for this action is not delegated to do this action (New-ADFineGrainedPasswordPolicy); by default only members of the "Domain Admins" group have this right. Have you tried running your PowerShell as "Administrator" or "Run As" a domain admin?

Here is a list of sources to read to proceed further with your implementation; read the first one for the prerequisites:

Official Technet Help: AD DS: Fine-Grained Password Policies
0
 

Author Comment

by:frabus
ID: 40360313
Hi George, thanks for the suggestion. The reported error was received when executing the command from a Windows 7 client machine equipped with the Administrative Tools pack. I received the error even when I logged on to AD PowerShell as an administrator. But your answer made me think that I should try opening the AD PowerShell as an administrator while logged on to the Domain Server. I did that, and I got a different error to the same command:
New-ADFineGrainedPasswordPolicy : The modification was not permitted for security reasons
At line:1 char:32
+ New-ADFineGrainedPasswordPolicy <<<<  -Name "TestUsersOU_PSO" -Precedence 500 -ComplexityEnabled $true -Description "The Password Policy for members of Test UsersOU_Users" -DisplayName "TestUsersOU_PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10 -MaxPasswordAge "0.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 8 -PasswordHistoryCount24 -ReversibleEncryptionEnabled $false
    + CategoryInfo          : NotSpecified: (CN=TestUsersOU_...abacares,DC=org:String) [New-ADFineGrainedPasswordPolicy], ADException
    + FullyQualifiedErrorId : The modification was not permitted for security reasons,Microsoft.ActiveDirectory.Management.Commands.NewADFineGrainedPasswordPolicy

It just so happens that the 32nd character is the - before Name. So I am suspicious that I need to do something prior to executing this command. Any suggestions?
0
 
LVL 7

Expert Comment

by:George Simos
ID: 40364929
Hello,

Please post the command you are typing in PowerShell so I can test it further.
0
 
LVL 7

Expert Comment

by:George Simos
ID: 40364960
Hi again!

I saw the errors again and observed that the "MaxPasswordAge" flag is "0"; this is not acceptable to ADS and you should change it to something higher (the default age in ADS is 42 days). The best practice is 90 days, but this is adjusted according to your environment.
0
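As an added example (not code from this thread or from Microsoft), the following PowerShell checks the prerequisites the comments above point at (domain functional level, Domain Admins membership, MaxPasswordAge greater than MinPasswordAge, a unique precedence) before creating and applying the PSO from the question; the target group name TestUsersOU_Users is assumed.

```powershell
# Added example (not from this thread): preflight checks for the errors discussed above,
# followed by the question's New-ADFineGrainedPasswordPolicy call with MaxPasswordAge corrected.
Import-Module ActiveDirectory

$psoName    = "TestUsersOU_PSO"
$groupName  = "TestUsersOU_Users"   # assumed global security group; adjust to your environment
$precedence = 500
$minAge     = [TimeSpan]::FromDays(1)
$maxAge     = [TimeSpan]::FromDays(42)  # AD default; the 0-day value in the posted command is rejected

# 1. PSOs require the Windows Server 2008 domain functional level or higher.
$domain = Get-ADDomain
if (@('Windows2000Domain','Windows2003InterimDomain','Windows2003Domain') -contains "$($domain.DomainMode)") {
    throw "Domain functional level $($domain.DomainMode) is too low for fine-grained password policies."
}

# 2. By default only Domain Admins may create PSOs (the first error in the thread).
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | ForEach-Object { $_.SamAccountName }
if ($domainAdmins -notcontains $env:USERNAME) {
    throw "$env:USERNAME is not a member of Domain Admins; run as a domain admin."
}

# 3. Minimum age must be below maximum age; the posted command had max = 0 days and min = 1 day.
if ($minAge -ge $maxAge) {
    throw "MinPasswordAge ($minAge) must be less than MaxPasswordAge ($maxAge)."
}

# 4. Precedence should be unique; the lowest value wins when several PSOs apply to a user.
$clash = Get-ADFineGrainedPasswordPolicy -Filter "Precedence -eq $precedence"
if ($clash) { Write-Warning "PSO '$($clash.Name)' already uses precedence $precedence." }

# 5. Create the policy with the thread's settings, MaxPasswordAge corrected.
New-ADFineGrainedPasswordPolicy -Name $psoName -DisplayName $psoName -Precedence $precedence `
    -Description "Password policy for members of $groupName" `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 8 -PasswordHistoryCount 24 `
    -MinPasswordAge $minAge -MaxPasswordAge $maxAge `
    -LockoutThreshold 10 -LockoutObservationWindow ([TimeSpan]::FromMinutes(15)) `
    -LockoutDuration ([TimeSpan]::FromHours(12))

# 6. A PSO has no effect until it is applied to a global security group or user.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# 7. Confirm the resultant policy for one user in the group.
$user = Get-ADGroupMember -Identity $groupName | Where-Object { $_.objectClass -eq 'user' } | Select-Object -First 1
if ($user) { Get-ADUserResultantPasswordPolicy -Identity $user.SamAccountName }
```

Run it in an elevated Active Directory PowerShell session on a domain controller, as the accepted answer suggests; the precedence check only warns because duplicate precedence is allowed but makes the effective policy hard to predict.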
 
LVL 7

Expert Comment

by:George Simos
ID: 40380754
Any progress with your issue yet?
0
 
LVL 7

Expert Comment

by:George Simos
ID: 40395452
Hi Frabus,

Thanks for accepting my answer; would you mind sharing some details about the resolution of your issue, please?

With regards
0
