Solved

Do any guides exist to implement "fine grained password policy" on Windows Server 2008?

Posted on 2014-10-02
6
559 Views
Last Modified: 2014-10-21
My organization would like to implement Fine Grained Password Policy on its Domain Controllers.  I recently ran the command  New-ADFineGrainedPasswordPolicy in the Active Directory Powershell application. I received an error that I don't understand, and I can't find any explanation for it in the ADFineGrainedPasswordPolicy help.  The error is
New-ADFineGrainedPasswordPolicy : The modification was not permitted for security reasons
At line:1 char:1
+ New-ADFineGrainedPasswordPolicy -Name "TestUsersOU_PSO" -Precedence 500 -Complex ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=TestUsersOU_...abacares,DC=org:String) [New-ADFineGrainedPasswordPolicy], ADException
    + FullyQualifiedErrorId : The modification was not permitted for security reasons, Microsoft.ActiveDirectory.Management.Commands.NewADFineGrainedPasswordPolicy

This error makes me think that I need to check on prerequisites, but I don't know what they are or how to verify their status.
0
Question by:frabus
6 Comments
 
LVL 7

Accepted Solution

by:
George Simos earned 500 total points
ID: 40358319
Hi,

It appears to me that the PowerShell error you get denotes that the account you are using for this action is not delegated to do this action (New-ADFineGrainedPasswordPolicy). By default only members of the "Domain Admins" group have this right. Have you tried running your PowerShell as "Administrator" or "Run As" a domain admin?

Here is a list of sources to read so you can proceed further with your implementation; read the first one for the prerequisites:

Official Technet Help: AD DS: Fine-Grained Password Policies
0
 

Author Comment

by:frabus
ID: 40360313
Hi George,  Thanks for the suggestion.  The reported error was received when executing the command from a Windows 7 client machine equipped with the Administrative Tools pack.  I received the error even when I logged on to AD PowerShell as an administrator.  But your answer made me think that I should try opening the AD PowerShell as an administrator while logged on to the Domain Server.  I did that, and I got a different error to the same command:
New-ADFineGrainedPasswordPolicy : The modification was not permitted for security reasons
At line:1 char:32
+ New-ADFineGrainedPasswordPolicy <<<<  -Name "TestUsersOU_PSO" -Precedence 500 -ComplexityEnabled $true -Description "The Password Policy for members of Test UsersOU_Users" -DisplayName "TestUsersOU_PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10 -MaxPasswordAge "0.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 8 -PasswordHistoryCount24 -ReversibleEncryptionEnabled $false
    + CategoryInfo          : NotSpecified: (CN=TestUsersOU_...abacares,DC=org:String) [New-ADFineGrainedPasswordPolicy], ADException
    + FullyQualifiedErrorId : The modification was not permitted for security reasons,Microsoft.ActiveDirectory.Management.Commands.NewADFineGrainedPasswordPolicy

It just so happens that the 32nd character is the - before Name.  So I am suspicious that I need to do something prior to executing this command.  Any suggestions?
0
 
LVL 7

Expert Comment

by:George Simos
ID: 40364929
Hello,

Please post the command you are typing in PowerShell so I can test it further.
0
 
LVL 7

Expert Comment

by:George Simos
ID: 40364960
Hi again!

I saw the errors again and observed that the "MaxPasswordAge" flag is "0". This is not accepted by ADS, and you should change it to something higher (the default age in ADS is 42 days). The best practice is 90 days, but this is adjusted according to your environment.
0
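As an added example (not part of this thread, and not the original poster's script), the PowerShell below checks the two prerequisites raised in the comments above before creating the PSO: the domain functional level (fine-grained password policies need the domain at Windows Server 2008 level or higher) and Domain Admins membership of the running account. It then creates the policy with the same values as the original command but with a 90-day MaxPasswordAge, since the directory rejects a PSO whose minimum password age is not shorter than its maximum, which is exactly what a MaxPasswordAge of 0 combined with a MinPasswordAge of 1 day produces. The group name "TestUsersOU_Users" and the user "jdoe" are constructed placeholders; a PSO only takes effect for users and global security groups explicitly linked to it, so the last steps link the group and verify the resultant policy for one member.

```powershell
# Added example, not from the thread. The group 'TestUsersOU_Users' and the
# user 'jdoe' are constructed placeholders; substitute your own objects.
Import-Module ActiveDirectory

# 1. Prerequisite: fine-grained password policies require the Windows Server 2008
#    domain functional level or higher (the domain level, not only the forest).
$domain = Get-ADDomain
if ($domain.DomainMode -match 'Windows2000|Windows2003') {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2008 or higher before creating PSOs."
}

# 2. Prerequisite: by default only Domain Admins can create objects in the
#    Password Settings Container. Check the current account, including nested membership.
$isDomainAdmin = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.SamAccountName -eq $env:USERNAME }
if (-not $isDomainAdmin) {
    Write-Warning "$env:USERNAME is not a member of Domain Admins; creating the PSO will probably be refused."
}

# 3. Create the PSO. The values must be internally consistent: MinPasswordAge
#    has to be shorter than MaxPasswordAge, so MaxPasswordAge is set to 90 days
#    here instead of the 0 used in the original command.
$psoName = 'TestUsersOU_PSO'
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -DisplayName $psoName `
    -Description 'Password policy for members of TestUsersOU_Users' `
    -Precedence 500 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 8 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 10 `
    -LockoutObservationWindow '0.00:15:00' `
    -LockoutDuration '0.12:00:00'

# 4. A PSO applies only to the users and global security groups linked to it.
#    Link the (constructed) group, then show the policy and its subjects.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'TestUsersOU_Users'

Get-ADFineGrainedPasswordPolicy -Identity $psoName |
    Select-Object Name, Precedence, MinPasswordAge, MaxPasswordAge, AppliesTo

# 5. Verify the resultant policy for one member of the group. If several PSOs
#    apply, the one with the lowest Precedence value wins.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' | Select-Object Name, Precedence
```

Run this in an elevated Active Directory PowerShell session on a domain controller, or from a RSAT workstation, as an account that is a member of Domain Admins; the lockout settings and ages are TimeSpan values in the "days.hours:minutes:seconds" form used in the original command.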
 
LVL 7

Expert Comment

by:George Simos
ID: 40380754
Any progress with your issue yet?
0
 
LVL 7

Expert Comment

by:George Simos
ID: 40395452
Hi Frabus,

Thanks for accepting my answer, would you mind sharing some details about the resolution of your issue please?

With regards
0
