Solved

Do any guides exist to implement "fine grained password policy" on Windows Server 2008?

Posted on 2014-10-02
Last Modified: 2014-10-21
My organization would like to implement Fine Grained Password Policy on its Domain Controllers.  I recently ran the command  New-ADFineGrainedPasswordPolicy in the Active Directory Powershell application. I received an error that I don't understand, and I can't find any explanation for it in the ADFineGrainedPasswordPolicy help.  The error is
New-ADFineGrainedPasswordPolicy : The modification was not permitted for security reasons
At line:1 char:1
+ New-ADFineGrainedPasswordPolicy -Name "TestUsersOU_PSO" -Precedence 500 -Complex ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=TestUsersOU_...abacares,DC=org:String) [New-ADFineGrainedPasswordPolicy], ADException
    + FullyQualifiedErrorId : The modification was not permitted for security reasons, Microsoft.ActiveDirectory.Management.Commands.NewADFineGrainedPasswordPolicy

This error makes me think that I need to check on prerequisites, but I don't know what they are or how to verify their status.
Question by:frabus

Accepted Solution

by:
George Simos earned 2000 total points
ID: 40358319
Hi,

It appears to me that the PowerShell error you get denotes that the account you are using for this action is not delegated to do this action (New-ADFineGrainedPasswordPolicy). By default only members of the "Domain Admins" group have this right. Have you tried running your PowerShell as "Administrator" or "Run As" a domain admin?

Here is a list of sources to read to proceed further with your implementation; read the first one for the prerequisites:

Official Technet Help: AD DS: Fine-Grained Password Policies
 

Author Comment

by:frabus
ID: 40360313
Hi George,  Thanks for the suggestion.  The reported error was received when executing the command from a Windows 7 client machine equipped with the Administrative Tools pack.  I received the error even when I logged on to AD PowerShell as an administrator.  But your answer made me think that I should try opening the AD PowerShell as an administrator while logged on to the Domain Server.  I did that, and I got a different error to the same command:
New-ADFineGrainedPasswordPolicy : The modification was not permitted for security reasons
At line:1 char:32
+ New-ADFineGrainedPasswordPolicy <<<<  -Name "TestUsersOU_PSO" -Precedence 500 -ComplexityEnabled $true -Description "The Password Policy for members of Test UsersOU_Users" -DisplayName "TestUsersOU_PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10 -MaxPasswordAge "0.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 8 -PasswordHistoryCount24 -ReversibleEncryptionEnabled $false
    + CategoryInfo          : NotSpecified: (CN=TestUsersOU_...abacares,DC=org:String) [New-ADFineGrainedPasswordPolicy], ADException
    + FullyQualifiedErrorId : The modification was not permitted for security reasons,Microsoft.ActiveDirectory.Management.Commands.NewADFineGrainedPasswordPolicy

It just so happens that the 32nd character is the - before Name.  So I am suspicious that I need to do something prior to executing this command.  Any suggestions?

Expert Comment

by:George Simos
ID: 40364929
Hello,

Please post the command you are typing in PowerShell so I can test it further.

Expert Comment

by:George Simos
ID: 40364960
Hi again!

I saw the errors again and observed that the "MaxPasswordAge" flag is "0"; this is not acceptable to ADS, and you should change it to something higher (the default age in ADS is 42 days). The best practice is 90 days, but this is adjusted according to your environment.
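Added example (not code from any post in this thread): a PowerShell session that checks the two prerequisites George points to in the accepted solution (domain functional level and Domain Admins membership) and then re-issues frabus's PSO command with the MaxPasswordAge change from the comment above, using the 42-day default George cites. The global security group name TestUsersOU_Users is a placeholder; PSOs can only be linked to users and global security groups, not to an OU, so the name of the OU in the thread is not usable as a subject.

```powershell
# Added example for this thread (not code from the original posts).
# Assumes: the RSAT ActiveDirectory module, an elevated PowerShell session run
# as a Domain Admin, and a global security group TestUsersOU_Users (placeholder).
Import-Module ActiveDirectory

# 1. Fine-grained password policies need the Windows Server 2008 domain
#    functional level or higher.
$domain  = Get-ADDomain
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt [int]$minMode) {
    throw "Domain functional level is $($domain.DomainMode); FGPP needs Windows2008Domain or higher."
}

# 2. By default only Domain Admins may create PSOs. Check the current token for
#    the well-known Domain Admins RID (512). In a non-elevated session UAC
#    filters this group out of the token, which is why "Run as administrator"
#    or running as a domain admin matters.
$me              = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainAdminsSid = New-Object System.Security.Principal.SecurityIdentifier("$($domain.DomainSID.Value)-512")
if (-not ($me.Groups -contains $domainAdminsSid)) {
    throw "$($me.Name) does not hold Domain Admins in this token; re-run elevated as a domain admin."
}

# 3. The PSO from the thread, with MaxPasswordAge raised above MinPasswordAge.
#    AD rejects a PSO whose maximum password age is not greater than its
#    minimum password age, and the original command used a maximum of 0.
$psoParams = @{
    Name                        = 'TestUsersOU_PSO'
    DisplayName                 = 'TestUsersOU_PSO'
    Description                 = 'The Password Policy for members of TestUsersOU_Users'
    Precedence                  = 500
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10
    LockoutDuration             = '0.12:00:00'
    LockoutObservationWindow    = '0.00:15:00'
    MinPasswordAge              = '1.00:00:00'
    MaxPasswordAge              = '42.00:00:00'   # was "0.00:00:00"; 42 days is the AD default
    MinPasswordLength           = 8
    PasswordHistoryCount        = 24
}
New-ADFineGrainedPasswordPolicy @psoParams

# 4. Link the PSO to the group (placeholder name) and confirm both the stored
#    policy and the resultant policy for one member of that group.
Add-ADFineGrainedPasswordPolicySubject -Identity 'TestUsersOU_PSO' -Subjects 'TestUsersOU_Users'
Get-ADFineGrainedPasswordPolicy -Identity 'TestUsersOU_PSO' |
    Format-List Name, Precedence, MinPasswordAge, MaxPasswordAge, AppliesTo

$member = Get-ADGroupMember -Identity 'TestUsersOU_Users' | Select-Object -First 1
if ($member) {
    Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName
}
```

The resultant-policy query at the end is the check worth keeping around: it reports which PSO actually wins for a user after precedence is applied, so a policy that was created but never linked, or that lost to a lower-precedence PSO, shows up immediately rather than at the next password change.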

Expert Comment

by:George Simos
ID: 40380754
Any progress with your issue yet?

Expert Comment

by:George Simos
ID: 40395452
Hi Frabus,

Thanks for accepting my answer. Would you mind sharing some details about the resolution of your issue, please?

With regards