Fine Grained password policy will not allow groups to be assigned to it.

Hey Guys,

I set up a password policy in Active directory.  Our domain is native 2012 r2 functional level.

I can assign users to the policy under the "Directly Applies TO" section.

However, I cannot apply it to a group.  I get an error that the group object cannot be found even though it does.  When I enter a partial name, it only lists user objects even though user and group objects are both checked.  I have tried from the root of the directory as well as the container that the group is located in.

Has anyone else seen this behavior and know what the fix is?
horsemenlAsked:
Who is Participating?
 
horsemenlAuthor Commented:
I found the resolution.

Our groups are Universal and you can only apply FGPP to Global groups.  I changed the group to Global and then was able to apply it normally.
0
 
horsemenlAuthor Commented:
A quick update.

What is weird is that I can go to the Password Settings Container under Active Directory Users and Computers and add the DN of the group under the attribute msDS-PSOAppliesTo.

Does anyone else see groups when trying to apply the password policy under the Active Directory Administrative Center?
0
 
horsemenlAuthor Commented:
Another update:

Even though I added the group to the msD-PSOAppliesTo attribute, it does not work.  It only works on individual users, so my initial issue is still in play.
0
 
horsemenlAuthor Commented:
I have included a screenshot of the error

Screenshot of the error
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.