Another new feature in Windows Server 2008 Active Directory Domain Services is that (at long last) it’s now possible to apply multiple password policies within a single domain using a new feature called fine grained password policies. Now PINs can be used for mobile device access and complex passwords for conventional form factor devices without requiring separate domains, third party software or writing a custom password filter DLL.
The fine grained password policies are user and group based (i.e. not per-OU – in order to avoid extra domain load during login) and multiple policies can be applied; however, the new functionality involves a complex administrative process and there is no GUI yet (although the password settings container can be found if Advanced Features are enabled in Active Directory Users and Computers). Fortunately, Joe Richards has written PSOMgr (a command line tool to manage fine grain password policy password settings objects) and Christoffer Andersson has a similar tool with MMC/PowerShell interfaces.
One thought on “Fine grained password policies for Windows Server 2008 Active Directory Domain Services”