Fine Grained Password Policies
by, 27th February 2011 at 10:51 PM (6473 Views)
Ok, something we are just about to implement - Password Policies for Staff. However, I hear you cry, you can only have one policy per domain - the "Default Domain Policy GPO". Yes - pre Server 2008 that is true...
With Windows Server 2008 you will now be able to define different password account lockout policies within the same domain. Previously this was not possible and this was also one of the reasons many of our customers implemented multiple domains in their forest. With Fine-Grained Password Policies you can assign different policies to users (individually if you want) or groups.
Its in there, but minus a GUI to configure this and you need to use the ADSIedit to create, manage and set the password policies. This is a bit of a pain, as its not the most friendly of beasts - and a licence to break things if you arent careful. If you want to go play the ADSI way, Kurt Roggen has blogged on it HERE.
Me on the other hand, would rather not. There are some community released nifty tools where you can manage the policies through a GUI, command-line or even by using PowerShell.
Some of the best...
Christoffer Andersson's Fine Grained Password Policy Tool (inc some Powershell snap ins)
Dmitry Sotnikov's Fine Grained Password Policies POWERGUI
Joe Richards (MVP) PSOMgr
Total Trackbacks 0