In this blog post, I will show you how to create, configure and apply a fine-grained password policy using PowerShell.
About Fine-Grained Password Policy
First introduced in Windows Server 2008, it allows us to create custom password policies and apply them to users and groups in an Active Directory forest.
About the Process
In this use case, I will create a password policy for an Active Directory group called DBA Administrators; however, this policy can also apply to a user.
Create a Group
To start the process, I will first start with creating an Active Directory group called DBA Administrators using PowerShell.
New-ADGroup -Name "DBA Administrators" -GroupScope Universal
To create my fine-grained password policy, I will use the following cmdlet.
New-ADFineGrainedPasswordPolicy -Name "DBA Administrators PSO" ` -MinPasswordAge 7 ` -MaxPasswordAge 90 ` -PasswordHistoryCount 3 ` -ComplexityEnabled $true ` -Precedence 1 -Verbose
In the last step of this process, I will apply the policy to the BDA Administrators group using the PowerShell cmdlet below.
Add-ADFineGrainedPasswordPolicySubject -Identity "DBA Administrators PSO" -Subjects "DBA Administrators"
To view all the fine-grained policies in my AD forest, I will run the following cmdlet.
Get-ADFineGrainedPasswordPolicy -Filter * | ft