Create a Fine-Grained Password Policy with PowerShell

In this blog post, I will show you how to create, configure and apply a fine-grained password policy using PowerShell.

About Fine-Grained Password Policy

First introduced in Windows Server 2008, fine-grained password policies allow us to create custom password policies and apply them to users and groups in an Active Directory forest.

About the Process

In this use case, I will create a password policy for an Active Directory group called DBA Administrators; however, this policy can also apply to a user.

Create a Group

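To start the process, I will create an Active Directory group called DBA Administrators using PowerShell.

# A password settings object only takes effect on users and global security groups,
# so the group is created with Global scope (the category defaults to Security).
New-ADGroup -Name "DBA Administrators" -GroupScope Global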

Create Policy

To create my fine-grained password policy, I will use the following cmdlet.

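# Password ages are TimeSpan values, written here in D.H:M:S form so they are read as days.
New-ADFineGrainedPasswordPolicy -Name "DBA Administrators PSO" `
-MinPasswordAge "7.00:00:00" `
-MaxPasswordAge "90.00:00:00" `
-PasswordHistoryCount 3 `
-ComplexityEnabled $true `
-Precedence 1 -Verbose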

Apply Policy

In the last step of this process, I will apply the policy to the DBA Administrators group using the PowerShell cmdlet below.

Add-ADFineGrainedPasswordPolicySubject -Identity "DBA Administrators PSO" -Subjects "DBA Administrators"

Get Policies

To view all the fine-grained policies in my AD forest, I will run the following cmdlet.

Get-ADFineGrainedPasswordPolicy -Filter * | Format-Table
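
Listing the policies does not show whether the policy is actually in force for the group's members. The check below is an added example, not code from the original post; it reuses the group and policy names from the steps above and assumes the ActiveDirectory module is available and the group already has members.

```powershell
# Added example: confirm the PSO from this post is linked and effective.
Import-Module ActiveDirectory

$psoName   = 'DBA Administrators PSO'   # name used in the post
$groupName = 'DBA Administrators'       # name used in the post

# 1. A PSO only takes effect on users and global security groups.
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    Write-Warning "$groupName is $($group.GroupScope)/$($group.GroupCategory); the PSO will not take effect for its members."
}

# 2. The group must be listed as a subject of the PSO.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName
if ($subjects.DistinguishedName -notcontains $group.DistinguishedName) {
    Write-Warning "$groupName is not a subject of $psoName."
}

# 3. Show the values that were stored, including the ones left at their defaults.
Get-ADFineGrainedPasswordPolicy -Identity $psoName |
    Select-Object Name, Precedence, MinPasswordAge, MaxPasswordAge,
                  MinPasswordLength, PasswordHistoryCount, ComplexityEnabled,
                  ReversibleEncryptionEnabled

# 4. Resultant policy per member: another PSO with a lower precedence value,
#    or one linked directly to the user, overrides the group's PSO.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User         = $_.SamAccountName
            EffectivePso = if ($effective) { $effective.Name } else { '(default domain policy)' }
            AsExpected   = ($effective.Name -eq $psoName)
        }
    } | Format-Table -AutoSize
```

Any row where AsExpected is False means that member is governed by a different policy than the one created here.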
