How to Configure Windows Server 2016 Fine-Grained Password Policy
Prior to Windows Server 2008, Active Directory supported only a single domain-wide password policy and account lockout policy, defined in the Default Domain Policy GPO. Fine-Grained Password Policies (FGPP), introduced in Windows Server 2008 and fully supported in Windows Server 2016, allow administrators to define multiple password and lockout policies and apply different policies to different users or groups within the same domain. This enables stricter requirements for privileged accounts while maintaining more user-friendly policies for standard users.
Prerequisites
Fine-Grained Password Policies require the domain functional level to be Windows Server 2008 or higher. The policies are stored as Password Settings Objects (PSOs) in the Password Settings Container (PSC) located at CN=Password Settings Container,CN=System,DC=domain,DC=com. They can be applied directly to users or to global security groups. They cannot be applied to OUs — this is a common misconception.
PSO Attributes
A Password Settings Object contains the following configurable attributes that mirror the account policy settings in the Default Domain Policy:
msDS-PasswordSettingsPrecedence — an integer that determines priority when multiple PSOs apply to the same user (lower value wins).
msDS-PasswordReversibleEncryptionEnabled — whether passwords are stored with reversible encryption.
msDS-PasswordHistoryLength — number of previous passwords remembered.
msDS-PasswordComplexityEnabled — whether complexity requirements are enforced.
msDS-MinimumPasswordLength — minimum number of characters.
msDS-MinimumPasswordAge — minimum time before a password can be changed (in days).
msDS-MaximumPasswordAge — maximum password age before expiry.
msDS-LockoutThreshold — failed attempts before lockout.
msDS-LockoutObservationWindow — time window for counting failed attempts.
msDS-LockoutDuration — how long the account remains locked.
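To see these attributes as they are actually stored, the following added example (not part of the original article) checks the functional-level prerequisite from the section above and then queries the Password Settings Container with Get-ADObject, reading the raw msDS-* attributes rather than the friendlier properties the FGPP cmdlets expose. The container path and attribute names are the ones the article lists; the ConvertFrom-AdInterval helper and the output column names are this example's own assumptions.

```powershell
# Added example: inspect PSOs as raw directory objects. Not from the original
# article; ConvertFrom-AdInterval and the output column names are assumptions.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Prerequisite check: FGPP needs domain functional level Windows Server 2008 or higher.
$required = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $required) {
    throw "Domain functional level '$($domain.DomainMode)' does not support Fine-Grained Password Policies."
}

# PSOs live in the Password Settings Container under CN=System.
$psc = "CN=Password Settings Container,CN=System,$($domain.DistinguishedName)"

$rawAttrs = @(
    'msDS-PasswordSettingsPrecedence', 'msDS-MinimumPasswordLength',
    'msDS-PasswordHistoryLength', 'msDS-PasswordComplexityEnabled',
    'msDS-PasswordReversibleEncryptionEnabled', 'msDS-MinimumPasswordAge',
    'msDS-MaximumPasswordAge', 'msDS-LockoutThreshold',
    'msDS-LockoutObservationWindow', 'msDS-LockoutDuration', 'msDS-PSOAppliesTo'
)

# Durations are stored as negative counts of 100-nanosecond intervals (one .NET
# tick each); the cmdlets and ADAC present them as TimeSpans / days. The most
# negative Int64 means "never" and must not be passed to [Math]::Abs.
function ConvertFrom-AdInterval([long]$Value) {
    if ($Value -eq [long]::MinValue) { return 'Never' }
    [TimeSpan]::FromTicks([Math]::Abs($Value))
}

Get-ADObject -SearchBase $psc -SearchScope OneLevel `
    -LDAPFilter '(objectClass=msDS-PasswordSettings)' -Properties $rawAttrs |
    ForEach-Object {
        [PSCustomObject]@{
            Name             = $_.Name
            Precedence       = $_.'msDS-PasswordSettingsPrecedence'
            MinLength        = $_.'msDS-MinimumPasswordLength'
            History          = $_.'msDS-PasswordHistoryLength'
            Complexity       = $_.'msDS-PasswordComplexityEnabled'
            Reversible       = $_.'msDS-PasswordReversibleEncryptionEnabled'
            MinAge           = ConvertFrom-AdInterval $_.'msDS-MinimumPasswordAge'
            MaxAge           = ConvertFrom-AdInterval $_.'msDS-MaximumPasswordAge'
            LockoutThreshold = $_.'msDS-LockoutThreshold'
            LockoutWindow    = ConvertFrom-AdInterval $_.'msDS-LockoutObservationWindow'
            LockoutDuration  = ConvertFrom-AdInterval $_.'msDS-LockoutDuration'
            AppliesTo        = @($_.'msDS-PSOAppliesTo') -join '; '
        }
    } |
    Sort-Object Precedence |
    Format-Table -AutoSize
```

The msDS-PSOAppliesTo column is the link that the Add-ADFineGrainedPasswordPolicySubject cmdlet later in the article populates; a PSO with an empty value here is configured but applies to nobody.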
Creating a PSO Using Active Directory Administrative Center
The Active Directory Administrative Center (ADAC) provides the most user-friendly GUI for managing PSOs. Open ADAC (dsac.exe), navigate to your domain, then open the System container and find Password Settings Container. Right-click and select New > Password Settings. Fill in all required fields and click the Add button to associate the PSO with users or groups.
Creating a PSO Using PowerShell
PowerShell provides the most efficient method for creating PSOs, especially when deploying multiple policies. The New-ADFineGrainedPasswordPolicy cmdlet is available when the ActiveDirectory module is loaded:
Import-Module ActiveDirectory
New-ADFineGrainedPasswordPolicy -Name "PrivilegedAccounts_PSO" `
-Precedence 10 `
-MinPasswordLength 20 `
-PasswordHistoryCount 24 `
-ComplexityEnabled $true `
-ReversibleEncryptionEnabled $false `
-MinPasswordAge "1.00:00:00" `
-MaxPasswordAge "60.00:00:00" `
-LockoutThreshold 3 `
-LockoutObservationWindow "0.00:30:00" `
-LockoutDuration "0.00:30:00" `
-Description "High-security policy for Domain Admins and privileged accounts"
Create a standard user policy with lower precedence (higher number = lower priority):
New-ADFineGrainedPasswordPolicy -Name "StandardUsers_PSO" `
-Precedence 100 `
-MinPasswordLength 12 `
-PasswordHistoryCount 12 `
-ComplexityEnabled $true `
-ReversibleEncryptionEnabled $false `
-MinPasswordAge "1.00:00:00" `
-MaxPasswordAge "90.00:00:00" `
-LockoutThreshold 5 `
-LockoutObservationWindow "0.00:15:00" `
-LockoutDuration "0.00:15:00" `
-Description "Standard password policy for all domain users"
Applying a PSO to a Group
After creating the PSO, link it to the appropriate security group. It is best practice to apply PSOs to global security groups rather than individual users, which makes management easier:
Add-ADFineGrainedPasswordPolicySubject -Identity "PrivilegedAccounts_PSO" -Subjects "Domain Admins"
Add-ADFineGrainedPasswordPolicySubject -Identity "PrivilegedAccounts_PSO" -Subjects "Enterprise Admins"
Add-ADFineGrainedPasswordPolicySubject -Identity "StandardUsers_PSO" -Subjects "Domain Users"
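The creation and linking steps above can be driven from one definition table so that re-running the script updates existing PSOs instead of failing on a duplicate name. This is an added example, not the article's own script: the policy names, values and groups are the ones the article uses, while the Test-PsoDefinition helper and the create-or-update logic are this example's assumptions.

```powershell
# Added example: data-driven create-or-update of the two PSOs and their subjects.
# Not from the original article; Test-PsoDefinition is an assumption.
Import-Module ActiveDirectory

$policies = @(
    @{
        Name = 'PrivilegedAccounts_PSO'; Precedence = 10
        MinPasswordLength = 20; PasswordHistoryCount = 24
        ComplexityEnabled = $true; ReversibleEncryptionEnabled = $false
        MinPasswordAge = [TimeSpan]'1.00:00:00'; MaxPasswordAge = [TimeSpan]'60.00:00:00'
        LockoutThreshold = 3
        LockoutObservationWindow = [TimeSpan]'0.00:30:00'; LockoutDuration = [TimeSpan]'0.00:30:00'
        Description = 'High-security policy for Domain Admins and privileged accounts'
        Subjects = @('Domain Admins', 'Enterprise Admins')
    },
    @{
        Name = 'StandardUsers_PSO'; Precedence = 100
        MinPasswordLength = 12; PasswordHistoryCount = 12
        ComplexityEnabled = $true; ReversibleEncryptionEnabled = $false
        MinPasswordAge = [TimeSpan]'1.00:00:00'; MaxPasswordAge = [TimeSpan]'90.00:00:00'
        LockoutThreshold = 5
        LockoutObservationWindow = [TimeSpan]'0.00:15:00'; LockoutDuration = [TimeSpan]'0.00:15:00'
        Description = 'Standard password policy for all domain users'
        Subjects = @('Domain Users')
    }
)

function Test-PsoDefinition([hashtable]$P) {
    # Catch combinations the directory rejects (for the finite values used here)
    # before any object is touched, so a half-deployed set of PSOs cannot happen.
    if ($P.MinPasswordAge -ge $P.MaxPasswordAge) {
        throw "$($P.Name): MinPasswordAge must be shorter than MaxPasswordAge."
    }
    if ($P.LockoutObservationWindow -gt $P.LockoutDuration) {
        throw "$($P.Name): LockoutObservationWindow cannot exceed LockoutDuration."
    }
    if ($P.ReversibleEncryptionEnabled) {
        throw "$($P.Name): reversible encryption is not allowed by this deployment."
    }
}

$policies | ForEach-Object { Test-PsoDefinition $_ }   # validate all before deploying any

foreach ($p in $policies) {
    $settings = [hashtable]$p.Clone()
    $subjects = $settings['Subjects']; $settings.Remove('Subjects')

    if (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'") {
        # Name is the identity; every other setting can be changed in place.
        $settings.Remove('Name')
        Set-ADFineGrainedPasswordPolicy -Identity $p.Name @settings
        Write-Output "Updated $($p.Name)"
    } else {
        New-ADFineGrainedPasswordPolicy @settings -ProtectedFromAccidentalDeletion $true
        Write-Output "Created $($p.Name)"
    }

    # Link only subjects not already linked so the script is safe to re-run.
    $linked = @(Get-ADFineGrainedPasswordPolicySubject -Identity $p.Name | Select-Object -ExpandProperty Name)
    foreach ($s in $subjects) {
        if ($linked -notcontains $s) {
            Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $s
            Write-Output "Linked $s to $($p.Name)"
        }
    }
}
```

Because this script creates the PSOs with -ProtectedFromAccidentalDeletion $true, the Remove-ADFineGrainedPasswordPolicy step later in the article will refuse to delete them until the flag is cleared with Set-ADFineGrainedPasswordPolicy -Identity <name> -ProtectedFromAccidentalDeletion $false.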
Viewing PSO Assignments
To see which PSOs are applied to a specific group:
Get-ADFineGrainedPasswordPolicySubject -Identity "PrivilegedAccounts_PSO"
To determine the resultant PSO applied to a specific user (the Resultant PSO):
Get-ADUserResultantPasswordPolicy -Identity jsmith
This command returns the PSO that will actually be applied to the user, taking into account precedence when multiple PSOs apply. If no PSO applies, the Default Domain Policy password settings are used.
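Checking one user at a time does not scale to an audit, so the following added example (not from the original article) runs Get-ADUserResultantPasswordPolicy over every member of a set of privileged groups and flags accounts that fall back to the Default Domain Policy or whose effective settings are weaker than expected. The group list and the 15-character floor are this example's assumptions.

```powershell
# Added example: effective-policy audit for privileged group members.
# Not from the original article; the group list and the length floor are assumptions.
Import-Module ActiveDirectory

$privilegedGroups      = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
$minimumExpectedLength = 15    # assumed floor for privileged accounts
$domainPolicy          = Get-ADDefaultDomainPasswordPolicy
$seen                  = @{}   # a user in several groups is reported once

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups; only user objects have a resultant policy.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and -not $seen.ContainsKey($_.SamAccountName) } |
        ForEach-Object {
            $seen[$_.SamAccountName] = $true

            # Returns nothing when no PSO applies; the Default Domain Policy is in effect then.
            $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
            $effective = if ($pso) { $pso } else { $domainPolicy }

            if (-not $pso) {
                $finding = 'No PSO applies (Default Domain Policy)'
            } elseif ($effective.MinPasswordLength -lt $minimumExpectedLength) {
                $finding = "MinPasswordLength below $minimumExpectedLength"
            } elseif ($effective.LockoutThreshold -eq 0) {
                $finding = 'Lockout disabled'
            } else {
                $finding = ''
            }

            [PSCustomObject]@{
                Group            = $group
                User             = $_.SamAccountName
                EffectivePolicy  = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
                MinLength        = $effective.MinPasswordLength
                LockoutThreshold = $effective.LockoutThreshold
                Finding          = $finding
            }
        }
}

$report | Sort-Object Finding -Descending | Format-Table -AutoSize
"Accounts with findings: " + @($report | Where-Object Finding).Count
```

An empty Finding column for every row is the expected result after the PrivilegedAccounts_PSO from earlier in the article has been linked to the admin groups; any row reporting the Default Domain Policy points at a privileged account that is not covered by a PSO.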
Listing All PSOs in the Domain
Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold | Format-Table -AutoSize
Modifying an Existing PSO
To update a PSO after creation, use Set-ADFineGrainedPasswordPolicy:
Set-ADFineGrainedPasswordPolicy -Identity "StandardUsers_PSO" -MinPasswordLength 14 -LockoutThreshold 10
Removing a PSO
To remove a PSO, first remove any subject assignments and then delete the PSO:
Remove-ADFineGrainedPasswordPolicySubject -Identity "StandardUsers_PSO" -Subjects "Domain Users"
Remove-ADFineGrainedPasswordPolicy -Identity "StandardUsers_PSO" -Confirm:$false
Precedence Resolution
When a user is a member of multiple groups that have different PSOs applied, the PSO with the lowest precedence value wins. If a PSO is assigned directly to a user, it always takes priority over group-assigned PSOs regardless of precedence number. If two PSOs with the same precedence number apply to the same user, Active Directory uses the ObjectGUID to break the tie, which is essentially arbitrary — so always use unique precedence values.
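The two conditions described above that make the effective policy hard to predict, duplicate precedence values and PSOs applied directly to user objects, can be checked mechanically. The following added example (not from the original article) lints every PSO in the domain for them and also reports PSOs that apply to no subject at all; the warning texts are this example's own.

```powershell
# Added example: lint PSOs for precedence ties, direct user assignments and
# orphaned policies. Not from the original article.
Import-Module ActiveDirectory

$psos = @(Get-ADFineGrainedPasswordPolicy -Filter *)

# 1. Ties on precedence are broken by ObjectGUID, which is effectively arbitrary.
$psos | Group-Object Precedence | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("Precedence {0} is shared by: {1}" -f $_.Name, ($_.Group.Name -join ', '))
}

foreach ($pso in $psos) {
    $subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $pso)

    # 2. A PSO linked to nothing is dead configuration that still consumes a precedence slot.
    if ($subjects.Count -eq 0) {
        Write-Warning ("{0} (precedence {1}) applies to no users or groups" -f $pso.Name, $pso.Precedence)
    }

    # 3. Direct user links override group links regardless of precedence and are
    #    easy to lose track of; list them so they can be moved to a group.
    $subjects | Where-Object objectClass -eq 'user' | ForEach-Object {
        Write-Warning ("{0} is applied directly to user {1}" -f $pso.Name, $_.SamAccountName)
    }
}

"Checked $($psos.Count) PSO(s)."
```

Running this before and after each PSO change keeps the precedence scheme unique, which is the only way to make the "lowest value wins" rule above deterministic.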
Best Practices
Apply PSOs to groups rather than individual users for manageability.
Use low precedence numbers (1-10) for high-priority policies targeting privileged accounts.
Document all PSOs, their purpose, and their subjects.
Ensure the Default Domain Policy password settings serve as a baseline for users who do not match any PSO.
Require longer, more complex passwords for administrative accounts.
Consider using passphrases rather than complex short passwords for better security and usability.
Review PSO assignments quarterly to ensure they remain appropriate.
Fine-Grained Password Policies give Windows Server 2016 administrators the granular control over authentication security that was not possible in earlier versions of Active Directory. Using PSOs correctly strengthens your security posture while preserving usability for standard users.