Symptom & Impact
Attempts to deploy modern password policy (e.g., 14-character minimum, banned password lists) on Windows Server 2019 domains fail or produce no effect because the domain functional level is too low or fine-grained PSOs are misconfigured.
Environment & Reproduction
Reproducible by editing the Default Domain Policy and running gpupdate.
Get-ADDomain | Select DomainMode
Get-ADDefaultDomainPasswordPolicy
Root Cause Analysis
Some features require DFL Windows Server 2008 or higher; legacy DFLs ignore newer settings.
Quick Triage
Check DFL and current policy.
Get-ADDomain | Format-List
Get-ADDefaultDomainPasswordPolicy
Get-ADFineGrainedPasswordPolicy -Filter *
Step-by-Step Diagnosis
Validate DC raise prerequisites.
Get-ADDomainController -Filter * | Select Name,OperatingSystem
dcdiag /test:dcpromo /dnsdomain:corp.local /replicadc
Solution – Primary Fix
Raise DFL and apply the policy.
Set-ADDomainMode -Identity corp.local -DomainMode Windows2016Domain
Set-ADDefaultDomainPasswordPolicy -Identity corp.local -MinPasswordLength 14 -PasswordHistoryCount 24
Solution – Alternative Approaches
Use PSOs for selective populations if a full domain raise is risky.
New-ADFineGrainedPasswordPolicy -Name 'Admins-PSO' -Precedence 10 -MinPasswordLength 16 -PasswordHistoryCount 24
Add-ADFineGrainedPasswordPolicySubject -Identity 'Admins-PSO' -Subjects 'Domain Admins'
Verification & Acceptance Criteria
New password policy applies and Get-ADUserResultantPasswordPolicy returns expected values.
Get-ADUserResultantPasswordPolicy -Identity jdoe
Get-ADDefaultDomainPasswordPolicy
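An acceptance check for the values used on this page, added here as an example and not part of the original article. Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies to the user, so the check falls back to the default domain policy; the function name Test-EffectivePasswordPolicy is hypothetical, and 'jdoe' and the thresholds 14 and 24 are taken from the commands above.

```powershell
#Requires -Modules ActiveDirectory
# Added example: report which policy actually governs each user and whether it
# meets the target values. Test-EffectivePasswordPolicy is a hypothetical helper.
function Test-EffectivePasswordPolicy {
    param(
        [Parameter(Mandatory)] [string[]] $Identity,
        [int] $MinLength = 14,   # target from the primary fix above
        [int] $History   = 24    # target from the primary fix above
    )

    $domain  = Get-ADDomain
    $default = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot

    foreach ($id in $Identity) {
        # $null when no PSO is linked to the user or to one of its global
        # security groups; the default domain policy then applies.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $id

        if ($pso) {
            $effective = $pso
            $source    = "PSO '$($pso.Name)' (precedence $($pso.Precedence))"
        } else {
            $effective = $default
            $source    = 'Default Domain Policy'
        }

        [pscustomobject]@{
            User       = $id
            DomainMode = $domain.DomainMode
            Source     = $source
            MinLength  = $effective.MinPasswordLength
            History    = $effective.PasswordHistoryCount
            Complexity = $effective.ComplexityEnabled
            Pass       = ($effective.MinPasswordLength -ge $MinLength) -and
                         ($effective.PasswordHistoryCount -ge $History)
        }
    }
}

# Sample call using the account name from the verification command above.
Test-EffectivePasswordPolicy -Identity 'jdoe' | Format-Table -AutoSize
```

A row with Pass = False and Source = 'Default Domain Policy' for an account expected to be covered by 'Admins-PSO' points to a missing or wrong PSO subject rather than a functional-level problem.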
Rollback Plan
Lowering the DFL is not supported; rollback requires forest planning. Revert PSOs if they are disruptive.
Remove-ADFineGrainedPasswordPolicySubject -Identity 'Admins-PSO' -Subjects 'Domain Admins'
Prevention & Hardening
Plan DFL upgrades with pilot DCs and align password policy with industry baselines.
Get-ADDomain | Select DomainMode
Get-ADForest | Select ForestMode
Related Errors & Cross-Refs
Linked with fine-grained PSO issues and LAPS rotations.
References & Further Reading
Microsoft Learn: Domain functional levels and password policies.

