Fine-grained password policies are certainly an important enhancement of Windows Server 2008. Whereas Windows Server 2003 domains allow only one policy for all user groups, fine-grained password policies in Windows Server 2008 domains let you configure password and lockout policies for different sets of users. The only problem with this new feature is that configuring it is quite labor-intensive. I described the configuration of Windows Server 2008’s fine-grained policies in detail a while back. With Specops Password Policy Basic, a free tool, it is much easier to define and manage policies.
The tool requires that .NET Framework 2 and Microsoft Management Console (MMC) 3 be installed. It also seems to need PowerShell, as I could only install it after I added this Windows Server 2008 feature. Also keep in mind that the domain’s functional level must be that of Windows Server 2008, as earlier Active Directory versions don’t support fine-grained password policies.
Configuring a password policy for a user group is only a matter of seconds with Specops Password Policy Basic. You just have to create the new policy, configure policies, and then add the user groups to which you want to apply the rule set. Note that you can’t add empty user groups to a policy, so there should be at least one user in any group that you add.
Specops Password Policy Basic displays all configured policies in a table, which gives you a good overview of your settings. You can easily define the precedence order by moving the row in question up or down. If a user is a member of multiple groups with different password policies, then the precedence order decides which policy will be applied. You can also look up the effective password policy for a specific user. In addition, it is possible to list all users that belong to a specific policy. This feature is useful if you have applied a rule set to multiple groups.
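The same three views (policy table in precedence order, effective policy for one user, users covered by one policy) can be cross-checked from PowerShell. This is an added example, not part of Specops Password Policy Basic; it assumes the Microsoft ActiveDirectory module (RSAT) is available, and the policy name `Admins-PSO` and account `jdoe` are hypothetical placeholders.

```powershell
# Added example: audit fine-grained password policies (PSOs) with the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PsoOverview {
    # All PSOs sorted by precedence; the lowest precedence value wins.
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Sort-Object Precedence |
        Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge,
            LockoutThreshold, ComplexityEnabled,
            @{ n = 'AppliesTo'; e = {
                (Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
                    ForEach-Object { $_.Name }) -join ', ' } }
}

function Get-PsoDuplicatePrecedence {
    # Two PSOs sharing a precedence value make the winner hard to read from the table.
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Group-Object Precedence |
        Where-Object { $_.Count -gt 1 } |
        Select-Object @{ n = 'Precedence'; e = { $_.Name } },
            @{ n = 'Policies'; e = { ($_.Group | ForEach-Object { $_.Name }) -join ', ' } }
}

function Get-PsoUser {
    # Every user covered by one PSO, expanding nested group membership.
    param([Parameter(Mandatory = $true)][string]$PolicyName)
    Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName | ForEach-Object {
        if ($_.objectClass -eq 'group') {
            Get-ADGroupMember -Identity $_.DistinguishedName -Recursive |
                Where-Object { $_.objectClass -eq 'user' }
        } else { $_ }
    } | Sort-Object SamAccountName -Unique |
        Select-Object SamAccountName, DistinguishedName
}

function Get-EffectivePasswordPolicy {
    # Resultant PSO for one user; no result means the default domain policy applies.
    param([Parameter(Mandatory = $true)][string]$User)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) {
        $pso | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
    } else {
        Get-ADDefaultDomainPasswordPolicy |
            Select-Object @{ n = 'Name'; e = { 'Default domain policy' } },
                MinPasswordLength, LockoutThreshold
    }
}

Get-PsoOverview | Format-Table -AutoSize
Get-PsoDuplicatePrecedence
Get-PsoUser -PolicyName 'Admins-PSO'          # hypothetical policy name
Get-EffectivePasswordPolicy -User 'jdoe'      # hypothetical account
```

Running the effective-policy check against a privileged account after reordering policies confirms that the stricter rule set is the one actually applied.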
Specops Password Policy Basic is a part of Microsoft’s Windows Server 2008 Resource Kit, but you can also download the tool for free from the vendor’s web site. There is also a commercial version, Specops Password Policy, which offers additional features, such as uppercase/lowercase policies or dictionary checks.