Active Directory: Fine-Grained Password Policy

Active Directory usually has a single password policy that is applied to all users. This will typically be in the Default Domain Policy unless a new group policy is created.

There are certain scenarios where we might want a different password policy: admin users, testing password resets, service accounts, and so on.

With fine-grained password policies, we can target either specific users or groups and assign them a specific password policy.

In this post we will go through creating and assigning a fine-grained password policy.

To start we need to open ADAC (Active Directory Administrative Center).

ADAC Console

Next we need to add the node to view the Password Settings Container. Select Manage and then Add Navigation Nodes.

Add Navigation Node

Select the required domain > System > Password Settings Container and click Add. The name can be customized; I just used Password Settings Container.

Add Password Node

To create the policy, select the password node, right click, select New and then Password Settings.

ADAC Password Node

The table below shows each setting with a short description.

Policy Name: The name of the fine-grained password policy.
Precedence: A numerical value that determines the priority. Lower numbers have higher priority.
Password History Length: The number of unique new passwords that must be associated with a user account before an old password can be reused.
Minimum Password Age: The minimum number of days that a password must be used before the user can change it. Prevents users from changing passwords repeatedly to bypass the history requirement.
Maximum Password Age: The maximum number of days that a password can be used before the user is required to change it.
Minimum Password Length: The minimum number of characters a password must contain.
Password Complexity Requirements: Whether the password must meet complexity requirements, such as including uppercase and lowercase letters, numbers, and special characters.
Store Passwords Using Reversible Encryption: Whether passwords should be stored using reversible encryption, which is less secure but may be required for certain applications.
Account Lockout Threshold: The number of failed login attempts that will trigger an account lockout.
Account Lockout Duration: The number of minutes that an account remains locked out before it is automatically unlocked.
Reset Account Lockout Counter After: The number of minutes that must pass after a failed login attempt before the failed attempts counter is reset to zero.
Applies To: The users or groups to which the policy applies.
Description: An optional field to describe the purpose or details of the fine-grained password policy.

Set the required setting values. I would recommend assigning the policy to a test group first to confirm all settings work as expected before applying it to standard users.

Fine Grained Password Policy settings

Click OK and the policy should now show.

Fine Grained Password Policy

To check whether the password policy is applied, select a user, right click and select View resultant password settings.

ADAC Password Policy view

If the user doesn't have a policy applied you will receive a warning.

ADAC Policy Warning

We can also create a password policy using PowerShell, which can be useful if you need to script multiple policies.

We can use the below to create the policy. I used PowerShell splatting to make the command shorter and easier to read.

# Parameters for New-ADFineGrainedPasswordPolicy, splatted below.
# Time values use the TimeSpan format days.hours:minutes:seconds.
$PassPolicy = @{
    Name                            = "Name"           # replace with the policy name
    ComplexityEnabled               = $true
    LockoutDuration                 = "00:30:00"       # minutes the account stays locked
    LockoutObservationWindow        = "00:30:00"       # reset counter after; must not exceed LockoutDuration
    LockoutThreshold                = 0                # failed attempts before lockout; 0 means no lockout
    MaxPasswordAge                  = "360.00:00:00"   # 360 days
    MinPasswordAge                  = "1.00:00:00"     # 1 day
    MinPasswordLength               = 7
    PasswordHistoryCount            = 24
    Precedence                      = 12               # lower number wins when several policies match
    ProtectedFromAccidentalDeletion = $true
}

New-ADFineGrainedPasswordPolicy @PassPolicy
Create Fine Grained Password Policy PowerShell

Next we can run the below command to return the password policies.

Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name
List Fine Grained Password Policies

The last step is to apply the policy to either a user or a group.

Add-ADFineGrainedPasswordPolicySubject -Identity Password_Policy_Name -Subjects Group
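To tie the three PowerShell steps together (create, list, apply) and to show the precedence rule from the settings table and the same "resultant password settings" check ADAC offers, here is an added example that is not code from the original post. It assumes the ActiveDirectory module is available and that the groups FGPP-Admins-Group and FGPP-Service-Group and the test user fgpp.test already exist; all of those names are placeholders.

```powershell
# Added example (not from the original post). Creates two fine-grained password
# policies, attaches each to a group, then reports which policy a test user gets.
# Assumed placeholders: 'FGPP-Admins-Group', 'FGPP-Service-Group', user 'fgpp.test'.
Import-Module ActiveDirectory

# Two policies so the precedence rule is visible: a user matched by both
# receives the one with the LOWER precedence number.
$Policies = @(
    @{
        Name                            = 'FGPP-Admins'
        Precedence                      = 10
        MinPasswordLength               = 15
        PasswordHistoryCount            = 24
        MinPasswordAge                  = '1.00:00:00'    # days.hours:minutes:seconds
        MaxPasswordAge                  = '90.00:00:00'
        ComplexityEnabled               = $true
        ReversibleEncryptionEnabled     = $false
        LockoutThreshold                = 10              # 0 would disable lockout entirely
        LockoutDuration                 = '00:30:00'
        LockoutObservationWindow        = '00:30:00'      # must not exceed LockoutDuration
        ProtectedFromAccidentalDeletion = $true
        Description                     = 'Stricter settings for privileged accounts'
        Subjects                        = 'FGPP-Admins-Group'   # not a cmdlet parameter; removed before splatting
    },
    @{
        Name                            = 'FGPP-Service'
        Precedence                      = 20
        MinPasswordLength               = 25
        PasswordHistoryCount            = 24
        MinPasswordAge                  = '1.00:00:00'
        MaxPasswordAge                  = '365.00:00:00'
        ComplexityEnabled               = $true
        ReversibleEncryptionEnabled     = $false
        LockoutThreshold                = 10
        LockoutDuration                 = '00:30:00'
        LockoutObservationWindow        = '00:30:00'
        ProtectedFromAccidentalDeletion = $true
        Description                     = 'Long passwords for service accounts'
        Subjects                        = 'FGPP-Service-Group'
    }
)

foreach ($p in $Policies) {
    $params = $p.Clone()
    $group  = $params['Subjects']
    $params.Remove('Subjects')

    # Idempotent: only create the policy if it does not exist yet.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($params.Name)'")) {
        New-ADFineGrainedPasswordPolicy @params
    }

    # Applies To: attach the group (a user works the same way) as a subject.
    $current = Get-ADFineGrainedPasswordPolicySubject -Identity $params.Name |
               Select-Object -ExpandProperty Name
    if ($group -notin $current) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $params.Name -Subjects $group
    }
}

# Verify from the user's point of view; this is what ADAC's
# "View resultant password settings" shows. Nothing is returned when no
# fine-grained policy matches and the Default Domain Policy is in effect.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'fgpp.test'
if ($null -eq $resultant) {
    Write-Warning 'No fine-grained policy applies to fgpp.test; the default domain policy is in effect.'
} else {
    $resultant | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge
}

# Review every policy together with what it applies to, lowest precedence first.
Get-ADFineGrainedPasswordPolicy -Filter * |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.Name
            Precedence = $_.Precedence
            AppliesTo  = (Get-ADFineGrainedPasswordPolicySubject -Identity $_.Name |
                          Select-Object -ExpandProperty Name) -join ', '
        }
    } | Sort-Object Precedence
```

If fgpp.test is a member of both groups, the resultant policy is FGPP-Admins because its precedence (10) is lower, which is the behaviour the Precedence row in the table describes. The Subjects key is kept in each hashtable only for readability and is stripped before splatting, since New-ADFineGrainedPasswordPolicy would reject an unknown parameter.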

Setting up a fine-grained password policy in Microsoft Active Directory is a great way to enhance security by applying custom password and account lockout settings to specific users or groups.

After implementing the policy, it’s important to monitor and review its impact. Reviewing these settings over time can help maintain a balance between strong security and user convenience.

Computer Account Re-Use Domain Join: SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 returned NetStatus:0x5

This is a quick post to go through an issue I ran into when applying the Active Directory (AD) domain re-use policy. I have a separate post on setting up the domain re-use policy.

Even though the policy was configured for the user I was using to re-join the computer to AD, I was still getting the following domain error:

Account exists and re-use is blocked by policy.

When looking through the netsetup logs under C:\Windows\debug, I was getting the following error:

Active Directory Policy check with SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 returned NetStatus:0x5.

SAM Error

This issue was caused by having the following security option policy set: Network access: Restrict clients allowed to make remote calls to SAM.

This policy is recommended to improve security in AD, but by default it only allows members of the Administrators group in AD to connect remotely to the Security Accounts Manager (SAM) database.

To fix the issue I added the same group used for domain joins to the policy, so the domain re-join accounts are also able to make remote calls to SAM.

SAM policy setting

Once the policy is updated on all DCs, the domain join should work correctly.

Netsetup log
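As an added example that is not code from the original post, the script below works the diagnosis from the log line to the policy setting: it looks for the SAM policy-check failure in netsetup.log and then decodes the SDDL behind "Network access: Restrict clients allowed to make remote calls to SAM" on a domain controller to show which principals are allowed and what the value would look like with the domain-join group added. It assumes the group name CONTOSO\Domain-Join-Operators (a placeholder) and that the security option stores its SDDL in the RestrictRemoteSAM value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the sample log line is constructed from the error quoted in the post.

```powershell
# Added example (not from the original post). Run on a domain controller.
# Placeholders: the domain-join group name; the log path is the one the post uses.
$JoinGroup = 'CONTOSO\Domain-Join-Operators'
$LogPath   = 'C:\Windows\debug\netsetup.log'
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'RestrictRemoteSAM'   # assumption: value the security option writes its SDDL to

function Test-NetsetupSamDenied {
    param([string[]]$LogLines)
    # 0x5 is ERROR_ACCESS_DENIED: the joining account was refused remote SAM access.
    [bool]($LogLines -match 'SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 returned NetStatus:0x5')
}

function Get-RemoteSamAllowedSids {
    param([string]$Sddl)
    # Parse the SDDL and return the SIDs of every access-allowed ACE in the DACL.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) { return @() }
    @($sd.DiscretionaryAcl |
        Where-Object { $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed } |
        ForEach-Object { $_.SecurityIdentifier })
}

function Add-RemoteSamAllowedSid {
    param([string]$Sddl, [System.Security.Principal.SecurityIdentifier]$Sid)
    # Return the SDDL with an allow ACE for $Sid appended, or unchanged if already present.
    $present = @(Get-RemoteSamAllowedSids -Sddl $Sddl | ForEach-Object { $_.Value })
    if ($present -contains $Sid.Value) { return $Sddl }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) {
        $sd.DiscretionaryAcl = New-Object System.Security.AccessControl.RawAcl(2, 1)
    }
    # RC (READ_CONTROL, 0x20000) is the right the default entry grants Administrators.
    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        0x20000, $Sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# 1. Check the log. When no log exists, a line constructed from the post's error is
#    used so the check can still be exercised.
$logLines = if (Test-Path $LogPath) {
    Get-Content $LogPath
} else {
    @('Active Directory Policy check with SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 returned NetStatus:0x5.')
}
if (Test-NetsetupSamDenied -LogLines $logLines) {
    Write-Warning 'netsetup.log shows the SAM policy check failing with 0x5 (access denied).'
}

# 2. Decode the SAM restriction. A missing value means the option is not configured here.
$current = (Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if (-not $current) {
    Write-Output "$ValueName is not set on this host; the policy is not configured here."
} else {
    Write-Output "Current SDDL: $current"
    foreach ($sid in Get-RemoteSamAllowedSids -Sddl $current) {
        $name = '(unresolved)'
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        Write-Output ('  allowed: {0}  {1}' -f $sid.Value, $name)
    }
    $joinSid  = (New-Object System.Security.Principal.NTAccount($JoinGroup)).Translate(
                    [System.Security.Principal.SecurityIdentifier])
    $proposed = Add-RemoteSamAllowedSid -Sddl $current -Sid $joinSid
    if ($proposed -eq $current) {
        Write-Output "$JoinGroup is already allowed; the 0x5 has another cause."
    } else {
        Write-Output "$JoinGroup is missing. SDDL with it added (set it through the GPO, then update all DCs):"
        Write-Output "  $proposed"
    }
}
```

The script only reports and computes the proposed SDDL; it does not write the registry, because the value is owned by the security option in the GPO and any direct edit would be overwritten at the next policy refresh. Paste the proposed string into the policy setting instead, then confirm it has reached every DC before retrying the join.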