TSF – Giải pháp IT toàn diện cho doanh nghiệp SMB | HCM

P14 - Master Fine-Grained Password in Server 2025

WinServer2025 – P14 How to Configure Fine-Grained Password Policy

In traditional Active Directory environments, password policy management is limited to a single Default Domain Policy.
This means every user in the domain follows the same password rules — regardless of their role or security level.

With Fine-Grained Password policy (FGPP), administrators can define multiple password policies within the same domain, applying different security standards to different groups.

This guide explains how to configure Fine-Grained Password Policy in Windows Server 2025 using GUI, following best practices.


1️⃣ Definition

🔐 What Is Fine-Grained Password Policy (FGPP)?

FGPP allows you to set MULTIPLE different password policies within the SAME DOMAIN.

By default:

  • Default Domain Policy → Only one policy applies to all users.

Fine-Grained Password Policy allows administrators to define separate password requirements for different user groups instead of being restricted to a single domain-wide policy.


Why FGPP Exists

In real-world environments, not all accounts require the same security level.

Example policy objects:

  • Domain Admin → 15–20 characters, complex

  • IT/Server Admin → 14–16 characters

  • Regular User → 8–10 characters

  • Service Account → Password never expires

👉 Much more flexible and secure.


Practical Example (Very Easy to Understand)

🎯 Requirements:

  • Regular User → Minimum 8 characters

  • IT Admin → Minimum 14 characters

  • Service Account → Password does not expire (e.g., snipe, glpi, ldap user)

Implementation Approach

  • Default Domain Policy:

    • Minimum length = 8

  • FGPP:

    • PSO-IT-Admin → Minimum 14

    • PSO-Service → Password never expires

➡️ Within the same domain, each group follows its own password policy.


FGPP Priority Order (Common Confusion)

If a user is linked to multiple PSOs:

👉 The PSO with the lower “Precedence” value takes priority.

Example:

  • PSO-Admin → Precedence = 1

  • PSO-User → Precedence = 10

➡️ If a user belongs to both groups → PSO-Admin applies.

📌 Smaller number = Higher priority.

If a user is NOT assigned a PSO, the Default Domain Policy will apply.


2️⃣ Configuration

CONFIGURING FGPP USING GUI (RECOMMENDED)


Step 1 – Open Active Directory Administrative Center (ADAC)

On the Domain Controller:

Start → Administrative Tools → Active Directory Administrative Center

In ADAC:

Domain (tsf.local)

→ System
→ Password Settings Container

📌 All FGPP configurations are stored here, NOT in OU.


Step 2 – Create FGPP for IT Admin

🔹 Right-click → New → Password Settings

🔹 Configure as follows:

Name: PSO-IT-Admin
Precedence: 1 (highest priority)

Password Settings

  • Minimum password length: 14

  • Password must meet complexity: ✅

  • Maximum password age: 90 days

  • Enforce password history: 24

  • Minimum password age: 1 day

Lockout Settings

  • Account lockout threshold: 5

  • Lockout duration: 30 minutes

  • Reset lockout counter: 30 minutes


Apply Policy to IT Admin Group

In the Directly Applies To section:

  • Add → Select Security Group (e.g., IT-Admins / Domain Admins / IT Helpdesk)

📌 Best practice: Assign FGPP to GROUP, not directly to user.

👉 Click OK.


Step 3 – Create FGPP for Service Account

Repeat the process:

Name: PSO-Service-Account
Precedence: 2

Password Settings

  • Minimum password length: 20

  • Password complexity: ✅

  • Maximum password age: 0 (Password never expires)

  • Enforce password history: 0

Lockout Settings

  • Account lockout threshold: 0 (no lock)

Directly Applies To

  • Group: Service-Accounts

👉 Click OK.


Step 4 – Verify FGPP Applied to User (Very Important)

Select any user → Right-click → Properties

👉 Open the Password Settings tab.

You should see:

Resultant Password Settings:
PSO-IT-Admin

➡️ If the correct PSO appears → Configuration is successful.


Or Verify Using PowerShell

 
 
Get-ADUserResultantPasswordPolicy user
 

Example:

 
 
Get-ADUserResultantPasswordPolicy snipe
 

If the correct PSO is returned, Fine-Grained Password policy is working properly.


Why Fine-Grained Password Is Essential in Enterprise

Modern IT environments require layered security.
Administrative accounts must follow stricter password requirements than regular users.
Service accounts often require non-expiring passwords to prevent service interruptions.

Without Fine-Grained Password:

  • Only one password policy per domain

  • Limited flexibility

  • Reduced security granularity

With Fine-Grained Password:

  • Role-based password enforcement

  • Higher security for privileged accounts

  • Controlled policies for service accounts

  • Better compliance with security standards

It allows administrators to apply differentiated security models without restructuring the domain.


✅ Conclusion

Fine-Grained Password in Windows Server 2025 enables multiple password policies within a single domain.

It allows you to:

  • Enforce stricter rules for administrators

  • Maintain simpler policies for regular users

  • Configure non-expiring passwords for service accounts

  • Control priority using Precedence

By properly configuring Fine-Grained Password Policy, you significantly increase domain security while maintaining operational flexibility.

For any production Active Directory environment, FGPP should be considered a core security configuration — not an optional enhancement.

See also related articles

P19 – Safely Demote Domain Controller: Critical FSMO Guide

P19 – Safely Demote Domain Controller: Critical FSMO Guide https://youtu.be/vLgyzgmxzPI WinServer 2025 – P19 Demote Domain Controller Holding All FSMO Roles Demoting Domain Controller holding all FSMO roles is a critical operation in any Active Directory infrastructure. If done incorrectly, it can break authentication, replication, and domain services across the...

Read More

P18 – Critical Fix Guide Delete ADC Died Server 2025

P18 – Critical Fix Guide Delete ADC Died Server 2025 https://youtu.be/82fvirmHZ2k WinServer2025 – P18 Critical Fix Remove Dead ADC from Active Directory (Server 2025) When an Additional Domain Controller (ADC) fails permanently, leaving it inside Active Directory can cause serious long-term issues. Replication errors, DNS conflicts, GC problems, and even...

Read More

P17 – Critical Guide Delete PDC Died in Server 2025

P17 – Critical Guide Delete PDC Died in Server 2025 https://youtu.be/ipF1EziL_C8 WinServer2025 – P17 How to Remove a Failed Domain Controller in Windows Server 2025 When a Primary Domain Controller (PDC) fails permanently and cannot be brought back online, simply shutting it down is not enough. The failed controller still...

Read More
💬 TSF Chat Box
Customer Services
Chăm sóc khách hàng