P14 - Master Fine-Grained Password in Server 2025
WinServer2025 – P14 How to Configure Fine-Grained Password Policy
In traditional Active Directory environments, password policy management is limited to a single Default Domain Policy.
This means every user in the domain follows the same password rules — regardless of their role or security level.
With Fine-Grained Password policy (FGPP), administrators can define multiple password policies within the same domain, applying different security standards to different groups.
This guide explains how to configure Fine-Grained Password Policy in Windows Server 2025 using GUI, following best practices.
1️⃣ Definition
🔐 What Is Fine-Grained Password Policy (FGPP)?
FGPP allows you to set MULTIPLE different password policies within the SAME DOMAIN.
By default:
Default Domain Policy → Only one policy applies to all users.
Fine-Grained Password Policy allows administrators to define separate password requirements for different user groups instead of being restricted to a single domain-wide policy.
Why FGPP Exists
In real-world environments, not all accounts require the same security level.
Example policy objects:
Domain Admin → 15–20 characters, complex
IT/Server Admin → 14–16 characters
Regular User → 8–10 characters
Service Account → Password never expires
👉 Much more flexible and secure.
Practical Example (Very Easy to Understand)
🎯 Requirements:
Regular User → Minimum 8 characters
IT Admin → Minimum 14 characters
Service Account → Password does not expire (e.g., snipe, glpi, ldap user)
Implementation Approach
Default Domain Policy:
Minimum length = 8
FGPP:
PSO-IT-Admin → Minimum 14
PSO-Service → Password never expires
➡️ Within the same domain, each group follows its own password policy.
FGPP Priority Order (Common Confusion)
If a user is linked to multiple PSOs:
👉 The PSO with the lower “Precedence” value takes priority.
Example:
PSO-Admin → Precedence = 1
PSO-User → Precedence = 10
➡️ If a user belongs to both groups → PSO-Admin applies.
📌 Smaller number = Higher priority.
If a user is NOT assigned a PSO, the Default Domain Policy will apply.
2️⃣ Configuration
CONFIGURING FGPP USING GUI (RECOMMENDED)
Step 1 – Open Active Directory Administrative Center (ADAC)
On the Domain Controller:
Start → Administrative Tools → Active Directory Administrative Center
In ADAC:
Domain (tsf.local)
→ System
→ Password Settings Container
📌 All FGPP configurations are stored here, NOT in OU.
Step 2 – Create FGPP for IT Admin
🔹 Right-click → New → Password Settings
🔹 Configure as follows:
Name: PSO-IT-Admin
Precedence: 1 (highest priority)
Password Settings
Minimum password length: 14
Password must meet complexity: ✅
Maximum password age: 90 days
Enforce password history: 24
Minimum password age: 1 day
Lockout Settings
Account lockout threshold: 5
Lockout duration: 30 minutes
Reset lockout counter: 30 minutes
Apply Policy to IT Admin Group
In the Directly Applies To section:
Add → Select Security Group (e.g., IT-Admins / Domain Admins / IT Helpdesk)
📌 Best practice: Assign FGPP to GROUP, not directly to user.
👉 Click OK.
Step 3 – Create FGPP for Service Account
Repeat the process:
Name: PSO-Service-Account
Precedence: 2
Password Settings
Minimum password length: 20
Password complexity: ✅
Maximum password age: 0 (Password never expires)
Enforce password history: 0
Lockout Settings
Account lockout threshold: 0 (no lock)
Directly Applies To
Group: Service-Accounts
👉 Click OK.
Step 4 – Verify FGPP Applied to User (Very Important)
Select any user → Right-click → Properties
👉 Open the Password Settings tab.
You should see:
Resultant Password Settings:
PSO-IT-Admin
➡️ If the correct PSO appears → Configuration is successful.
Or Verify Using PowerShell
Example:
If the correct PSO is returned, Fine-Grained Password policy is working properly.
Why Fine-Grained Password Is Essential in Enterprise
Modern IT environments require layered security.
Administrative accounts must follow stricter password requirements than regular users.
Service accounts often require non-expiring passwords to prevent service interruptions.
Without Fine-Grained Password:
Only one password policy per domain
Limited flexibility
Reduced security granularity
With Fine-Grained Password:
Role-based password enforcement
Higher security for privileged accounts
Controlled policies for service accounts
Better compliance with security standards
It allows administrators to apply differentiated security models without restructuring the domain.
✅ Conclusion
Fine-Grained Password in Windows Server 2025 enables multiple password policies within a single domain.
It allows you to:
Enforce stricter rules for administrators
Maintain simpler policies for regular users
Configure non-expiring passwords for service accounts
Control priority using Precedence
By properly configuring Fine-Grained Password Policy, you significantly increase domain security while maintaining operational flexibility.
For any production Active Directory environment, FGPP should be considered a core security configuration — not an optional enhancement.
See also related articles
P19 – Safely Demote Domain Controller: Critical FSMO Guide
P19 – Safely Demote Domain Controller: Critical FSMO Guide https://youtu.be/vLgyzgmxzPI WinServer 2025 – P19 Demote Domain Controller Holding All FSMO Roles Demoting Domain Controller holding all FSMO roles is a critical operation in any Active Directory infrastructure. If done incorrectly, it can break authentication, replication, and domain services across the...
Read MoreP18 – Critical Fix Guide Delete ADC Died Server 2025
P18 – Critical Fix Guide Delete ADC Died Server 2025 https://youtu.be/82fvirmHZ2k WinServer2025 – P18 Critical Fix Remove Dead ADC from Active Directory (Server 2025) When an Additional Domain Controller (ADC) fails permanently, leaving it inside Active Directory can cause serious long-term issues. Replication errors, DNS conflicts, GC problems, and even...
Read MoreP17 – Critical Guide Delete PDC Died in Server 2025
P17 – Critical Guide Delete PDC Died in Server 2025 https://youtu.be/ipF1EziL_C8 WinServer2025 – P17 How to Remove a Failed Domain Controller in Windows Server 2025 When a Primary Domain Controller (PDC) fails permanently and cannot be brought back online, simply shutting it down is not enough. The failed controller still...
Read More

