Fine-grained password policies (FGPP) were introduced back in Server 2008, and the process for creating them, whilst not massively difficult, wasn’t particularly intuitive. Microsoft have improved this a lot with Server 2012: custom password policies are now easier to create, assign and monitor.

How to Create a Password Setting

Open Active Directory Administrative Center, expand System, find the Password Settings Container, then select New and Password Settings.

These settings should all be familiar to you if you’ve ever set a domain password policy with Group Policy before. If not, please refer to this TechNet page for more detail about each of the settings.

In this example I’ve disabled the account lockout policy, and added the Sales security group.

To add users or groups, select Add and find the object in Active Directory.

View members of a password setting, or check if a user has a password setting applied

There are two easy checks: one shows which users or groups are assigned to a custom password setting, the other shows whether a particular user has a password setting applied.

To find which users/groups are members of a custom password setting, simply find the policy in the Password Settings Container and double-click it. Look at the “Directly applies to” box to view the members (see the 2nd screenshot above for an example).

To see if a particular user has a custom policy against it, simply right-click the user within the Active Directory Administrative Center and select View resultant password settings. If there is a password setting against the user, it will open the policy to expose the current settings.

If a user does not have a custom password policy, it will show you a message stating “User does not have resultant fine grained password settings. Please check the user’s domain password settings.”

Much easier, I’m sure you’ll agree.
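
The same create, assign and check steps can also be scripted with the ActiveDirectory PowerShell module, which helps when auditing which policy actually applies to an account. This is an added example, not part of the original post: the policy name `SalesPSO`, the precedence and password values, and the user `jsmith` are assumptions; `Sales` is the group used above, and lockout is disabled as in the example.

```powershell
# Added example. SalesPSO, jsmith and the numeric values are assumptions.
Import-Module ActiveDirectory

$psoName = 'SalesPSO'   # hypothetical password setting name
$group   = 'Sales'      # security group used in the post
$user    = 'jsmith'     # hypothetical user to check

# Create the password setting only if it does not already exist.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 12 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 0 `
        -ProtectedFromAccidentalDeletion $true `
        -PassThru
    # LockoutThreshold 0 means the account lockout policy is disabled.
}

# "Directly applies to": add the group if it is not already a subject.
$subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $psoName)
if ($subjects.SamAccountName -notcontains $group) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group
}
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Select-Object Name, ObjectClass

# "View resultant password settings" for a single user.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if ($resultant) {
    $resultant |
        Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
} else {
    # Nothing returned: no fine-grained setting applies to this user,
    # so the domain password policy is what is enforced.
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, LockoutThreshold, MaxPasswordAge
}
```

Password settings apply to user objects and global security groups, not to OUs. When more than one setting reaches a user through group membership, the one with the lowest precedence value wins, and a setting linked directly to the user overrides any that arrive through groups.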