Set Up Fine-Grained Password Policies in Active Directory

On Day 16 of Cybersecurity Awareness Month, learn how to set up fine-grained password policy for users and groups in your Active Directory environment to strengthen security and protect critical accounts. Stay tuned for more blogs in the Cybersecurity blog series.

Managing passwords is not just about enforcing complexity—it’s about precision and control. Traditional policies treat all users the same and put high-privileged accounts at risk. ⚠️ For example, an admin using a short or reused password under the same rules as regular users becomes an easy target and threatens critical systems and sensitive data.

“A strong password is the first line of defense in a digital world.”

That is why organizations need targeted, role-specific password complexity rules to ensure users create strong and secure passwords. Administrators can enforce these by configuring Fine-Grained Password Policies (FGPP) for specific users and groups. Before diving into how FGPP works, it’s important to understand why such granular control is critical in Active Directory environments.

Weak passwords can be easily guessed or cracked using brute-force or dictionary attacks, which gives attackers unauthorized access to user accounts and sensitive data. If this happens, attackers can escalate privileges, move laterally across the network, and potentially take control of critical systems.

To mitigate these risks, administrators need more granular control over password policies, which is exactly what FGPP provides. Fine-Grained Password Policies help enforce strong, complex passwords and apply appropriate password policies.

Default domain password policies enforce the same complexity rules for every user. However, not all accounts carry the same level of risk. For instance, a domain administrator account requires stronger protection than a standard user account.

Fine-Grained Password Policies solves this problem by letting administrators set different password rules. They can create stronger rules for high-privileged accounts while keeping passwords easy to manage for regular users.

Understanding how FGPPs differ from default domain policies helps highlight their advantages and shows why they are necessary.

Default domain password policies are configured through Group Policy Objects (GPOs) in the Default Domain Policy. These apply broadly across the domain and indirectly affect users via the computers they log in to locally.

Here are the key differences between fine-grained password policies and default domain password policies:

• Scope- GPO applies to users indirectly through computers, whereas FGPPs apply directly to specific users and groups.
• Precedence- FGPPs can override default domain password policies, which allows stricter enforcement for targeted accounts.
• Flexibility– FGPPs enable different password policies for different roles, offering a more tailored approach.

Now that the importance and benefits of Fine-Grained Password Policies are clear, let’s go ahead and set them up in your environment. There are two ways to configure them.

• Create fine-grained password policies in ADAC
• How to create fine-grained password policy using PowerShell

You can configure FGPPs in the Active Directory Administrative Center (ADAC) by creating ‘Password Settings’ within the Password Settings Container to define targeted password rules for specific users and groups.

Use the following steps to create stronger and role-specific password rules for users in Active Directory.

1. Open the Active Directory Administrative Center (ADAC). Click on your domain and navigate to System → Password Settings Container.
2. In the upper right corner, choose New → Password Settings.
   
3. Configure the password parameters such as complexity, lockout threshold, password length, and history count.
4. Assign the policy to specific users or groups from ‘Directly Applies To‘ section.
5. Finally, click Ok to create the policy.

Once the password policy is created, administrators can easily modify or remove existing fine-grained password policies as organizational needs.

PowerShell offers a fast and efficient way to create a fine-grained password policy. This approach lets you complete the task easily without navigating through multiple menus and clicks.
You can use cmdlets like New-ADFineGrainedPasswordPolicy, Add-ADFineGrainedPasswordPolicySubject, and Get-ADUserResultantPasswordPolicy to create, assign, and verify password policies.

Open PowerShell as administrator and run the cmdlet below to create a fine-grained password policy.

Here, a password policy name “Policy for Trainee” is created with specific rules for password length, complexity, and account lockout settings.

After creating a policy, assign the policy to groups or users by using the following cmdlet.

Here the user with logon name “Billa” and the security group “Trainee25” is assigned to the policy named “Policy for Trainee”

When a user falls under more than one policy, the one with the lowest precedence number takes effect. If two policies share the same precedence, the policy with the lower GUID is applied.

Check Which Fine-Grained Password Policies Applied to a User

A user might be affected by multiple fine-grained password policies (FGPPs) through different group memberships. To find out which policies are applied to the user, use the following PowerShell cmdlet.

Replace the with respective username of the user in the cmdlet.

Regularly reviewing your FGPPs helps ensure they’re correctly configured and aligned with your organization’s security standards. You can use the following cmdlet to list all password policies in your environment.

We hope this blog helps you understand how to configure and manage fine-grained password policies in Active Directory. Tailoring these policies to your organization’s security needs strengthens passwords, improves compliance, and enhances overall account protection. Stay tuned for more practical tips to keep your organization safe from evolving threats.