Step-by-Step Guide to Fine-Grained Passwords in Windows Server 2008

I find it’s best to work with an example to demonstrate a solution, so in this case we will assume that you have a number of users who are Special Administrators and require a stronger password group policy than the standard user.  We will refer to these users as SpecialAdmins

In the following steps, we will configure a fine-grained password policy in Windows Server 2008 with the following settings:

Policy Name Policy Setting
Enforce password history 24 passwords remembered
Maximum password age 30 days
Minimum password age 1 day
Minimum password length 12 characters
Passwords must meet complexity requirements Disabled
Account lockout duration 0
Account lockout threshold 3
Reset account lockout counter after 30 minutes

Table 1: Password Policy

Note: yourdomainname in the following steps should be replaced with the NETBIOS name of your domain.

  1. Logon to a Windows Server 2008 domain controller using an account that has membership in the Domain Admins group, or equivalent permissions.
  2. Go to Start, Administrative Tools, and then select Active Directory Users and ComputersActive Directory Users and Computers
  3. Expand, right-click on the Users container, select New, and then select Group.
  4. On the New Object – Group window, enter SpecialAdmins into the Group Name field, and then click OKNew Object - Group
  5. Close Active Directory Users and Computers
  6. Click Start, click RUN, type ADSIEDIT.MSC, and then click OK 


  7. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to
  8. In the Name field, enter, and then click OK
  9. Double-click in the console tree, double-click DC=yourdomainname,DC=com, double-click CN=System, and then click CN=Password Settings Container 

    CN=Password Settings Container

  10. Right-click CN=Password Settings Container in the console tree, click New, and then click ObjectPassword Settings Container - New Object
  11. In the Create Object dialog box, under Select a class, click msDC-PasswordSettings, and then click Next.Create Object - msDS-PasswordSettings
  12. In the Create Object dialog box, enter SpecialAdmins in the Value field, and then click Next.Create Object - msDS-PasswordSettings Value
  13. For the msDS-PasswordSettingsPrecedence value, enter 1, and then click NextmsDS-PasswordSettingsPrecedence
  14. For the msDS-PasswordReversibleEncryptionEnabled value, enter false, and then click NextmsDS-PasswordReversibleEncryptionEnabled
  15. For the msDS-PasswordHistoryLength value, enter 24, and then click NextmsDS-PasswordHistoryLength
  16. For the msDS-PasswordComplexityEnabled value, enter false, and then click NextmsDS-PasswordComplexityEnabled
  17. For the msDS-MinimumPasswordLength value, enter 12, and then click NextmsDS-MinimumPasswordLength
  18. For the msDS-MinimumPasswordAge, enter 1:00:00:00, and then click NextmsDS-MinimumPasswordAge
  19. For the msDS-MaximumPasswordAge, enter 30:00:00:00, and then click NextmsDS-MaximumPasswordAge
  20. For the msDS-LockoutThreshold, enter 3, and then click NextmsDS-LockoutThreshold
  21. For the msDS-LockoutObservationWindow, enter 0:00:30:00, and then click NextmsDS-LockoutObservationWindow
  22. For the msDS-LockoutDuration, enter (never), and then click Next, then click FinishmsDS-LockoutDuration
  23. Right-click on CN=SpecialAdmins in the console tree, and then select PropertiesmsDS-PasswordSettings Properties
  24. On the CN=SpecialAdmins Properties window, select the msDS-PSOAppliesTo attribute, and then click the Edit buttonmsDS-PSOAppliesTo
  25. On the Multi-valued Distinguished Name With Security Principal Editor window, click on the Add Windows Account buttonMulti-valued Distinguished Name With Security Principal Editor
  26. On the Select Users, Computers, or Groups window, enter SpecialAdmins in the Enter the object names to select field, and then click OKSelect Users, Computers, or Groups
  27. Click OK on the Multi-valued Distinguished Name With Security Principal Editor window
  28. Click OK on the CN=SpecialAdmins Properties windowmsDS-PSOAppliesToSetting

For More Reference:-


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s