question

1 Vote
FedericoCoppola-2569 asked

Fine-Grained Password Policy is not working properly

Hi all,
I created and configured a domain password policy using a Fine-Grained Password Policy.
I created a Security Group to apply this password policy to a few users of Active Directory.

My issue is that users that are NOT inside the Security Group are asked for the minimum requirements of the password policy.

55619-image.png



Here you can see settings:
55723-image.png
55761-image.png

The name of Security Group is "Password Policy".

How can I do it?
I would like users that are not members of this group to be free to set a "weak password".

Thanks in advance
Best regards
Federico

windows-server, windows-active-directory, windows-server-security, windows-server-2012

1 Vote
Thameur-BOURBITA answered

Hi,

You can use the PowerShell command Get-ADUserResultantPasswordPolicy to check if there is a password policy already applied to this user:

Get-ADUserResultantPasswordPolicy


If you want to enable weak passwords for this user, you can create another password policy with the following settings:

  • complexity disabled

  • Minimum password length => 0

  • PasswordHistoryCount => 0

New-ADFineGrainedPasswordPolicy





Please don't forget to mark helpful reply as answer




1 Vote
FanFan-MSFT answered

Hi,

Fine-grained password policies apply only to global security groups and user objects.
Will the FGPP work if you assign the policy to user objects directly?
https://docs.microsoft.com/en-us/archive/blogs/canitpro/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad

Best Regards,


0 Votes
FedericoCoppola-2569 answered

Hi,
Thanks for your reply.

My FGPP works properly with AD Users inside "PasswordPolicy" Security Group.

I noticed that now I cannot create a new user that is not inside the "PasswordPolicy" group with a weak password. Is this normal?

@Thameur-BOURBITA
I have created a new test user inside Active Directory and I had to set a complex password, and it is not a member of the "PasswordPolicy" group.

56391-image.png

My goal is:

1) Users inside the "PasswordPolicy" group --> they must set a strong password
2) Users who are not members of the "PasswordPolicy" group --> they can set a weak password. These accounts are not used for users or important accounts.

I hope that is clear
Thanks



0 Votes
FedericoCoppola-2569 answered

Hi,
I created a new policy inside FGPP configuration menu.
I applied this new policy to "Domain Users" group as @Thameur-BOURBITA said.

56373-image.png

In my case the main policy (strong password) has a priority value of 1, and this second policy has a priority value of 2.

I tested the new policy by creating a new account and it works fine.

56344-image.png

Thanks so much for your help
Federico



0 Votes
Thameur-BOURBITA answered

Hi,

I noticed that now I cannot create a new user that is not inside the "PasswordPolicy" group with a weak password. Is this normal?

Yes, it's normal, because the password policy defined in the default domain GPO will be applied by default to a new user until it is added to a group set on one of your FGPPs.
Regarding new users, you can modify the default domain GPO or create a new FGPP as you did.



Please don't forget to mark helpful reply as answer
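
Added example (not code posted by anyone in this thread): the two-policy setup the thread arrives at, followed by a check of which policy is actually effective for one account. The PSO name and the test account name are assumptions; the settings, the "Domain Users" subject and the precedence value 2 are the ones mentioned in the posts.

```powershell
# Added example; values marked "assumption" do not come from the thread.
Import-Module ActiveDirectory

$weakPsoName = 'Relaxed-DomainUsers'   # assumption: hypothetical PSO name
$testUser    = 'testuser'              # assumption: hypothetical sAMAccountName

# Second PSO with the settings suggested in the thread. It gets precedence 2:
# the lowest precedence value wins, so a user who is also in the group tied to
# the strong PSO (precedence 1) keeps the strong policy.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$weakPsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $weakPsoName -Precedence 2 `
        -ComplexityEnabled $false -MinPasswordLength 0 -PasswordHistoryCount 0
    Add-ADFineGrainedPasswordPolicySubject -Identity $weakPsoName -Subjects 'Domain Users'
}

# Every PSO in precedence order, with the users and groups it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        Precedence = $_.Precedence
        MinLength  = $_.MinPasswordLength
        Complexity = $_.ComplexityEnabled
        AppliesTo  = (Get-ADFineGrainedPasswordPolicySubject -Identity $_ |
                      Select-Object -ExpandProperty Name) -join ', '
    }
} | Format-Table -AutoSize

# Effective policy for one account. The cmdlet returns nothing when no PSO
# applies; in that case the default domain password policy is enforced.
$pso = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($pso) {
    "{0}: PSO '{1}' (precedence {2})" -f $testUser, $pso.Name, $pso.Precedence
} else {
    $d = Get-ADDefaultDomainPasswordPolicy
    "{0}: no PSO, domain policy applies (MinLength={1}, Complexity={2})" -f $testUser, $d.MinPasswordLength, $d.ComplexityEnabled
}
```

Running the listing after any group or policy change shows which accounts have fallen under the relaxed policy.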


0 Votes
FedericoCoppola-2569 answered

@Thameur-BOURBITA
Thanks, very clear!

Best regards
Federico
