Fine Grain Password Policies (FGPP)


Having played with FGPPs recently at TechEd, I figured that it would be good to publish the attributes that are required to create one and their value types.

The attributes required for creating a fine grain password policy.


This is just a number you can make up (make sure you leave some space in the numbering for future use).


This attribute is a boolean and defines whether the passwords of the accounts (to which the Password Settings Object applies) are stored using reversible encryption. The default and best practice is "FALSE".

This setting defines how many old passwords the user cannot reuse (to prevent the user from changing the password back and forth to the same one, or changing it multiple times until the old password can be reused).
The domain default is to disallow the last 24 passwords of that user.

This attribute is a boolean and defines whether the password needs to be complex (it contains characters from at least three of the following character sets: lowercase letters, capital letters, numbers, symbols, Unicode characters).
The domain default and best practice would be to turn it on (TRUE).

This attribute defines the minimum length of a password in characters. The domain default would be 7 characters long.

Defining the minimum age for Passwords.  This is a negative number which you can compile/decompile using the scripts at as a guideline.
(domain default: 1 day = -864000000000)

Defining the maximum age for Passwords.
This is a negative number.
(domain default: 42 days = -36288000000000)

Defines after how many failed attempts at entering a password the user object will be locked.
(domain default: 0 = don't lockout accounts after invalid passwords)

After which time should the "bad password counter" be reset?
(domain default: 6 min = -18000000000)

How long should the account stay locked?
(domain default: 6 min = -18000000000)
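
The age and lockout values above are negative counts of 100-nanosecond intervals. The PowerShell below is an added example, not the scripts this post refers to: it converts such values in both directions and checks that a minimum password age is shorter than the maximum age. The function names are hypothetical.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# The age and lockout values are negative counts of 100-nanosecond intervals,
# which is also the size of one .NET TimeSpan tick.

function ConvertTo-PsoInterval {
    param([Parameter(Mandatory = $true)][TimeSpan]$Duration)
    if ($Duration -lt [TimeSpan]::Zero) {
        throw 'Duration must be zero or positive.'
    }
    return [long](0 - $Duration.Ticks)
}

function ConvertFrom-PsoInterval {
    param([Parameter(Mandatory = $true)][long]$Value)
    if ($Value -gt 0) {
        throw "Expected zero or a negative number, got $Value."
    }
    if ($Value -eq [long]::MinValue) {
        # Cannot be negated without overflow; this example treats it as "no limit".
        return [TimeSpan]::MaxValue
    }
    return [TimeSpan]::FromTicks(0 - $Value)
}

function Test-PsoPasswordAge {
    # Returns $true when the minimum age is shorter than the maximum age.
    param([long]$MinimumAge, [long]$MaximumAge)
    $min = ConvertFrom-PsoInterval -Value $MinimumAge
    $max = ConvertFrom-PsoInterval -Value $MaximumAge
    return ($min -lt $max)
}

# Values quoted in the post as domain defaults.
$minAge = -864000000000      # 1 day
$maxAge = -36288000000000    # 42 days

# Decode the stored values back into days.
ConvertFrom-PsoInterval -Value $minAge | Select-Object TotalDays
ConvertFrom-PsoInterval -Value $maxAge | Select-Object TotalDays

# Encode a duration into the stored form.
ConvertTo-PsoInterval -Duration ([TimeSpan]::FromDays(42))

# Sanity-check the pair before writing it to a policy.
Test-PsoPasswordAge -MinimumAge $minAge -MaximumAge $maxAge
```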

I hope you find this useful :)