Pricing  Get Quote
 

Fine-grained password policy (FGPP)

Active Directory comes bundled with a default password policy that defines configurable rules for user account password creation. The rules include minimum and maximum password age, length, complexity, history, and encryption settings. This traditional password policy, however, cannot be customized for a specific set of users, groups, or OUs because it is only applicable to the entire domain to which it is linked. To overcome this significant drawback, Active Directory offers the fine-grained password policy (FGPP) feature (in Windows Server 2008 and later versions) that allows password policies to be tailored to different users and groups within the domain.

The scope and functionality of an FGPP

  • To use an FGPP, the domain must operate at a functional level of Windows Server 2008 and above.
  • FGPPs work by creating multiple Password Settings Objects (PSOs) inside the domain. Password and account lockout policies can be customized in each PSO.
  • Domain admins or users with delegated permissions can create and assign PSOs in the Active Directory Administrative Center or using PowerShell. For detailed steps, visit this webpage.
  • FGPP PSOs are applicable only to user objects and global security groups.
  • When an FGPP is applied to a set of users or global security groups in a domain, the default domain password policy is no longer applicable to those objects.
  • FGPPs can be used in cases where user accounts accessing sensitive data or synchronized with multiple confidential data sources require stricter password and account lockout policies.

Drawbacks of FGPPs

  • FGPPs do not do justice to the term "fine-grained" since they are not applicable to OUs.
  • They are not deployed using Group Policy Objects and take effect for users only based on their group memberships.
  • Applying and managing multiple FGPPs can be a challenging task due to the complications involved in keeping track of the assigned policies.
  • Because of their limited password and account lockout settings, FGPPs cannot meet password compliance regulations such as the NIST password standards.
  • FGPPs cannot prevent sophisticated, modern password attacks like dictionary and brute-force attacks.

How ADSelfService Plus fortifies passwords to secure identities

ADSelfService Plus offers the Password Policy Enforcer feature to help employees in your organization set NIST-compliant, sophisticated passwords that are almost impossible to crack. With ADSelfService Plus, you can enforce custom password policies that seamlessly integrate with the built-in Active Directory password policies, providing more granular control than the latter. These custom password policies provide numerous intricate password settings, including restrictions on custom dictionary words, palindromes, and character repetitions.

  • Restrict characters: These password policy settings include mandating the number of special, numeric, and Unicode characters. You can also set the type of character with which the password must begin.

    Fine-grained password policy (FGPP)

  • Restrict repetition: These settings restrict the use of consecutive characters from usernames or previous passwords. Consecutive repetition of the same character can also be restricted.

    Fine-grained password policy (FGPP)

  • Restrict pattern: The settings under this tab restrict custom dictionary words, patterns, and palindromes that might be commonly used.

    Fine-grained password policy (FGPP)

  • Restrict length: These rules let you set both a minimum and maximum number of characters for the password.

    Fine-grained password policy (FGPP)

Still wondering if your organization should try ADSelfService Plus? Here is why you should not hesitate:

ADSelfService Plus' Password Policy Enforcer gives you the following benefits:

  • Helps users pick strong passwords
  • Encourages passphrases
  • Implements granular password policies
  • Analyzes password strength
  • Enforces policies universally
  • Meets compliance regulations
  • Enhances the user experience

Reinforce your business's cyberdefense with ADSelfService Plus, an integrated self-service password management, multi‑factor authentication, and single sign-on solution that helps your employees adopt best practices for passwords.

Enforce password security best practices with ADSelfService Plus

  Download a free trial now!  Request demo

Request for Support

Need further assistance? Fill this form, and we'll contact you rightaway.

  • Name
  •  
  • Business Email *
  •  
  • Phone *
  •  
  • Problem Description *
  •  
  • Country
  •  
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.
Highlights of ADSelfService Plus

Password self-service

Allow Active Directory users to self-service their password resets and account unlock tasks, freeing them from lengthy help desk calls.

One identity with single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Active Directory credentials.

Password and account expiry notification

Intimate Active Directory users of their impending password and account expiry via email and SMS notifications.

Password synchronization

Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.

Password policy enforcer

Strong passwords resist various hacking threats. Enforce Active Directory users to adhere to compliant passwords by displaying password complexity requirements.

Directory self-update and corporate directory search

Enable Active Directory users to update their latest information themselves. Quick search features help admins scout for information using search keys like contact numbers.

ADSelfService Plus trusted by

Embark on a journey towards identity security and Zero Trust
 
Back to Top