Fine-grained password policy (FGPP)

Active Directory comes bundled with a default password policy that defines configurable rules for user account password creation. The rules include minimum and maximum password age, length, complexity, history, and encryption settings. This traditional password policy, however, cannot be customized for a specific set of users, groups, or OUs because it is only applicable to the entire domain to which it is linked. To overcome this significant drawback, Active Directory offers the fine-grained password policy (FGPP) feature (in Windows Server 2008 and later versions) that allows password policies to be tailored to different users and groups within the domain.

The scope and functionality of an FGPP

• To use an FGPP, the domain must operate at a functional level of Windows Server 2008 and above.
• FGPPs work by creating multiple Password Settings Objects (PSOs) inside the domain. Password and account lockout policies can be customized in each PSO.
• Domain admins or users with delegated permissions can create and assign PSOs in the Active Directory Administrative Center or using PowerShell. For detailed steps, visit this webpage.
• FGPP PSOs are applicable only to user objects and global security groups.
• When an FGPP is applied to a set of users or global security groups in a domain, the default domain password policy is no longer applicable to those objects.
• FGPPs can be used in cases where user accounts accessing sensitive data or synchronized with multiple confidential data sources require stricter password and account lockout policies.

Drawbacks of FGPPs

• FGPPs do not do justice to the term "fine-grained" since they are not applicable to OUs.
• They are not deployed using Group Policy Objects and take effect for users only based on their group memberships.
• Applying and managing multiple FGPPs can be a challenging task due to the complications involved in keeping track of the assigned policies.
• Because of their limited password and account lockout settings, FGPPs cannot meet password compliance regulations such as the NIST password standards.
• FGPPs cannot prevent sophisticated, modern password attacks like dictionary and brute-force attacks.

How ADSelfService Plus fortifies passwords to secure identities

ADSelfService Plus offers the Password Policy Enforcer feature to help employees in your organization set NIST-compliant, sophisticated passwords that are almost impossible to crack. With ADSelfService Plus, you can enforce custom password policies that seamlessly integrate with the built-in Active Directory password policies, providing more granular control than the latter. These custom password policies provide numerous intricate password settings, including restrictions on custom dictionary words, palindromes, and character repetitions.

• Restrict characters: These password policy settings include mandating the number of special, numeric, and Unicode characters. You can also set the type of character with which the password must begin.

  

• Restrict repetition: These settings restrict the use of consecutive characters from usernames or previous passwords. Consecutive repetition of the same character can also be restricted.

  

• Restrict pattern: The settings under this tab restrict custom dictionary words, patterns, and palindromes that might be commonly used.

  

• Restrict length: These rules let you set both a minimum and maximum number of characters for the password.

  

Still wondering if your organization should try ADSelfService Plus? Here is why you should not hesitate:

ADSelfService Plus' Password Policy Enforcer gives you the following benefits:

• Helps users pick strong passwords
• Encourages passphrases
• Implements granular password policies
• Analyzes password strength
• Enforces policies universally
• Meets compliance regulations
• Enhances the user experience

Reinforce your business's cyberdefense with ADSelfService Plus, an integrated self-service password management, multi‑factor authentication, and single sign-on solution that helps your employees adopt best practices for passwords.