Fine-Grained Password Policy Best Practices - Lepide

Lepide AI is here! Check out what's new in version 26.1 of Lepide Data Security Platform Released 26 Feb 2026 ✕ Toggle navigation ✕

• Download Free Trial

• Solutions
  • • • By platform
      • Active Directory
      • Windows File Server
      • Microsoft 365
      • Microsoft 365 Copilot
      • Entra ID
      • Exchange
      • SharePoint
      • SQL Server
      • Nutanix
      • Nasuni
      • Dell EMC
      • See all platforms →
      • By use case
      • Auditing and Reporting
      • Risk Assessment
      • Generative AI Security
      • Data Protection
      • Data Access Governance
      • Compliance Management
      • Cloud Data Security
      • IT Operations
      • See all Use Cases →
      • By industries
      • Educational
      • Finance
      • Healthcare
      • Government
      • Other
• Platform
  • • • The Lepide Data Security Platform Award-winning platform to audit and protect files and folders and the systems that govern access to them.
      • Platform overview →
      • Capabilities
      • Lepide AI AI-powered security analytics
      • Lepide Auditor Auditing and reporting
      • Lepide Trust Permissions analysis
      • Lepide Detect Real time alerts and response
      • Lepide Identify Data classification
      • Lepide Protect Permissions management
      • Evaluate Lepide
      • Case studies
      • Datasheets
      • Product documentation
      • Start free trial
      • Launch in-browser demo
      • Request a demo
      • Request a quote
      • ROI calculator
• Free tools
  • • • Account Lockout ExaminerIdentify and troubleshoot account lockout issues in real time.
      • Inactive Users ReportList the currently inactive users in your Active Directory with audit information.
      • Admin Users ReportList the admin users in your Active Directory and see how they are getting access.
      • User Status ReportGet a breakdown of how many AD users you have and their status.
      • Change ReporterMonitor and report on changes to Active Directory, Group Policy and Exchange Server.
      • AD Risk AssessmentDetailed self-assessment of your current risk profile with expert recommendations.
      • Open Shares ReportList all open shares on your file servers to see if sensitive data is open to all users.
• Resources
  • • • Webinars
      • Blog
      • Whitepapers
      • How-to Guides
      • Policy Templates
      • eBooks
      • CISO Talks Podcast
      • Cyber Learning
• Why Lepide
  • About us
  • Meet the team
  • Customer stories
  • News
  • ROI calculator

• Blog
• General Cybersecurity
• How to Create Fine-Grained Password Policy & Best Practices

In This Article What are Active Directory Account Policies What is Fine-Grained Password Policy How to Configure Fine-Grained Password Policy Limitations of Fine-Grained Password Policy Fine-Grained Password Policy Implementation Best Practices Lack of Visibility Over Password Resets & Lockouts How to Create Fine-Grained Password Policy & Best Practices Philip Robinson | Updated On - January 17, 2025

Password and account lockout policies in Active Directory needn’t be all or nothing. In this article, I’ll explain how to set password and account lockout policies for specific groups of users and some best practices you should follow in the process.

What are Active Directory Account Policies

Active Directory (AD) domains are configured by default with password and account lockout policies that apply to all user accounts in the domain. Each domain has a Group Policy Object (GPO) called Default Domain Policy where you can set passwords, account lockout, and Kerberos policies under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies. Account policies are the only settings that you should modify in the Default Domain Policy GPO.

Figure1

Password policies include the ability to enforce password history, set a minimum and maximum password age, password length, and more. Account lockout policies define the account lockout duration and the account lockout threshold, i.e. how many failed login attempts are allowed before accounts are locked out.

What is Fine-Grained Password Policy

AD supports one set of password and account lockout policies for a domain. Before Windows Server 2008, if you wanted to apply different password and account lockout policies to users, you had to set up a separate domain for them. For example, it’s common that organizations to prefer to apply stricter password policies to accounts that have privileged access to AD because they are more likely to be targeted due to the high level of access they have. But strict password and account lockout policies that might be applied to privileged domain accounts are impractical for standard employees because they create too much inconvenience.

Beginning in Windows Server 2008, you can override the default password and account lockout policies in a domain using Fine-Grained Password Policies (FGPP). To use Fine-Grained Password Policies, your domain must be at the Windows Server 2008 domain-functional level or higher. Don’t forget that raising the domain functional level is a one-way process.

How to Configure Fine-Grained Password Policy

Unlike the default password and account lockout domain policies, Fine-Grained Password Policies are set in password settings objects (PSO) in AD and not using Group Policy. There are two main ways you can configure PSOs:

1. Using the Active Directory Administrative Center (ADAC)
2. Using PowerShell

You must be a domain admin or have permissions delegated to you before you can create or change PSOs.

1. Using the Active Directory Administrative Center

• • Install Remote Server Administrator Tools (RSAT). This will be needed if you use the ADAC console or PowerShell.
  • Open the Active Directory Administrative Center

• Create a Policy

Follow these steps to create a new policy.

1. 1. In ADAC click on your domain

1. 1. Click on the System folder

1. 1. Double click the System Folder

1. 1. Click on the password settings container then from the right-hand side of the screen, choose New, Password Settings
   2. You should now be at the Create Password Settings screen
      • • Here you can configure the policy settings and apply it to a user or group. The same password policy settings are available as in the default domain policy.
        • In this example, we could set a stronger password for the administrators.
        • Here the password policy name is ‘Admin Password Policy’ and the precedence set as 1.
        • The minimum password length has been set to 15 and the account lockout policy options have been set.

      

   3. Click on Add to apply it to a user or group. The Select Users or Groups dialog box is displayed

1. 1. In this example, it has been applied to the Admin Group
   2. Click OK. The new policy is shown at the bottom of the dialog box.

1. Click OK

2. Using PowerShell

Use the New-ADFineGrainedPasswordPolicy PowerShell cmdlet to create a new PSO.

New-ADFineGrainedPasswordPolicy -Name administrators1 -DisplayName lepide_admins -Precedence 100 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -PasswordHistoryCount 10 -MinPasswordLength 8 -MinPasswordAge 3.00:00:00 -MaxPasswordAge 30.00:00:00 -LockoutThreshold 3 -LockoutObservationWindow 0.00:25:00 -LockoutDuration 0.00:30:00

And then apply the new PSO using Add-ADFineGrainedPasswordPolicySubject:

Add-ADFineGrainedPasswordPolicySubject -Identity lepide_admins -Subjects ‘Secure Admins’

Limitations of Fine-Grained Password Policy

The steps described above explain how to create a FGPP in Active Directory, but it’s important to also understand the limitations which include:

• ­You cannot create custom dictionary lists which then restrict options to block certain words and phrases applicable to your organization.
• ­FGPP lacks the ability to find and remove compromised passwords already in use, or to block passwords being used in current attacks taking place in real time.
• ­FGPPs are not applicable to Organizational Units.
• ­Managing multiple FGPPs can be a challenging task due to the complications involved in keeping track of the assigned policies.
• ­The limited password and account lockout settings mean that FGPPs cannot meet password compliance regulations such as the NIST password standards.
• ­FGPPs cannot prevent sophisticated, modern password attacks like dictionary and brute-force attacks.

Fine-Grained Password Policy Implementation Best Practices

When implementing Fine-Grained Password Policies in your organization, there are several things to think about before creating and applying Fine-Grained Password Policies.

1. Each PSO must have a precedence index number. PSOs with a higher precedence index, like 1, take priority over those with a lower precedence index, like 10.
2. PSOs can be applied to users and groups. When possible, apply PSOs to groups.
3. Understand PSO precedence. While PSOs can be applied to multiple users and groups, only one PSO ever applies to a user account. The PSO with the highest precedence index, i.e. closest to 1, will apply. The msDS-ResultantPSO attribute in AD exposes the resultant PSO for a user object if you want to check it. PSOs linked to user accounts always take precedence over those linked to groups.
4. Make sure that all PSOs have a unique precedence index number. If two PSOs have the same precedence index number, the PSO with the lowest GUID is applied.
5. If you want to apply a PSO to all the users in an Organizational Unit (OU), you will need to create a group that contains all the members of the OU and applies the PSO to the group. If the users in the OU change, you must update the group membership.
6. Use password and account lockout policy settings in the Default Domain Policy GPO for most users and create PSOs for smaller specific groups of users.
7. Give PSOs meaningful names.

Lack of Visibility Over Password Resets & Lockouts

If you’re struggling to get visibility over password resets and the cause of account lockouts, it might be indicative of a wider problem with Active Directory visibility. You may need to consider deploying an Active Directory auditing solution like Lepide Active Directory Auditor to ensure you are continuously and proactively tracking changes to your AD. This will help you get to grips with whether your Active Directory is secure and compliant.

• Active Directory
• Password Security
Philip Robinson

Phil joined Lepide in 2016 after spending most of his career in B2B marketing roles for global organizations. Over the years, Phil has strived to create a brand that is consistent, fun and in keeping with what it’s like to do business with Lepide. Phil leads a large team of marketing professionals that share a common goal; to make Lepide a dominant force in the industry.

Say goodbye to complexity, and make effective unstructured data security a reality. Launch in-browser demo Popular Blog Posts
• Group Policy Examples and Settings for Effective Administration Active Directory
• Network Devices: Common Types and Their Functions General Cybersecurity
• 15 Most Common Types of Cyber Attack and How to Prevent Them General Cybersecurity