Quick Start Guide for Fine Grain Password Policy Tool

By Christoffer Andersson

Quick Start Guide for Fine Grain Password Policy Tool 1.0

 

Authors:

Christoffer Andersson.
Microsoft MVP – Directory Services

 

Thanks to the following people for helping me develop the Fine Grain Password Policy Tool

Thanks to the entire TrueSec Team for all support during the development.

 

 

System Requirements

Fine Grain Password Policy Tool is “Supported” on the following platforms:

  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Vista
  • Windows 7 Beta and later
  • Windows Server 2003 Service Pack 1
  • Windows XP Service Pack 2

Prerequisites

 

Before installing this build, you must have:

Windows Server 2008 and Windows Vista or later

  • Windows Server 2008 Active Directory Domain
  • Windows PowerShell installed (for command-line and scripting support)

Windows Server 2003 and Windows XP

  • Microsoft .NET Framework 2.0
  • Microsoft Management Console 3.0
  • Windows Server 2008 Active Directory Domain
  • Windows PowerShell installed (for command-line and scripting support)

 

 

Note: The Fine Grain Password Policy Tool is only supported from a domain joined computer.

 


Setup

To complete the setup, you need the Fine Grain Password Policy installation media. Then:

  • Click setup.exe and follow the instructions.
  • Click Finish to complete the installation.

 

1.1 Fine Grain Password Policy Tool – Usage

 

Once you have installed the Fine Grain Password Policy Tool, you can start using either the MMC snap-in or, if you have PowerShell installed, the PowerShell cmdlet.

Note: Windows PowerShell can be installed or added at any time.

 

Note: By default, only Domain Admins and Enterprise Admins have rights to create or modify Password Policy Objects. Ensure you are logged in as a member of one of these groups or have been delegated the necessary permissions.

 

1.1.1 Using the Fine Grain Password Policy MMC Snap-in.

 

1. Start the Microsoft Management Console 3.0

 

2. Click File and Add/Remove Snap-in or Press Ctrl + M

 

3. Select the Fine Grain Password Policy Tool snap-in and click Add.

 

4. Click OK to add the Fine Grained Password Policy Tool snap-in to the console.

 

1.1.2 Create a New Password Policy using the MMC Snap-in.

 

1. Expand the Fine Grain Password Policy Tool node.

 

2. Click the New Policy Task in the Actions Pane.

 

3. Follow the instructions in the “New Password Policy” Wizard. Give the Password Policy a name and specify the other options according to your needs.

 

4. Click Finish to add the newly created policy. The policy should now appear in the list view.

 

1.1.4 Modify an Existing Password Policy using the MMC Snap-in.

 

1. Expand the Fine Grain Password Policy Tool node.

 

2. Right-click the policy you created in (1.1.2). Click Properties, click the Applies To tab and click the Add button. The Active Directory Object Picker will now appear.

                  Note: By default, the Object Picker is set to search for both Users and Groups.

 

3. Search for one or more global security group(s) or user(s) that you want to link to the Password Policy. Click the Apply button to save the changes.

 

4. Click OK to close the properties window.

 

1.1.5 Find the Effective Password Policy for one or more users using the MMC Snap-in.

 

1. Expand the Fine Grained Password Policies node.

2. Click the Resultant Policy Wizard Task in the Actions Pane.

3. Click the Add button. The Active Directory Object Picker will now appear.

                  Note: By default, the Object Picker is set to search for both Users and Groups.

4. Search for one or more user(s) that you want to view the Effective Password Policy for. Click the OK button.

5. You will now see the Effective Password Policies for the selected user(s).
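
How an effective policy is chosen when several policies are linked to a user and to the user's groups, following Active Directory's documented resolution rules. This is an added example, not code from the tool or its author; `Get-ResultantPso` is a hypothetical helper, all names, DNs, GUIDs and precedence values are constructed, and the group list is assumed to be the user's global security group memberships.

```powershell
# Constructed sample data: every name, DN, GUID and precedence value is illustrative.
$psos = @(
    [pscustomobject]@{ Name = 'PSO-Admins'; Precedence = 10; Guid = [guid]'00000000-0000-0000-0000-00000000000a'
                       AppliesTo = @('CN=Tier0 Admins,OU=Groups,DC=example,DC=test') }
    [pscustomobject]@{ Name = 'PSO-Helpdesk'; Precedence = 20; Guid = [guid]'00000000-0000-0000-0000-00000000000b'
                       AppliesTo = @('CN=Helpdesk,OU=Groups,DC=example,DC=test') }
    [pscustomobject]@{ Name = 'PSO-Service'; Precedence = 50; Guid = [guid]'00000000-0000-0000-0000-00000000000c'
                       AppliesTo = @('CN=svc-backup,OU=Service,DC=example,DC=test') }
)

# Hypothetical helper (not part of the tool): picks the policy that applies to one user.
function Get-ResultantPso {
    param(
        [Parameter(Mandatory)] [string]   $UserDn,
        [string[]] $GroupDns = @(),
        [Parameter(Mandatory)] [object[]] $Pso
    )
    # Rule 1: policies linked directly to the user beat any group-linked policy.
    $candidates = @($Pso | Where-Object { $_.AppliesTo -contains $UserDn })
    $via = 'user'
    if ($candidates.Count -eq 0) {
        # Rule 2: otherwise consider policies linked to the user's global security groups.
        $candidates = @($Pso | Where-Object {
            $links = $_.AppliesTo
            @($GroupDns | Where-Object { $links -contains $_ }).Count -gt 0
        })
        $via = 'group'
    }
    # Rule 3: no linked policy means the domain-wide password policy applies.
    if ($candidates.Count -eq 0) {
        return [pscustomobject]@{ Policy = 'Default Domain Policy'; LinkedVia = 'domain'; Warnings = @() }
    }
    # Lowest precedence value wins. AD breaks ties on the lowest GUID; .NET [guid] ordering
    # stands in for that here, and a tie is reported because relying on it is fragile.
    $ordered = @($candidates | Sort-Object Precedence, Guid)
    $winner = $ordered[0]
    $warnings = @()
    if ($via -eq 'user' -and $ordered.Count -gt 1) { $warnings += 'More than one policy is linked directly to the user' }
    if (@($ordered | Where-Object { $_.Precedence -eq $winner.Precedence }).Count -gt 1) { $warnings += 'Precedence tie among candidate policies' }
    [pscustomobject]@{ Policy = $winner.Name; LinkedVia = $via; Warnings = $warnings }
}

$admins = 'CN=Tier0 Admins,OU=Groups,DC=example,DC=test'
$help   = 'CN=Helpdesk,OU=Groups,DC=example,DC=test'
Get-ResultantPso -UserDn 'CN=alice,OU=Staff,DC=example,DC=test' -GroupDns $admins, $help -Pso $psos
# Direct-link case: svc-backup is in Tier0 Admins but is also linked directly to PSO-Service.
Get-ResultantPso -UserDn 'CN=svc-backup,OU=Service,DC=example,DC=test' -GroupDns $admins -Pso $psos
Get-ResultantPso -UserDn 'CN=bob,OU=Staff,DC=example,DC=test' -Pso $psos
```

On a live domain, the directory's own answer for a user is exposed in that user's msDS-ResultantPSO attribute, which is the value to trust when auditing which accounts a direct link has moved off a stricter group policy.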

 


1.1.6 Configure the PasswordPolicy PowerShell cmdlet.

1. Start Windows PowerShell.

2. Type the following command: Add-PSSnapin PasswordPolicy and press enter.

Note: The PasswordPolicy cmdlet should now be successfully loaded, and the PasswordPolicy commands should be ready for use.

 

1.1.7 List Password Policies using the PowerShell cmdlet.

 


1. Type the following command: Get-PasswordPolicy and press enter.

                 Note: To get a specific password policy type Get-PasswordPolicy <name>

 

1.1.8 Modify a Password Policy using the PowerShell cmdlet.

 

1. Type the following command: Modify-PasswordPolicy -name "<name of the policy in (1.1.2)>" -PasswordComplexityEnabled $True -AppliesToAdd DomainUser and press enter.

                  Note: You have now modified the existing password policy and changed the Password Complexity Setting to Enabled and linked a user to the policy.

  1. Benny says:

    Hi,
    I have a mix of 2003 and 2012 domain controllers in my domain. Do I have to remove the 2003 servers before upgrading the functional level to use PSO, or can I upgrade the domain functional level with the 2003 servers in place?

    thanks
    Benny