frabus

asked on

Do any guides exist to implement "fine grained password policy" on Windows Server 2008?

My organization would like to implement Fine Grained Password Policy on its Domain Controllers. I recently ran the command New-ADFineGrainedPasswordPolicy in the Active Directory PowerShell application. I received an error that I don't understand, and I can't find any explanation for it in the ADFineGrainedPasswordPolicy help. The error is:
New-ADFineGrainedPasswordPolicy : The modification was not permitted for security reasons
At line:1 char:1
+ New-ADFineGrainedPasswordPolicy -Name "TestUsersOU_PSO" -Precedence 500 -Complex ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (CN=TestUsersOU_...abacares,DC=org:String) [New-ADFineGrainedPasswordPolicy], ADException
    + FullyQualifiedErrorId : The modification was not permitted for security reasons, Microsoft.ActiveDirectory.Management.Commands.NewADFineGrainedPasswordPolicy

This error makes me think that I need to check on prerequisites, but I don't know what they are or how to verify their status.
ASKER CERTIFIED SOLUTION
George Simos
frabus (ASKER)
Hi George, thanks for the suggestion. The reported error was received when executing the command from a Windows 7 client machine equipped with the Administrative Tools pack. I received the error even when I logged on to AD PowerShell as an administrator. But your answer made me think that I should try opening the AD PowerShell as an administrator while logged on to the Domain Server. I did that, and I got a different error to the same command:
New-ADFineGrainedPasswordPolicy : The modification was not permitted for security reasons
At line:1 char:32
+ New-ADFineGrainedPasswordPolicy <<<<  -Name "TestUsersOU_PSO" -Precedence 500 -ComplexityEnabled $true -Description "The Password Policy for members of Test UsersOU_Users" -DisplayName "TestUsersOU_PSO" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 10 -MaxPasswordAge "0.00:00:00" -MinPasswordAge "1.00:00:00" -MinPasswordLength 8 -PasswordHistoryCount24 -ReversibleEncryptionEnabled $false
    + CategoryInfo          : NotSpecified: (CN=TestUsersOU_...abacares,DC=org:String) [New-ADFineGrainedPasswordPolicy], ADException
    + FullyQualifiedErrorId : The modification was not permitted for security reasons,Microsoft.ActiveDirectory.Management.Commands.NewADFineGrainedPasswordPolicy

It just so happens that the 32nd character is the "-" before Name. So I am suspicious that I need to do something prior to executing this command. Any suggestions?
Hello,

Please post the command you are typing in PowerShell so I can test it further.
Hi again!

I saw the errors again and observed that the "MaxPasswordAge" flag is "0"; this is not accepted by ADS, and you should change it to something higher (the default age in ADS is 42 days). The best practice is 90 days, but this is adjusted according to your environment.
Any progress with your issue yet?
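An added example, not from the thread or from George's accepted answer, that checks the constraints discussed above (domain functional level, a non-zero MaxPasswordAge that is longer than MinPasswordAge) before creating the PSO, then links it to a group so it actually applies. The group name 'TestUsersOU_Users' and user 'someuser' are placeholders.

```powershell
# Added example (not from the thread): validate a PSO's settings before calling
# New-ADFineGrainedPasswordPolicy, so the generic "not permitted for security
# reasons" error is caught up front. Needs the ActiveDirectory module and an
# elevated domain-admin session on a DC or an RSAT host.
Import-Module ActiveDirectory

function Test-PsoSettings {
    param(
        [Parameter(Mandatory)][TimeSpan]$MaxPasswordAge,
        [Parameter(Mandatory)][TimeSpan]$MinPasswordAge,
        [Parameter(Mandatory)][int]$Precedence
    )
    $problems = @()
    # Prerequisite: fine-grained password policies require the
    # Windows Server 2008 domain functional level or higher.
    $mode = (Get-ADDomain).DomainMode
    $minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    if ([int]$mode -lt [int]$minMode) {
        $problems += "Domain functional level is $mode; Windows2008Domain or higher is required."
    }
    # George's point: a maximum age of 0 is rejected. The minimum age must also
    # be shorter than the maximum, otherwise the policy contradicts itself.
    if ($MaxPasswordAge -le [TimeSpan]::Zero) {
        $problems += "MaxPasswordAge must be greater than 0 (the default domain policy uses 42 days)."
    }
    if ($MinPasswordAge -ge $MaxPasswordAge) {
        $problems += "MinPasswordAge ($MinPasswordAge) must be shorter than MaxPasswordAge ($MaxPasswordAge)."
    }
    if ($Precedence -lt 1) { $problems += "Precedence must be a positive integer." }
    return $problems
}

# The settings from the thread, with the rejected MaxPasswordAge of 0 replaced by 90 days.
$settings = @{
    Name = 'TestUsersOU_PSO'; Precedence = 500; ComplexityEnabled = $true
    LockoutDuration = '0.12:00:00'; LockoutObservationWindow = '0.00:15:00'; LockoutThreshold = 10
    MaxPasswordAge = '90.00:00:00'; MinPasswordAge = '1.00:00:00'; MinPasswordLength = 8
    PasswordHistoryCount = 24; ReversibleEncryptionEnabled = $false
}
$problems = Test-PsoSettings -MaxPasswordAge $settings.MaxPasswordAge `
    -MinPasswordAge $settings.MinPasswordAge -Precedence $settings.Precedence
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; return }

New-ADFineGrainedPasswordPolicy @settings
# A PSO has no effect until it is linked to a group or user (placeholder group name).
Add-ADFineGrainedPasswordPolicySubject -Identity 'TestUsersOU_PSO' -Subjects 'TestUsersOU_Users'
# Confirm which policy wins for a member of that group (placeholder user name).
Get-ADUserResultantPasswordPolicy -Identity 'someuser' | Select-Object Name, Precedence, MaxPasswordAge
```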
Hi Frabus,

Thanks for accepting my answer. Would you mind sharing some details about the resolution of your issue, please?

With regards