frabus asked:
Do any guides exist to implement "fine grained password policy" on Windows Server 2008?
My organization would like to implement Fine Grained Password Policy on its Domain Controllers. I recently ran the command New-ADFineGrainedPasswordPolicy in the Active Directory PowerShell application. I received an error that I don't understand, and I can't find any explanation for it in the ADFineGrainedPasswordPolicy help. The error is

New-ADFineGrainedPasswordPolicy : The modification was not permitted for security reasons
At line:1 char:1
+ New-ADFineGrainedPasswordPolicy -Name "TestUsersOU_PSO" -Precedence 500 -Complex ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=TestUsersOU_...abacares,DC=org:String) [New-ADFineGrainedPasswordPolicy], ADException
+ FullyQualifiedErrorId : The modification was not permitted for security reasons,Microsoft.ActiveDirectory.Management.Commands.NewADFineGrainedPasswordPolicy
This error makes me think that I need to check on prerequisites, but I don't know what they are or how to verify their status.
Hello,
Please post the command you are typing in PowerShell so I can test it further.
Hi again!
I saw the errors again and observed that the "MaxPasswordAge" flag is "0". This is not acceptable to ADS, and you should change it to something higher (the default age in ADS is 42 days). The best practice is 90 days, but this is adjusted according to your environment.
Any progress with your issue yet?
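To illustrate the point about MaxPasswordAge, here is an added example (not code from the thread): it checks the domain functional level that fine-grained password policies require, validates the age values before calling New-ADFineGrainedPasswordPolicy, applies the PSO to a group (PSOs bind to users and global security groups, not OUs) and reads back the resultant policy. The group name TestUsers_PSO_Group and the user jdoe are placeholders; the PSO name comes from the question.

```powershell
# Added example, not from the original thread. Placeholder names: TestUsers_PSO_Group, jdoe.
Import-Module ActiveDirectory

# Prerequisite: fine-grained password policies need the Windows Server 2008
# domain functional level or higher.
$mode = (Get-ADDomain).DomainMode
if (@('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain') -contains "$mode") {
    throw "Domain functional level is $mode; raise it to Windows Server 2008 or higher first."
}

# Policy values. MaxPasswordAge must be nonzero and must exceed MinPasswordAge,
# otherwise the directory rejects the object.
$minAge = New-TimeSpan -Days 1
$maxAge = New-TimeSpan -Days 90
if ($maxAge -le [TimeSpan]::Zero -or $maxAge -le $minAge) {
    throw "MaxPasswordAge ($maxAge) must be positive and greater than MinPasswordAge ($minAge)."
}

$psoName = 'TestUsersOU_PSO'      # name used in the question
$target  = 'TestUsers_PSO_Group'  # placeholder: a global security group

New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 500 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 12 -PasswordHistoryCount 24 `
    -MinPasswordAge $minAge -MaxPasswordAge $maxAge `
    -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# A PSO has no effect until it is linked to a user or global security group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $target

# Verify the object and confirm which policy actually wins for a group member.
Get-ADFineGrainedPasswordPolicy -Identity $psoName |
    Select-Object Name, Precedence, MinPasswordAge, MaxPasswordAge, MinPasswordLength
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'   # placeholder user in the group
```

If Get-ADUserResultantPasswordPolicy returns nothing for the user, no PSO applies and the Default Domain Policy is in effect.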
Hi Frabus,
Thanks for accepting my answer, would you mind sharing some details about the resolution of your issue please?
With regards
ASKER
New-ADFineGrainedPasswordPolicy : The modification was not permitted for security reasons
At line:1 char:32
+ New-ADFineGrainedPasswordPolicy
+ CategoryInfo : NotSpecified: (CN=TestUsersOU_...abacares,DC=org:String) [New-ADFineGrainedPasswordPolicy], ADException
+ FullyQualifiedErrorId : The modification was not permitted for security reasons,Microsoft.ActiveDirectory.Management.Commands.NewADFineGrainedPasswordPolicy

It just so happens that the 32nd character is the - before Name. So I am suspicious that I need to do something prior to executing this command. Any suggestions?