Comments on: Creating Fine Grained Password Policies
https://www.prajwaldesai.com/creating-fine-grained-password-policies/
Wed, 12 May 2021 12:35:42 +0000

By: Petr Kindl https://www.prajwaldesai.com/creating-fine-grained-password-policies/#comment-24290
Thanks for the post, but how do you apply it for a group in a child domain?

By: Craig B https://www.prajwaldesai.com/creating-fine-grained-password-policies/#comment-14011
In reply to sanjay sharma.

I did get it to work but only after I set this test account to require change password at next logon. At that point with a log off/on it did get my test policy and not the normal default domain policy. I am more interested in what users will experience so that is the focus of my testing.
I will do another test and simply let it sit for a few days to see if it ever expires on its own. But it’s pretty clear at least in my domain (2012r2) that setting a fine grain policy does not immediately disconnect users if they don’t meet the new requirements.

By: sanjay sharma https://www.prajwaldesai.com/creating-fine-grained-password-policies/#comment-14009
In reply to Craig B.

I think here you need to use PSO (Fine grain password setting) going through ADSIedit console.

By: Craig B https://www.prajwaldesai.com/creating-fine-grained-password-policies/#comment-14005
Do you have to remove the policy under the Default domain policy? I cannot get this to work, I made Precedence 1 and have a min password of 10 characters. I pointed this policy to a test user with a password of 8 characters. Signing out and back in and restarting still allowed login with the 8 character pw. I have confirmed the test policy shows up in the account in Attribute editor.
Or does this only take effect the next time a user tries to change their password?

By: Jed https://www.prajwaldesai.com/creating-fine-grained-password-policies/#comment-12968
In reply to Mike.

I know this is a bit late, but I just had this issue. If the current password is shorter than the new policy stipulates it will force the user to change their password the next time they log in and will disable things like access to network shares. The policy makes too short passwords immediately expire.

By: Sir Timbit https://www.prajwaldesai.com/creating-fine-grained-password-policies/#comment-12317
Using AD Admin Centre, what’s the correct value if I want to set the fine grained password policy so that passwords never expire? Is that 0 here? I’m finding conflicting answers for that. Thanks.

By: Mike https://www.prajwaldesai.com/creating-fine-grained-password-policies/#comment-12313
If I add a password policy, where there was none, will it affect users “immediately” or only the next time they try to change their password? Does it depend on which policy is applied? For example, a user has a 6 character password and we implement a minimum of 8 characters. We would like it not to affect users right away, but rather tell users to change their passwords and at that time follow the new password policy. Thanks
