Understanding how fine grained password policies are processed

by Mitch Tulloch [Published on 12 June 2013 / Last Updated on 12 June 2013]

A tip on how fine grained password policies are processed.

Consider a scenario where a user named Karen Berg in the corp.contoso.com domain is a member of two groups: the Marketing group and the Sales group. Fine-grained password policies have been configured as follows:

  • A fine-grained password policy having a precedence value of 1 has been created and assigned to the Marketing group.
  • A fine-grained password policy having a precedence value of 2 has been created and assigned to the Sales group.

Because Karen belongs to both groups, both policies apply to her, but the one with the lowest precedence value (the policy assigned to the Marketing group) is the one that takes effect.

Note that if two fine-grained password policies have the same preference value and both policies apply to the same user, the policy with the smallest globally unique identifier (GUID) wins.

This tip is excerpted from my latest book Training Guide: Installing and Configuring Windows Server 2012 from Microsoft Press.

Mitch Tulloch is a nine-time recipient of the Microsoft Most Valuable Professional (MVP) award and a widely recognized expert on Windows administration, deployment and virtualization.  For more information see http://www.mtit.com.

Featured Links