Understanding how fine grained password policies are processed

by Mitch Tulloch [Published on 12 June 2013 / Last Updated on 12 June 2013]

A tip on how fine grained password policies are processed.

Consider a scenario where a user named Karen Berg in the corp.contoso.com domain is a member of two groups: the Marketing group and the Sales group. Fine-grained password policies have been configured as follows:

  • A fine-grained password policy having a precedence value of 1 has been created and assigned to the Marketing group.
  • A fine-grained password policy having a precedence value of 2 has been created and assigned to the Sales group.

Because Karen belongs to both groups, both policies apply to her, but the one with the lowest precedence value (the policy assigned to the Marketing group) is the one that takes effect.

Note that if two fine-grained password policies have the same preference value and both policies apply to the same user, the policy with the smallest globally unique identifier (GUID) wins.

This tip is excerpted from my latest book Training Guide: Installing and Configuring Windows Server 2012 from Microsoft Press.

Mitch Tulloch is a nine-time recipient of the Microsoft Most Valuable Professional (MVP) award and a widely recognized expert on Windows administration, deployment and virtualization.  For more information see http://www.mtit.com.

See Also


The Author — Mitch Tulloch

Mitch Tulloch is a well-known expert on Windows Server administration and cloud computing technologies. He has published over a thousand articles on information technology topics and has written, contributed to or been series editor for over 50 books.

Featured Links