As you may have heard, Microsoft is finally providing the ability to have fine-grained password policies within a single AD domain. That means you can now have different password policies for different user groups within AD. This feature is described nicely in Jorge de Almeida’s excellent blog entry.
Well, now our friends at SpecOps have come out with a free GUI tool for managing these new "PSO" objects in AD. This tool looks really nice so check it out!
Its a good alternative to Joe Richards’ free command-line tool for managing PSO, called PSOMgr.
Despite the desperate need for doing this, the one thing that I don’t like about the new fine-grained password policy is that its a completely separate mechanism for managing password policy from the existing GPO-based method, which, by the way, is still in Server 2008. In the absence of Fine-grained password policies set in AD, the default is still whatever you’ve defined on your domain-linked GPO. This can get confusing since you will need two mechanisms for determining effective password policy across all users. I think Jorge’s advice in his blog is good–once you implement Fine-grained password policies, implement it for all users so that you essentially don’t need to care what Group Policy is doing with account policy anymore. That will simplify management of this stuff tremendously!
Tags:
Group Policy, Active Directory, Fine-grained Password Policy, SpecOps, Joeware
SEP
About the Author:
Darren Mar-Elia is CTO & Founder of SDM Software, Inc. Darren has over 25 years of IT and Software experience in the Microsoft technology area, including serving as a Director in Infrastructure at Charles Schwab, CTO of Windows Management Solutions at Quest Software, and Sr. Director of Product Engineering at DesktopStandard. He has been a Microsoft MVP in Group Policy technology for the last 6 years and has written and spoken on Active Directory, Group Policy and PowerShell topics frequently over the years. He maintains the popular Group Policy resource web site at www.gpoguy.com and has been a contributing editor for Windows IT Pro Magazine since 1997. He has written and contributed to twelve books on Windows. Darren also speaks frequently at conferences on Windows infrastructure topics.