Fine grained policies and Password Policy Manager (PPM)

Windows 2008 AD DS (Active Directory Domain Services) allows administrators to set different password policies for different users or groups. In practice this means an administrator can set a password policy of, e.g., a minimum of 5 characters [1] with a password that must be changed every 60 days for ordinary users, while a group of administrators must have a password of at least, e.g., 14 characters that they need to change every 30 days.

To achieve this, the administrator must create different Password Settings objects (PSOs) and apply them directly to user objects or, better, to a group. Every member of the group then gets the password policy defined by the PSO linked to that group.
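The same steps can be scripted. The following is an added example, not part of PPM or of the original post: it creates the stricter administrator policy described above, links it to a group and checks which PSO actually applies to a member. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later); the PSO, group and user names are hypothetical, and every setting other than the 14-character minimum and the 30-day maximum age is a constructed sample value.

```powershell
# Added example. Requires the ActiveDirectory module and a domain functional
# level of Windows Server 2008 or higher. Run as a member of Domain Admins.
Import-Module ActiveDirectory

# Hypothetical names, replace with your own.
$PsoName   = 'PSO-Admins'      # name of the Password Settings object
$GroupName = 'Admin-Accounts'  # must be a GLOBAL security group
$TestUser  = 'adm.test'        # a member of $GroupName, used for verification

# 1. Create the PSO only if it does not exist yet.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    # From the text: at least 14 characters, changed every 30 days.
    # Everything else below is a constructed sample value.
    New-ADFineGrainedPasswordPolicy -Name $PsoName `
        -Precedence 10 `
        -MinPasswordLength 14 `
        -MaxPasswordAge '30.00:00:00' `
        -MinPasswordAge '1.00:00:00' `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 `
        -LockoutDuration '00:30:00' `
        -LockoutObservationWindow '00:30:00'
}

# 2. Link the PSO to the group rather than to individual users.
#    PSOs apply only to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# 3. Verify: which PSO wins for this user? When several PSOs reach the same
#    user, the one with the LOWEST Precedence value is applied. An empty
#    result means no PSO applies and the default domain policy is in effect.
$effective = Get-ADUserResultantPasswordPolicy -Identity $TestUser
if ($null -eq $effective) {
    Write-Warning "$TestUser falls back to the default domain policy."
} elseif ($effective.Name -ne $PsoName) {
    Write-Warning "$TestUser is governed by '$($effective.Name)', not '$PsoName'."
} else {
    "{0}: {1} (min length {2}, max age {3})" -f $TestUser, $effective.Name,
        $effective.MinPasswordLength, $effective.MaxPasswordAge
}

# 4. Audit every PSO in the domain, strongest precedence first, with its targets.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo
```

Step 3 is the check worth repeating after any change to PSOs or group membership, because an account that is not a member of any PSO-linked group gets the default domain policy.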

My friend Miha Jakovac and I wrote (well Miha did most of the writing ;-) ) a free tool called Password Policy Manager or PPM that allows administrators to use GUI tools for creating and applying PSO to users or groups.

You can also use the tool to search for existing PSOs, edit or delete them, and view the PSOs applied to users or groups.

You can download and use PPM for free.

Let Miha or me know what you think about the tool ...

  1. I don’t recommend using a password policy that allows users such short passwords.

Following are some screenshots of the tool...

Creating new PSO

Applying PSO to user

Checking for any existing PSOs applied to the object

The result of the check shows the PSO that the user is a member of. Here you can also remove the user (or group) from the applied PSO.


Hint 1: You can use keywords...
Hint 2: You could search for a specific user or group and apply a new PSO to it...

Result of the search

From the returned list of PSOs you can view the details of each PSO, edit them, delete them, etc.

Viewing PSO details

You can view the details of a PSO, such as password length, password history and other settings. You can also remove any user that might be linked to the PSO. If you wish, you can export the settings to an LDF-formatted file.
