One of the most common security requirements I’ve seen in enterprise organizations is setting unique password policies for different subsets of user accounts on the network. Some user accounts need very restrictive password policies, such as powerful IT Admin user accounts and user accounts with access to sensitive information. Other accounts often don’t have these same requirements. If we try to force very strict passwords on all user accounts to support the needs of just a few, most users will probably resort to writing down their passwords, which defeats our security practices altogether!

In the old days (prior to Windows Server 2008), we resorted to complex AD configurations with multiple domains because of the “one password policy per domain” restriction. In Windows Server 2008, we provided functionality for creating multiple password policies within a single domain via Password Settings objects (Yay!), but it was only accessible via ADSIEdit (Yuck!) and, as a result, many IT Admins weren’t aware of it and didn’t leverage it.

NOTE: To configure Password Settings objects, your AD Domain must be at the Windows Server 2008 Domain Functional Level or later.

In the new ADAC in Windows Server 2012, we can now define and assign multiple password policies within a single AD domain entirely from within the GUI-based ADAC console! Here’s how …

In the ADAC console, navigate to the System -> Password Settings Container and select the New -> Password Settings action to create a new Password Settings object.

Complete your unique AD password policy settings in the Password Settings dialog box as appropriate. Click the Add button to add one or more AD Groups or Users to which this policy should be assigned.

Click the OK button to save your new password policy. Test your new policy by trying to modify the password for one of the assigned users to confirm that your new password policy is effective.
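The same three steps (create the Password Settings object, assign it, verify it is effective) as an added PowerShell example using the ActiveDirectory module; this is not code from the original post, and the policy name, group name and test user are assumptions:

```powershell
# Added example: create and assign a Password Settings object (PSO) from PowerShell
# instead of the ADAC GUI. Assumed names: PSO "PSO-IT-Admins", global security
# group "IT-Admins", test user "jdoe".
Import-Module ActiveDirectory

# Prerequisite from the note above: Windows Server 2008 Domain Functional Level or later.
$domain = Get-ADDomain
$minMode = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
if ([int]$domain.DomainMode -lt $minMode) {
    throw "Domain functional level is $($domain.DomainMode); PSOs require Windows2008Domain or later."
}

$psoName = 'PSO-IT-Admins'
$group   = 'IT-Admins'

# Step 1: define the stricter policy. Precedence decides which PSO wins when a user
# is covered by several (lower number wins); MinPasswordAge must be below MaxPasswordAge.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -Description 'Stricter password policy for IT Admin accounts'

# Step 2: assign it (the Add button in the dialog). PSOs apply to users and global
# security groups only, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Step 3: verify which policy is actually effective for a member of the group.
# The cmdlet returns nothing when the default domain policy applies.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
if ($null -eq $effective) {
    Write-Warning "Default domain policy applies to jdoe; check membership of $group."
} elseif ($effective.Name -eq $psoName) {
    "$psoName is effective for jdoe"
} else {
    Write-Warning "Effective policy for jdoe is '$($effective.Name)'; check PSO precedence."
}
```

Run this in an elevated session with the RSAT ActiveDirectory module installed; the verification step is the scripted equivalent of the password-change test described above.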
