1
00:00:00,940 --> 00:00:04,440
Password Policies and Protected Users.

2
00:00:04,440 --> 00:00:04,680
Now,

3
00:00:04,680 --> 00:00:10,350
the trend with passwords nowadays is to have your users change their

4
00:00:10,350 --> 00:00:14,520
passwords less frequently, but ensure that when they do change their

5
00:00:14,520 --> 00:00:18,540
password, they're choosing a sufficiently strong one.

6
00:00:18,540 --> 00:00:22,560
Traditionally in Active Directory, we configured password

7
00:00:22,560 --> 00:00:26,940
policy at the domain level using Group Policy.

8
00:00:26,940 --> 00:00:31,290
And this approach originated, as I mentioned a moment ago, before

9
00:00:31,290 --> 00:00:34,960
Active Directory, when we had Windows NT domains.

10
00:00:34,960 --> 00:00:37,900
Now, a problem that emerged with Active Directory,

11
00:00:37,900 --> 00:00:44,140
which dates back to around 1999 or so with Windows 2000 Server, is that

12
00:00:44,140 --> 00:00:47,790
for businesses that do have different groups of users who have

13
00:00:47,790 --> 00:00:51,670
different security requirements, this would sometimes force an

14
00:00:51,670 --> 00:00:56,260
organization to have a multi‑domain forest, because you could only do

15
00:00:56,260 --> 00:00:59,240
password policies at the domain level.

16
00:00:59,240 --> 00:01:00,060
Now, honestly,

17
00:01:00,060 --> 00:01:04,280
nowadays in 2022, Microsoft recommends a single

18
00:01:04,280 --> 00:01:07,140
domain forest for a business anyway.

19
00:01:07,140 --> 00:01:07,380
I mean,

20
00:01:07,380 --> 00:01:09,790
look at it. When you're going to a multi‑domain

21
00:01:09,790 --> 00:01:13,040
forest or a multi‑domain tree forest,

22
00:01:13,040 --> 00:01:17,240
you're dramatically increasing the complexity of that environment.

23
00:01:17,240 --> 00:01:22,240
You really don't need to do this, because you can scale to a virtually

24
00:01:22,240 --> 00:01:26,140
unlimited number of accounts within a single domain.

25
00:01:26,140 --> 00:01:26,320
Now,

26
00:01:26,320 --> 00:01:30,650
let's compare the Group Policy domain password policy

27
00:01:30,650 --> 00:01:34,030
with fine‑grained password policy. Here,

28
00:01:34,030 --> 00:01:39,240
we have separate password policies that are attached to Active Directory groups.

29
00:01:39,240 --> 00:01:42,640
What if somebody belongs to more than one AD group,

30
00:01:42,640 --> 00:01:46,750
each of which has a fine‑grained policy? Well, as administrators,

31
00:01:46,750 --> 00:01:51,880
we can associate a precedence value that resolves conflicts and

32
00:01:51,880 --> 00:01:55,650
makes sure that the highest precedence policy will be the one

33
00:01:55,650 --> 00:01:57,180
that's effective for that user.

34
00:01:57,180 --> 00:01:59,470
So, I mean, it's not overly complex,

35
00:01:59,470 --> 00:02:03,090
but it's a nice solution to that domain limitation

36
00:02:03,090 --> 00:02:05,240
that we outlined a moment ago.

37
00:02:05,240 --> 00:02:09,070
We configure fine‑grained password policies in Windows Server,

38
00:02:09,070 --> 00:02:16,000
either with Active Directory Administrative Center, or we can do so programmatically with Windows PowerShell.