As you may have heard, Microsoft is finally providing the ability to have fine-grained password policies within a single AD domain. That means you can now have different password policies for different user groups within AD. This feature is described nicely in Jorge de Almeida’s excellent blog entry.
Well, now our friends at SpecOps have come out with a free GUI tool for managing these new "PSO" objects in AD. This tool looks really nice so check it out!
Its a good alternative to Joe Richards’ free command-line tool for managing PSO, called PSOMgr.
Despite the desperate need for doing this, the one thing that I don’t like about the new fine-grained password policy is that its a completely separate mechanism for managing password policy from the existing GPO-based method, which, by the way, is still in Server 2008. In the absence of Fine-grained password policies set in AD, the default is still whatever you’ve defined on your domain-linked GPO. This can get confusing since you will need two mechanisms for determining effective password policy across all users. I think Jorge’s advice in his blog is good–once you implement Fine-grained password policies, implement it for all users so that you essentially don’t need to care what Group Policy is doing with account policy anymore. That will simplify management of this stuff tremendously!
Tags:
Group Policy, Active Directory, Fine-grained Password Policy, SpecOps, Joeware