With fine-grained password policies (FGPP), IT administrators can create multiple password policies within a single domain. Fine-grained password policies provide two enhancements: different password policies and different account lockout policies for different sets of users in one Active Directory. For example, a stricter password policy can be created for privileged accounts, a less strict password policy for non-privileged accounts, and a final policy for service accounts with passwords that do not expire. Fine-grained policies can be applied at the global security group and user object level. They cannot be applied directly to an organizational unit (OU). By default, only Domain Administrators can create fine-grained password policies. However, there is an option to delegate this task to others. Windows Server 2008 is the minimum operating system required to use fine-grained password policies. Windows Server 2012 introduced easier management of fine-grained password policies through a graphical user interface. Lastly, fine-grained password policies do not interfere with a custom password filter.
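The three-tier layout described above can be built with the ActiveDirectory PowerShell module. This is an added example, not taken from the original article or from any vendor: the policy names, group names, the `svc-backup` account and every numeric value are assumptions to replace with your own.

```powershell
# Added example. Policy names, group names and all values are assumptions.
Import-Module ActiveDirectory

# One entry per tier. When a user falls under several policies,
# the one with the LOWEST Precedence value wins.
$tiers = @(
    @{ Name = 'PSO-Privileged'; Group = 'GG-Privileged'; Precedence = 10
       MinLen = 14; MinAge = '1.00:00:00'; MaxAge = '60.00:00:00';  Lockout = 5 },
    @{ Name = 'PSO-Service';    Group = 'GG-Service';    Precedence = 20
       MinLen = 14; MinAge = '00:00:00';   MaxAge = '00:00:00';     Lockout = 0 },
    @{ Name = 'PSO-Standard';   Group = 'GG-Standard';   Precedence = 30
       MinLen = 10; MinAge = '1.00:00:00'; MaxAge = '180.00:00:00'; Lockout = 10 }
)   # MaxAge 00:00:00 = password never expires; Lockout 0 = lockout disabled

foreach ($t in $tiers) {
    # FGPPs attach to global security groups or users, never to an OU,
    # so check the group type before creating and linking the policy.
    $group = Get-ADGroup -Identity $t.Group
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        Write-Warning "$($t.Group) is not a global security group; skipping $($t.Name)."
        continue
    }

    $pso = @{
        Name                            = $t.Name
        Precedence                      = $t.Precedence
        MinPasswordLength               = $t.MinLen
        MinPasswordAge                  = $t.MinAge
        MaxPasswordAge                  = $t.MaxAge
        PasswordHistoryCount            = 24
        ComplexityEnabled               = $true
        ReversibleEncryptionEnabled     = $false
        LockoutThreshold                = $t.Lockout
        LockoutObservationWindow        = '00:15:00'
        LockoutDuration                 = '00:30:00'
        ProtectedFromAccidentalDeletion = $true
    }
    New-ADFineGrainedPasswordPolicy @pso
    Add-ADFineGrainedPasswordPolicySubject -Identity $t.Name -Subjects $group
}

# Confirm which policy actually applies to a given account
# ('svc-backup' is a hypothetical member of GG-Service).
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

`Get-ADUserResultantPasswordPolicy` returns nothing when no fine-grained policy applies to the account, in which case the default domain password policy is in effect.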
The nFront Password Filter is similar to Windows fine-grained password policies, but takes them one step further. What separates the nFront Password Filter from fine-grained password policies is the ability to have more customizable options within each password policy. The nFront Password Filter can enforce a longer minimum password length, stop dictionary passwords, require passphrases, stop repetitive sequences, and many more features! This can all be done while providing a better password change experience with the nFront Client. IT administrators notoriously want to enforce longer passwords; however, they are unable to do so with the settings included with Windows password complexity. A supplemental software tool, like the nFront Password Filter, can enforce the longer password length that they are in desperate need of.
There are two different versions of the nFront Password Filter – Single Policy Edition (SPE) and Multiple Policy Edition (MPE). The SPE version gives you a single, granular password policy for all domain users. The MPE version gives you up to ten different password policies with each policy linked to one or more security groups or OUs. The MPE version closely mimics the concept of fine-grained password policies with the ability to have multiple password policies targeting different users in the organization.
Overall, fine-grained password policies are a great technique to segment the organization with different password policies based on certain parameters. However, this alone is not enough for a secure password policy within an organization. Going one step further with a Windows password filter, like the nFront Password Filter, will be what you need for a secure password policy.