Active Directory Administrative Center password last set
For the first 8 years of Active Directory, the only native way of having multiple password policies in your AD forest was to have multiple domains. When Server 2008 arrived on the scene, Microsoft introduced the concept of fine-grained password policies (FGPP), which allowed different policies within the same domain.
Traditionally, the Default Domain Policy is where the standard password policy settings are configured. It is somewhat strangely done under the Computer Configuration area of that GPO, which poses a problem when you want to apply different password policies to different users. So, to move away from using Group Policy, Microsoft introduced the concept of a Password Settings Container in AD, with FGPPs applied by AD security group rather than by a GPO linked to an OU.

The original interface to configure FGPP was horrible. You had to use scary tools such as Adsiedit.msc, or helpful third-party tools such as Specops Password Policy Basic. However, with the advent of Server 2012, a different configuration tool (written in PowerShell) was introduced – Active Directory Administrative Center (ADAC), which is what we are going to use to evaluate what FGPP can offer you.

Accessing the Active Directory Administrative Center to Adjust Fine-Grained Password Policies

You can find ADAC under the Windows Administrative Tools. If you have domain admin level privileges, you will see “system\Password Settings Container” underneath your domain name on the left. If you select that link, you will see that you can choose New > Password Settings on the right. The following configuration interface will be launched. You have the same basic options in here as you do in the Default Domain Policy:
You can find the Password Settings Container in Active Directory Users and Computers. If you have enabled Advanced Features, you will find it under the System container. If there is an object in here, you can view its properties and configured settings under the Attribute Editor tab. As you can see, it is not exactly “fine-grained” password policy. Complexity is either on or off. Interestingly, even Microsoft now regards the complexity settings as anti-security.

Configuring Fine-Grained Password Policies Using PowerShell

In Active Directory, you can manage fine-grained password policies (PSOs) using PowerShell, though the Active Directory PowerShell module must be installed on your computer in order to do so. To create a new PSO, use the New-ADFineGrainedPasswordPolicy cmdlet:
Next, assign a password policy to a user group using:
Change the PSO policy settings using:
List all FGPP policies in a domain:
Use the Get-ADUserResultantPasswordPolicy command to get the resulting password policy that applies to a specific user.
The name of the PSO that applies to the user is specified in the Name field. You can display the list of PSO policies assigned to an Active Directory group using the Get-ADGroup cmdlet:
To show the default password policy settings from the Default Domain Policy GPO, run the command:
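The steps above, put together as one added example (not the original article's code). The PSO name, group name, user name and all policy values are hypothetical; only the cmdlets come from the text and the Active Directory module.

```powershell
# Added example. 'PSO-Admins', 'Tier0-Admins', 'jsmith' and every value are hypothetical.
Import-Module ActiveDirectory

# 1. Create a PSO. When several PSOs reach the same user, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 5 -LockoutDuration '00:30:00' `
    -LockoutObservationWindow '00:30:00' `
    -ProtectedFromAccidentalDeletion $true

# 2. Assign the PSO to a group (PSOs apply to users and global security groups, not OUs).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Tier0-Admins'

# 3. Change a setting on the existing PSO.
Set-ADFineGrainedPasswordPolicy -Identity 'PSO-Admins' -MinPasswordLength 20

# 4. List every PSO in the domain, most authoritative first.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Format-Table Name, Precedence, MinPasswordLength, ComplexityEnabled, AppliesTo

# 5. Resultant policy for one user. No output means no PSO applies
#    and the user falls back to the default domain password policy.
$rsop = Get-ADUserResultantPasswordPolicy -Identity 'jsmith'
if ($null -eq $rsop) {
    'jsmith: no PSO applies, default domain policy is in effect'
} else {
    'jsmith: PSO "{0}" (precedence {1})' -f $rsop.Name, $rsop.Precedence
}

# 6. PSOs assigned to a group (stored in the msDS-PSOApplied back-link attribute).
Get-ADGroup -Identity 'Tier0-Admins' -Properties 'msDS-PSOApplied' |
    Select-Object Name, 'msDS-PSOApplied'

# 7. Default password policy from the Default Domain Policy.
Get-ADDefaultDomainPasswordPolicy
```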
While we still have to live with passwords, there are more versatile, user-friendly, and feature-rich solutions available. Specops Password Policy allows you to follow the latest NIST and NCSC guidelines, and gives true fine-grained control over any password policy requirements that you may need to apply to your organization, e.g. block weak passwords, enforce a passphrase, disallow incremental passwords or block consecutive identical characters.

Mar 29, 2018 (Last updated on July 1, 2022)
Tags: Active Directory, fine-grained password policy, password complexity, password policy

Darren James
Darren James is a Product Specialist and cyber security expert at Specops Software. He works as a lead IT engineer to help customers reduce costs, improve security and increase productivity. He holds Microsoft certifications within IT Service Management, O365, Enterprise Administrator, Server Administrator and Security. Darren has more than 25 years’ experience working in technical IT roles, centering around Active Directory, IT security, cloud, larger-scale migrations, integrations and identity and success management.

How do I find out when a password was last in AD?
Method 1.
1. Open Active Directory Users and Computers.
2. From the View menu, click Advanced Features.
3. Select the Users group on the left pane.
4. In the right pane, right-click the user whose last password change you want to view and select Properties.

When was AD password last changed?
You can check the Last Password Changed information for a user account in Active Directory. The information for last password changed is stored in an attribute called “PwdLastSet”. You can check the value of “PwdLastSet” using the Microsoft “ADSI Edit” tool.
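The pwdLastSet attribute described above can also be read in bulk with the Active Directory PowerShell module. This is an added example, not part of the original page; the 90-day threshold is an assumed value.

```powershell
# Added example. The 90-day cutoff is an assumption; adjust to your policy.
Import-Module ActiveDirectory
$cutoff = (Get-Date).ToUniversalTime().AddDays(-90)

Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet, PasswordNeverExpires |
    ForEach-Object {
        # pwdLastSet is a Windows FILETIME: 100 ns intervals since 1601-01-01 UTC.
        # A value of 0 means the password was never set or must change at next logon.
        $raw = [int64]$_.pwdLastSet
        $set = if ($raw -gt 0) { [DateTime]::FromFileTimeUtc($raw) } else { $null }

        [pscustomobject]@{
            SamAccountName        = $_.SamAccountName
            PwdLastSetUtc         = $set
            MustChangeAtNextLogon = ($raw -eq 0)
            PasswordNeverExpires  = $_.PasswordNeverExpires
            OlderThanCutoff       = ($null -ne $set -and $set -lt $cutoff)
        }
    } |
    Sort-Object PwdLastSetUtc |
    Format-Table -AutoSize
```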
How can I view my password history?
To check your saved passwords, go to Password Checkup.
To view a password: Select an account, then Preview.
To delete a password: Select an account, then Delete.
To export your passwords: Select Settings, then Export passwords.

Can you see who changed a password in Active Directory?
Open “Event Viewer” ➔ “Windows Logs” ➔ “Security” logs. Search for event ID 4724 in “Security” logs. This ID identifies a user account whose password is reset. You can scroll down to view the details of the user account whose password was reset.
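The same event ID 4724 lookup, scripted so that each reset shows who performed it and against which account. This is an added example, not part of the original page; the 7-day window is an assumed value, and it expects to run elevated on a domain controller with user account management auditing enabled.

```powershell
# Added example. The 7-day look-back is an assumption.
# 4724 is written to the Security log of the DC that processed the reset,
# so run this on each DC or against forwarded events.
$filter = @{
    LogName   = 'Security'
    Id        = 4724
    StartTime = (Get-Date).AddDays(-7)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the EventData name/value pairs into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            # Subject* = account that performed the reset
            ResetBy     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            # Target*  = account whose password was reset
            Target      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LoggedOn    = $_.MachineName
        }
    } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```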