How to Apply an AD DS Fine-Grained Password Policy on Users Under an Organizational Unit

By default, you cannot apply a Fine-Grained Password Policy directly to an Organizational Unit, because a Fine-Grained Password Policy can be applied only to users or to global security groups.

This Wiki article shows how to apply a Fine-Grained Password Policy to the users in an Organizational Unit using a shadow group.
All you need is:

  • A global security group
  • A script that will update the security group membership to include only users within an Organizational Unit
  • A Fine-Grained Password Policy to apply

Once the global security group has been created, you can use the following PowerShell script to update its membership with the users within an Organizational Unit:

# Load the Active Directory cmdlets
Import-Module ActiveDirectory

# sAMAccountName of the global security group that acts as the shadow group
$GroupName = "GroupName"

# Distinguished Name of the Organizational Unit whose users should be members
$OU = "OU=something,DC=CONTOSO,DC=COM"

# Remove every existing member of the group
Set-ADGroup -Identity $GroupName -Clear member

# Add every user found under the OU (child OUs included, the default search scope) as a member
foreach ($user in (Get-ADUser -SearchBase $OU -Filter *)) {
    Add-ADGroupMember -Identity $GroupName -Members $user
}

You need to update the following variable values before running the script:

  • $GroupName: It should contain the sAMAccountName of your global security group
  • $OU: It should contain the Distinguished Name of the Organizational Unit containing the users that should be members of your global security group

The script can be scheduled to run periodically (daily, for example) and performs the following actions on each run:

  • It removes all the members of your group
  • It adds the users under the target Organizational Unit as members of the group

Running this script periodically guarantees that only users under the target Organizational Unit are, and remain, members of the global security group. Users moved out of the Organizational Unit lose their membership at the next run, while users moved into the Organizational Unit are added automatically.

After populating the global security group, apply your Fine-Grained Password Policy to the group; the policy then applies to the users within this Organizational Unit.
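As an added example (not part of the original article), the same shadow-group synchronisation written incrementally: only the differences between the OU and the group are added or removed, so the group is never emptied between the clear and the re-add, and the script ends by reporting which password policy actually applies to each user. It assumes PowerShell 3.0 or later; the group, OU and policy names are placeholders.

```powershell
# Added example, not part of the original article. Synchronises the shadow
# group with the OU incrementally so that no user temporarily falls back to
# the Default Domain Policy. Group, OU and policy names are placeholders.
Import-Module ActiveDirectory

$GroupName  = "FGPP-Shadow-Group"               # sAMAccountName of the global security group
$OU         = "OU=something,DC=CONTOSO,DC=COM"  # Distinguished Name of the target OU
$PolicyName = "OU-Users-PSO"                    # name of the Fine-Grained Password Policy

# Distinguished Names of every user under the OU (Get-ADUser searches the subtree by default)
$ouUsers = @(Get-ADUser -SearchBase $OU -Filter * |
             Select-Object -ExpandProperty DistinguishedName)

# Distinguished Names of the user objects currently in the group (nested groups are ignored)
$members = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty DistinguishedName)

# Users in the OU but not yet in the group, and members that are no longer under the OU
$toAdd    = @($ouUsers | Where-Object { $members -notcontains $_ })
$toRemove = @($members | Where-Object { $ouUsers -notcontains $_ })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
}

# Link the policy to the shadow group if that has not been done already
$groupDn  = (Get-ADGroup -Identity $GroupName).DistinguishedName
$subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName |
              Select-Object -ExpandProperty DistinguishedName)
if ($subjects -notcontains $groupDn) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
}

# Verify the result: a user with no resultant PSO is still governed by the Default Domain Policy
Get-ADUser -SearchBase $OU -Filter * | ForEach-Object {
    $pso  = Get-ADUserResultantPasswordPolicy -Identity $_
    $name = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
    [pscustomobject]@{
        User   = $_.SamAccountName
        Policy = $name
    }
}
```

The final report is the check to schedule alongside the sync: any user listed with "Default Domain Policy" is not covered by the shadow group, which usually means the group has not been linked to the policy or the user was created after the last run.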

AD DS: Fine-Grained Password Policies: http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx