Define password complexity for individual users or groups

A traditional bane of school network administrators is trying to enforce standards for password complexity.

Staff have access to all manner of confidential information on pupils and their families, so they should be using strong passwords. The trouble is that the normal method of enforcing password complexity on a standard Windows network, the Account Policies settings in domain-level Group Policy, applies the same rules to every user on the domain. It’s all very well to insist that staff have passwords at least six characters long with a mixture of uppercase, lowercase and numbers; try that with your average five-year-olds and it will take the class half an hour to log on every lesson.

User education and good old-fashioned people management can play a big role here, but for whatever reason, there are always some people who can’t be bothered to follow school policy. The only way to get 100% compliance is with a technological solution – it’s just been a pain in the backside in the past.

That changed in Windows Server 2008, which brought with it a feature called Fine-Grained Password Policy (FGPP). This lets you create Password Settings Objects (PSOs) that apply only to individual user accounts or to global security groups, rather than to the whole domain. Two things to keep in mind: a PSO cannot be linked to an OU or to a domain local group, and if a user is covered by more than one PSO only one of them applies (the one with the lowest precedence value), so settings are never merged. Unfortunately, even in Server 2008 R2 there is no simple UI to configure any of this. The in-box options are ADSI Edit or an LDIF import and, on R2 only, the ActiveDirectory PowerShell module, which is a big improvement but still not something most school technicians will want to reach for.
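For reference, this is what the in-box route looks like on Server 2008 R2 with the ActiveDirectory module. It is an added example written for this page, not code from the original post or from Specops, and it assumes a global security group called Staff, a PSO name of Staff-Passwords and a test account jsmith; change those to suit your domain.

```powershell
# Added example: create a fine-grained password policy with the in-box
# ActiveDirectory module (Windows Server 2008 R2 domain controller or RSAT).
# Assumed names (not from the original post): group "Staff", PSO
# "Staff-Passwords", test user "jsmith".
Import-Module ActiveDirectory

$psoName  = 'Staff-Passwords'
$group    = 'Staff'
$testUser = 'jsmith'

# PSOs are only honoured for user objects and global security groups.
# Check the group scope before linking, or the policy silently never applies.
$g = Get-ADGroup -Identity $group
if ($g.GroupScope -ne 'Global' -or $g.GroupCategory -ne 'Security') {
    throw ("{0} must be a global security group to be a PSO subject (it is {1}/{2})" -f `
        $group, $g.GroupScope, $g.GroupCategory)
}

# The settings are the same ones you see under Account Policies in Group
# Policy. Lowest Precedence value wins if a user is covered by several PSOs.
# LockoutThreshold 0 disables lockout; set it deliberately, one way or the other.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 8 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 0 `
    -LockoutDuration '0.00:30:00' `
    -LockoutObservationWindow '0.00:30:00' `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true `
    -Description 'Complexity and expiry for staff accounts only'

# Link the policy to the group. Individual user accounts can be passed here too.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Verify what a member of the group actually gets. If nothing comes back,
# no PSO applies to that user and the domain-wide policy is in force.
$effective = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($effective) {
    "{0} gets PSO '{1}' (precedence {2}, min length {3}, max age {4})" -f `
        $testUser, $effective.Name, $effective.Precedence, `
        $effective.MinPasswordLength, $effective.MaxPasswordAge
} else {
    "{0} is not covered by any PSO; the domain-wide password policy applies" -f $testUser
}
```

The last step is worth running after any change, whichever tool you used to make it: Get-ADUserResultantPasswordPolicy is the only quick way to see which PSO a particular account has ended up with once group memberships and precedence values are taken into account.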

Enter Specops Password Policy Basic.

There are a few free third-party tools available for configuring fine-grained password policies – none of the ones I tested was perfect, but I liked Specops Password Policy Basic the best. You don’t need to install anything on your server, since the underlying functionality is already built into Active Directory, but your domain must be at the Windows Server 2008 functional level or higher. You can run it on any computer that meets the basic install prerequisites, so long as the account you run it under has Domain Admin rights on the domain you want to configure. Download, install, and you’re away.

Overall, the Specops tool is very simple to use, and does the job well. I already mentioned it’s not perfect though; there are two gotchas:

  1. You have to define a password policy and save it before selecting which users/groups it applies to. If you try to select a user/group before you’ve saved the new policy, the tool will throw an exception.
  2. When I downloaded and installed the tool, it immediately insisted I didn’t have the latest version. I’m pretty sure this is a bug with the update checking, and it works fine otherwise.

The options you get for defining your policies are the exact same options you’ll find in Group Policy, only now you can assign them to users and groups:

An example policy in Specops Password Policy Basic

If you’re implementing password complexity rules for the first time, it’s important to remember that ticking the ‘Password must meet complexity requirements’ box won’t automatically restrict users who currently have a weak password from logging on. All it does is ensure that when they next change their password, they can only change it to one that meets the rules. Of course, you can always combine this with a ‘Maximum password age’ rule, which forces users to change their password before they can log on again once it has expired – and that password age check is applied retrospectively, because it is worked out from the date the password was last set, not from the date the policy was created. That means you can catch the idiots who’ve been using 123456 as their password for the last five years, and force them to change to a proper password immediately. One caveat: accounts with ‘Password never expires’ ticked are exempt from any maximum age, domain-wide or fine-grained, so clear that flag on any staff account you expect the policy to bite.
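Before switching on a maximum age it is worth knowing who is about to be locked out of their Monday morning, and who will slip through because of the ‘Password never expires’ flag. The following script is an added example for this page, not part of the original post or of the Specops tool; it assumes the policy will apply to a group called Staff with a 90-day maximum age, and it only reads from the directory unless you uncomment the last line.

```powershell
# Added example: audit a group before applying a MaxPasswordAge PSO.
# Assumptions (not from the original post): group "Staff", 90-day maximum age.
# Written for PowerShell 2.0 (what Server 2008 R2 ships with).
Import-Module ActiveDirectory

$group  = 'Staff'
$maxAge = New-TimeSpan -Days 90
$cutoff = (Get-Date) - $maxAge

# Expand nested groups and keep only user objects.
$members = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, Enabled

$report = foreach ($u in $members) {
    $status = if (-not $u.Enabled) {
        'disabled'
    } elseif ($u.PasswordNeverExpires) {
        # UF_DONT_EXPIRE_PASSWD on the account overrides any maximum age,
        # domain-wide or PSO. Clear it or this user is never prompted.
        'EXEMPT: password never expires'
    } elseif (-not $u.PasswordLastSet) {
        # pwdLastSet is 0: already flagged to change at next logon.
        'already must change'
    } elseif ($u.PasswordLastSet -lt $cutoff) {
        # Older than the maximum age: expires the moment the PSO applies.
        'will be forced to change at next logon'
    } else {
        'ok until ' + $u.PasswordLastSet.Add($maxAge).ToShortDateString()
    }
    New-Object PSObject -Property @{
        User            = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        Status          = $status
    }
}

$report | Select-Object User, PasswordLastSet, Status |
    Sort-Object Status, User | Format-Table -AutoSize

# Uncomment to clear the exemption so the PSO actually takes effect for those accounts:
# $members | Where-Object { $_.PasswordNeverExpires } | Set-ADUser -PasswordNeverExpires $false
```

Run it once before creating the PSO to size the problem, and again afterwards with the same cutoff to confirm that the ‘will be forced to change’ list has emptied out as people log on.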

Final note: Some other tools to do this can be found here if Specops isn’t to your liking.

About The Angry Technician

The Angry Technician is an experienced IT professional in the UK education sector. Normally found in various states of annoyance on his blog. All views are those of his imaginary pet dog, Howard.

One response to “Define password complexity for individual users or groups”

  1. ScottishTech says :

    Cool proggy.

    Password complexity has always been something of a bugbear in our Authority. It took an inordinate amount of convincing our IT dept that having mandatory complex passwords for all users (staff and students) which changed every month was not a good idea.

    Likewise, neither was having password lockouts (e.g. 3 wrong password attempts sees your account locked for a period of time), since the pupils would soon catch on to this and spend all day deliberately getting friends’/teachers’ passwords wrong.