
Create Fine Grained Password Policy Using ADAC

Step 1: Install Remote Server Administration Tools (RSAT)

You may already have this installed; if not, you will need it. RSAT is required whether you use the ADAC console or PowerShell.

If you need install steps then check out my guide > Install RSAT on Windows 10.

Step 2: Open Active Directory Administrative Center


Step 3: In ADAC, click on your domain.


Step 4: Click on the System folder.


Step 5: Click the “Password Settings Container”. Then, in the upper right corner, click “New” and then “Password Settings”.


You should now be at the Create Password Settings screen.


Step 6: Now you can configure the password policy settings.

In this example, I want to set a stronger password policy for my server administrators.

I named my password policy “Server-Admin-PW-Policy” and gave it a precedence of 1.

Then I changed the minimum password length to 15 and set the account lockout policy.


Step 7: Next, you need to apply the policy to a user or group. In the Directly Applies To section, click “Add”.


Select the users or groups you want the password policy to apply to. In this example, I’m assigning it to a group called “Server-Admins”.


Click OK.

Click OK on the Create Password Settings screen. 


Done. You have finished creating a fine grained password policy.

Create Fine Grained Password Policy Using PowerShell

The cmdlet New-ADFineGrainedPasswordPolicy is used to create new Active Directory fine grained password policies. 

In this example, I’m just setting the minimum password length, giving the policy a name and assigning it precedence 1.

New-ADFineGrainedPasswordPolicy -Name "Server-Admins-Policy" -Precedence 1 -MinPasswordLength 15

Now that the policy is created, it needs to be assigned to users or a group.

Add-ADFineGrainedPasswordPolicySubject -Identity "Server-Admins-Policy" -Subjects "server-admins"

-Identity is the name of the policy and -Subjects is the name of the group or user you want the policy assigned to.
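Putting the two commands together as an added example (not the tutorial's own script): it creates the same policy the ADAC walkthrough builds by hand, checks first that the chosen precedence is not already taken by another PSO, applies it to the group, and then confirms with Get-ADUserResultantPasswordPolicy that every member of the group actually resolves to it. It assumes the ActiveDirectory module is available, that a global security group named Server-Admins already exists, and the lockout values (5 attempts, 30 minutes) are my own placeholders, since the tutorial does not state which ones it used.

```powershell
# Added example, not part of the tutorial. Assumes RSAT's ActiveDirectory module
# and an existing global security group "Server-Admins". Policy name and
# precedence follow the tutorial; the lockout numbers are assumed placeholders.
Import-Module ActiveDirectory

$PolicyName = 'Server-Admins-Policy'
$Precedence = 1
$GroupName  = 'Server-Admins'

# Precedence should be unique. If two PSOs tie, AD breaks the tie by object GUID,
# which is not how you want the admin password policy to be chosen.
$clash = Get-ADFineGrainedPasswordPolicy -Filter "Precedence -eq $Precedence" |
         Where-Object { $_.Name -ne $PolicyName }
if ($clash) {
    throw "Precedence $Precedence is already used by PSO '$($clash.Name)'; choose another value."
}

# Create the policy once: 15-character minimum plus an account lockout policy,
# mirroring what the ADAC steps configure. (Lockout values are assumptions.)
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence $Precedence `
        -MinPasswordLength 15 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ProtectedFromAccidentalDeletion $true
}

# Apply the PSO to the group. AD evaluates group membership when it picks the
# resultant policy for each user, so nested members are covered too.
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName

# Verify: each user in the group should resolve to this PSO. A user who still
# resolves elsewhere (or to the default domain policy, where the cmdlet returns
# nothing) is most likely covered by a PSO with a lower precedence number.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User       = $_.SamAccountName
            Effective  = if ($effective) { $effective.Name } else { '(default domain policy)' }
            AsIntended = [bool]($effective -and $effective.Name -eq $PolicyName)
        }
    } | Format-Table -AutoSize
```

Any row with AsIntended set to False is the case to investigate before assuming your administrators are on the stronger policy.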

Resources

New-ADFineGrainedPasswordPolicy – Complete command syntax

Add-ADFineGrainedPasswordPolicySubject – Complete command syntax

How to View Fine Grained Password Policies

It is pretty strange that you can create the password policy in the console, but it provides no way to view the policies. (If there is a way, please post it in the comments below.)

No problem, we can use PowerShell to view all domain password policies.

Check Fine Grained Password Policies

Get-ADFineGrainedPasswordPolicy -Filter *

The above command will display all domain fine grained password policies.

Get the Resultant Password Policy for a User

Get-ADUserResultantPasswordPolicy -Identity UserName

Use this command if you have multiple fine grained password policies defined. It shows you which one is actually being applied to the user.

Get the Default Domain Password Policy

Get-ADDefaultDomainPasswordPolicy

Another option to view the fine grained password policies is by using the Active Directory Reporting Tool.

Click on Reports -> Security -> Fine grained password policy

Click run and you will see a list of all domain fine grained password policies.

In the screenshot above, the tool shows that I have 3 fine grained password policies. The Active Directory Reporting Tool includes over 200 pre-built Active Directory reports.