Fine grained Password Policy on 2012R2 made easy with ADAC

by butsch 8. July 2015 22:17

ADAC = NOT Deutscher Pannendienst ;-)

Fine grained Password Policy in 2013 R2 Domain Active Directory, Error 4625 event

Sometimes you need accounts TO None expire or not getting Locked out. We all now it's stupid in security terms but if the software has a bug and locks the account you have to hurry. Search on ALL of the Domain Controller for event 4625. There you should see the client who does it. There also lockout/whoislocked scripts which does that. (Account locked)

The regular Domain password policy is here:

But we want a second one with different settings and only for a few users in a security group

New way with ADAC on 2012R2

Old way with ADSIEDT.MSC


Make a new ADS group: sg_gpo_password_policy_bsb_non_locked and make the accounts which should have special password policy member of that group "Only user accounts"


Go to PASSSWORD Settings Container


Choose "Directly applies to" and make sure you choose the correct Security Group you made for this.

Under cmd on DC do a:

Repadmin /syncall

Its finished and working





Comments are closed

Werbung von Drittfirmen (Nicht Butsch Informatik):

Werbung von Drittfirmen via Google Adsense: