I want tougher password rules for admins than for normal users.
By default a single Default Domain Policy governs passwords. Fine-Grained Password Policies (PSOs) let you apply stricter rules per group, for example longer passphrases for Domain Admins and service accounts.
Try this first
- 1Open Active Directory Administrative Center, browse to your domain, System, Password Settings Container.
- 2Create a new Password Settings object, set precedence (lower wins) and link it to a group such as Tier-0 Admins or Service Accounts.
- 3Pick sensible values: 14 to 16 character minimum for admins, drop complexity rules that push users toward Pa$$w0rd1, lockout threshold that stops brute force without flooding the helpdesk.
- 4Test with a sample account in the target group: open a fresh session, try a too-short password, and confirm with dsget user -effectivepso that the PSO actually wins.
- 5Document which group has which PSO, otherwise nobody remembers why one account follows different rules.
When to bring us in
Pair this with a ban on known leaked passwords. Microsoft Entra Password Protection can enforce that on-prem too, via a proxy and agent on your DCs.
See also
- One DC or two DCs for an SMB office?Two is almost always the right answer; one DC is a single point of failure for logon, DNS and GPOs.
- Should I split FSMO roles across two DCs?For a small domain all on one DC is fine; with two DCs splitting is tidier but not required.
- How do I know my AD replication is healthy?Replication errors creep in silently; they only surface when logins or GPOs misbehave.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.