Fine grained password policy or domain password policy

%3CLINGO-SUB%20id%3D%22lingo-sub-2298226%22%20slang%3D%22en-US%22%3EFine%20grained%20password%20policy%20or%20domain%20password%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2298226%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20to%20all%2C%3CBR%20%2F%3E%3CBR%20%2F%3Ewe%20have%20setup%20a%20fine%20grained%20policy%20for%20a%20while%20now%20but%20we%20have%20always%20had%20issues%20with%20users%20trying%20to%20change%20their%20password%20and%20getting%20the%20%22The%20password%20you%20set%2C%20does%20not%20meet%20the%20password%20complexity%2Frequirements%22.%26nbsp%3B%20To%20bypass%20that%2C%20we%20remove%20them%20to%20the%20fine%20grained%20policy%20group%20temporarly%20and%20have%20them%20set%20up%20their%20password.%3CBR%20%2F%3EAlso%2C%20we%20are%20synced%20with%20AADConnect%20to%20Office%20365%20and%20we%20will%20be%20activating%20soon%20that%20password%20policy%20also.%3CBR%20%2F%3EMy%20question%20is%2C%20should%20we%20remove%20the%20password%20settings%20in%20the%20default%20password%20policy%3F%26nbsp%3B%20Or%20how%20do%20I%20go%20about%20to%20have%20them%20both%20work%20together.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2298226%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2298432%22%20slang%3D%22en-US%22%3ERe%3A%20Fine%20grained%20password%20policy%20or%20domain%20password%20policy%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2298432%22%20slang%3D%22en-US%22%3EBefore%20Windows%20Server%202008%2C%20passwords%20were%20only%20managed%20via%20the%20Default%20Domain%20Policy%20GPO.%20From%20Windows%20Server%202008%2C%20Microsoft%20introduces%20Password%20Settings%20Object%20(PSO)%20.%20A%20Password%20Settings%20Object%20(PSO)%20is%20an%20Active%20Directory%20object%20that%20enables%20to%20apply%20Fine-Grained%20password%20policy%20linked%20to%20users%20or%20groups%20object.%20However%20in%20Windows%20Server%202008%2C%20PSO%20could%20only%20be%20created%20with%20PowerShell%20command.%20This%20object%20contains%20all%20password%20settings%20that%20you%20can%20find%20in%20the%20Default%20Domain%20Policy%20GPO%20(password%20history%2C%20complexity%2C%20length%20etc.).%20A%20PSO%20can%20be%20applied%20to%20users%20or%20groups.%20When%20PSO%20is%20applied%20on%20some%20users%2C%20there%20are%20no%20longer%20using%20password%20policy%20from%20Default%20Policy%20Settings%20GPO.%20Instead%20they%20use%20the%20PSO%20settings.%20Because%20PSO%20can%20be%20applied%20to%20a%20group%2C%20a%20user%20can%20be%20linked%20to%20two%20PSO.%20However%20only%20one%20PSO%20can%20be%20applied%20to%20users.%20So%20in%20this%20case%20an%20RSoP%20(Resultant%20Set%20of%20Policy)%20must%20be%20calculated%20to%20apply%20one%20PSO.%20The%20RSoP%20calculation%20is%20based%20on%20a%20PSO%20parameter%20called%20Precedence%20which%20is%20a%20number.%20The%20PSO%20with%20the%20lowest%20number%20win%20and%20is%20applied.%20So%20the%20lowest%20Precedence%20number%20is%20always%20applied.%3C%2FLINGO-BODY%3E
New Contributor

Hi to all,

we have setup a fine grained policy for a while now but we have always had issues with users trying to change their password and getting the "The password you set, does not meet the password complexity/requirements".  To bypass that, we remove them to the fine grained policy group temporarly and have them set up their password.
Also, we are synced with AADConnect to Office 365 and we will be activating soon that password policy also.
My question is, should we remove the password settings in the default password policy?  Or how do I go about to have them both work together. 

1 Reply
Before Windows Server 2008, passwords were only managed via the Default Domain Policy GPO. From Windows Server 2008, Microsoft introduces Password Settings Object (PSO) . A Password Settings Object (PSO) is an Active Directory object that enables to apply Fine-Grained password policy linked to users or groups object. However in Windows Server 2008, PSO could only be created with PowerShell command. This object contains all password settings that you can find in the Default Domain Policy GPO (password history, complexity, length etc.). A PSO can be applied to users or groups. When PSO is applied on some users, there are no longer using password policy from Default Policy Settings GPO. Instead they use the PSO settings. Because PSO can be applied to a group, a user can be linked to two PSO. However only one PSO can be applied to users. So in this case an RSoP (Resultant Set of Policy) must be calculated to apply one PSO. The RSoP calculation is based on a PSO parameter called Precedence which is a number. The PSO with the lowest number win and is applied. So the lowest Precedence number is always applied.