Access Manager: Using Fine Grain Password Policies (FGPP) in version 1.3



As of Access Manager 1.3 Active Directory connectors are now able to detect and use Fine Grain Password Policies that you have configured within your domain.

FGPP can be created within the domain and assigned to specific users and groups allowing for users in different parts of the domain to use different password rules, for example you can have a stricter policy for your administrator users compared to the default policy that other employees use.


Download and Configuration

To configure FGPP see the articles below for the different Windows Server configurations.

Windows Server 2008

Windows Server 2012


In Access Manager you can view the password policy that a user obeys in the Identities page.


Select the User and in the details section below the user list you can see a new tab named Password Characteristics, selecting this will display the password policy that the user obeys, and where this is coming from.


In the case here the password policy is being detected from the domain default policy, if we look at a user that is in a group with a different policy however.


We can see that the policy is different, and that it is specific to this user.


In order for Access Manager to provide full FGPP functionality the Service Account in the directory configuration will require the permissions that allow the user to access FGPP, the simplest way to provide this is to ensure the Service Account user is a member of the Domain Admins group in Active Directory.


Password Policy Priority Order

When a user is using a Fine Grain Password Policy this will take precedence over the Domain Password Policy that is detected by the directory configuration. Any overrides that are made to the Default Policy will also not have an effect on the user, however if you override the policy the user has in the Identites page then that override will be applied to the user.

The general priority order that the users will see is as follows:

  1. Password Policy overriden on the Identities page - A password policy override specific to the user will always be followed.
  2. FGPP - If the user does not have an override specific to them then the next policy to follow is the highest prioity FGPP they belong to in the Active Directory.
  3. Domain Policy override from Directory page - On the Directorys page the detected domain policy can be overriden.
  4. Default Domain Policy from Active Directory - If none of the other type of policy are detected then the user will need to meet the requirements of the Default Domain Policy from the Active Directory.