Security Settings and Password Policy
Under Computer Configuration > Policies > Windows Settings > Security Settings, administrators configure the domain's Account Policies (Password Policy, Account Lockout Policy, Kerberos Policy) and Local Policies (Audit Policy, User Rights Assignment, Security Options). A critical rule is that Password Policy and Account Lockout Policy only take effect domain-wide when set in a GPO linked at the domain root; setting them in an OU-linked GPO only affects local accounts on the computers in that OU, not domain user accounts, because the domain controllers themselves determine domain account password rules from the domain-linked GPO. Fine-Grained Password Policies, applied via Password Settings Objects (PSOs) rather than GPOs, are the supported way to give specific groups (like Domain Admins) a stricter password policy than the rest of the domain.
Cricket analogy: Domain-wide password policy is like an ICC regulation on bat dimensions that applies to every national team, while a local OU-linked equivalent is like one club changing its own practice-net rules — it doesn't touch how international matches are officiated.
Administrative Templates and ADMX Files
Administrative Templates are registry-based policy settings displayed under Policies > Administrative Templates in the Group Policy Management Editor, sourced from ADMX (language-neutral) and ADML (language-specific) files rather than the older ADM format. These cover thousands of settings across Windows components, Control Panel, Network, and installed applications like Microsoft Edge or Office, letting administrators enable, disable, or leave a setting Not Configured. Best practice is to set up a Central Store — a shared SYSVOL folder at \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions — so every admin's GPMC pulls ADMX templates from one authoritative, version-controlled location instead of each admin's local %SystemRoot%\PolicyDefinitions copy, which can drift out of sync across different admin workstations.
Cricket analogy: Administrative Templates are like the standardized rulebook categories (fielding restrictions, powerplay overs, DRS reviews) that every umpire references, and the Central Store is like the ICC's single official rulebook edition every match official must consult instead of their own personal copy.
Software Restriction and AppLocker
For controlling which executables, scripts, and installers users can run, administrators use either legacy Software Restriction Policies (SRP) or the more modern AppLocker, both configured through GPO under Windows Settings > Security Settings. AppLocker supports rule types for executables, Windows Installer packages, scripts, DLLs, and packaged apps, with each rule type defaulting to an Allow rule for administrators and a Deny for everyone else once any rule is created in that collection, so enabling AppLocker for a rule type without a broad default Allow rule can accidentally block legitimate Windows components. Rules can be based on file path, file hash, or publisher certificate, with publisher-based rules being the most maintainable since they survive application updates without needing new hashes.
Cricket analogy: AppLocker's publisher-based rules are like a stadium admitting any player wearing an officially certified team jersey regardless of which specific jersey batch was printed, more durable than checking each individual jersey's serial number (a hash-based rule).
# Set domain-wide password policy in a GPO linked at the domain root
Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -ValueName "RefusePasswordChange" -Type DWord -Value 0
# Query effective minimum password length for verification
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, LockoutThreshold, ComplexityEnabled
# Create a Fine-Grained Password Policy for Domain Admins
New-ADFineGrainedPasswordPolicy -Name "DA-Strict-Policy" -Precedence 10 `
-MinPasswordLength 16 -ComplexityEnabled $true -MaxPasswordAge "30.00:00:00"
Add-ADFineGrainedPasswordPolicySubject -Identity "DA-Strict-Policy" -Subjects "Domain Admins"Fine-Grained Password Policies (FGPP), introduced in Windows Server 2008, are applied via Password Settings Objects and Active Directory's msDS-PasswordSettingsPrecedence attribute rather than through GPO linking, which is why they can give a security group like Domain Admins a stricter password policy without needing a separate OU structure.
Enabling AppLocker's executable rule collection with only a narrow set of custom rules — and no default 'Allow Everyone to run files in Program Files and Windows' rule — will block core Windows processes from running, potentially making the machine unusable at next logon. Always start with the built-in default rules before layering custom restrictions.
- Domain-wide Password Policy and Account Lockout Policy must be set in a GPO linked at the domain root to affect domain accounts.
- Fine-Grained Password Policies use Password Settings Objects, not GPOs, to give specific groups stricter password rules.
- Administrative Templates are sourced from ADMX/ADML files; a Central Store keeps them consistent across all admin workstations.
- AppLocker rule types (executable, installer, script, DLL, packaged app) each need default Allow rules to avoid breaking core Windows components.
- Publisher-based AppLocker rules are more maintainable than hash-based rules because they survive application updates.
- Get-ADDefaultDomainPasswordPolicy and New-ADFineGrainedPasswordPolicy are key cmdlets for verifying and creating password policy.
Practice what you learned
1. Where must a GPO be linked for its Password Policy settings to apply to domain user accounts?
2. What mechanism is used to give the Domain Admins group a stricter password policy than the rest of the domain?
3. What is the purpose of a Group Policy Central Store?
4. Why are AppLocker publisher-based rules generally preferred over hash-based rules?
5. What risk does enabling an AppLocker rule collection with only narrow custom rules introduce?
Was this page helpful?
You May Also Like
Group Policy Objects Explained
An introduction to Group Policy Objects (GPOs), how they store settings, and how they get applied to users and computers in Active Directory.
GPO Scope and Inheritance
How GPO scope is controlled through linking, security filtering, WMI filtering, Block Inheritance, and Enforced links, and how conflicts are resolved.
Group Policy Preferences
How Group Policy Preferences differ from Group Policy Policies, common preference extensions like drive maps and scheduled tasks, and item-level targeting.
Related Reading
Related Study Notes in Microsoft Technologies
Browse all study notesWindows 10 / UWP Development Study Notes
.NET · 30 topics
Microsoft TechnologiesWindows Batch Scripting Study Notes
Batch · 30 topics
Microsoft TechnologiesMFC (Microsoft Foundation Classes) Study Notes
C++ · 30 topics
Microsoft TechnologiesSilverlight Study Notes
.NET · 30 topics
Microsoft TechnologiesXAML Study Notes
.NET · 30 topics
Microsoft TechnologiesWPF (Windows Presentation Foundation) Study Notes
.NET · 30 topics