Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows
Server 2012 R2. You plan to use fine-grained password policies to customize the password policy settings
ofcontoso.com.
You need to identify to which Active Directory object types you can directly apply the fine-grained password
policies.
Which two object types should you identify? (Each correct answer presents part of the solution.
Choose two.)
A.
Users
B.
Global groups
C.
computers
D.
Universal groups
E.
Domain local groups
Explanation:
First off, your domain functional level must be at Windows Server 2008. Second, Fine-grained password
policies ONLY apply to user objects, and global security groups. Linking them to universal or domain local
groups is ineffective. I know what you’re thinking, what about OU’s? Nope, Fine-grained password policy cannot
be applied to an organizational unit (OU) directly. The third thing to keep in mind is, by default only members of
the Domain Admins group can set fine- grained password policies. However, you can delegate this ability to
other users if needed.
Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of
user objects) and global security groups.
You can apply Password Settings objects (PSOs) to users or global security groups:http://technet.microsoft.com/en-us/library/cc731589%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/cc770848%28v=ws.10%29.aspx
http://www.brandonlawson.com/active-directory/creating-fine-grained-password-policies/