
11.4. Creating Group-Level Password Policies

Group-level policies override the global policies and offer specific policies that only apply to group members. Password policies are not cumulative. Either a group policy or the global policy is in effect for a user or group, but not both simultaneously.
Group-level policies do not exist by default, so they must be created manually.


It is not possible to set a password policy for a non-existent group.

11.4.1. With the Web UI

  1. Click the Policy tab, and then click the Password Policies subtab.
  2. All of the policies in the UI are listed by group. The global password policy is defined by the global_policy group. Click the group link.
  3. Click the Add link at the top.
  4. In the pop-up box, select the group for which to create the password policy.
  5. Set the priority of the policy. The higher the number, the lower the priority.
    Only one password policy is in effect for a user, and that is the highest priority policy.


    The priority cannot be changed in the UI once the policy is created.
  6. Click the Add and Edit button so that the policy form immediately opens.
  7. Set the policy fields. Leaving a field blank means that attribute is not added to the password policy configuration.
    • Max lifetime sets the maximum amount of time, in days, that a password is valid before a user must reset it.
    • Min lifetime sets the minimum amount of time, in hours, that a password must remain in effect before a user is permitted to change it. This prevents a user from attempting to change a password back immediately to an older password or from cycling through the password history.
    • History size sets how many previous passwords are stored. A user cannot re-use a password that is still in the password history.
    • Character classes sets the different categories of character that must be used in the password. For example, a character class can be a number, special character, or capital; the complete list of categories is in Table 11.1, “Password Policy Settings”. This is part of setting the complexity requirements.
    • Min length sets how many characters must be in a password. This is part of setting the complexity requirements.

11.4.2. With the Command Line

Password policies are added with the pwpolicy-add command.
$ ipa pwpolicy-add groupName --attribute-value
For example:
$ ipa pwpolicy-add examplegroup --minlife=7 --maxlife=49 --history= --priority=1 
Group: examplegroup
Max lifetime (days): 49
Min lifetime (hours): 7
Priority: 1


Setting an attribute to a blank value effectively removes that attribute from the password policy.
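
The selection rule described in this section (one policy per user, the lowest priority number wins, and nothing is merged in from the global policy), modelled in Python as an added example. It is not IdM code; the global policy values, the contractors group, the field names and the tie handling are assumptions of this example.

```python
from dataclasses import dataclass, fields
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class PwPolicy:
    group: str
    priority: Optional[int] = None       # lower number = higher priority
    maxlife_days: Optional[int] = None   # None models a blank (unset) field
    minlife_hours: Optional[int] = None
    history: Optional[int] = None
    minclasses: Optional[int] = None
    minlength: Optional[int] = None


def effective_policy(user_groups: Iterable[str],
                     group_policies: Iterable[PwPolicy],
                     global_policy: PwPolicy) -> PwPolicy:
    """Return the one policy in effect: the matching group policy with the
    lowest priority number, or the global policy if no group policy matches."""
    groups = set(user_groups)
    matches = sorted((p for p in group_policies if p.group in groups),
                     key=lambda p: p.priority)
    if not matches:
        return global_policy
    if len(matches) > 1 and matches[0].priority == matches[1].priority:
        # The page does not define tie-breaking; this model refuses to guess.
        raise ValueError("ambiguous: two matching policies share a priority")
    return matches[0]


def unset_fields(policy: PwPolicy) -> List[str]:
    """Settings the effective policy leaves blank. Policies are not
    cumulative, so the global policy's values do not fill these in."""
    return [f.name for f in fields(policy)
            if f.name not in ("group", "priority")
            and getattr(policy, f.name) is None]


# Constructed sample data. examplegroup mirrors the pwpolicy-add example;
# the global values and the "contractors" group are hypothetical.
GLOBAL = PwPolicy("global_policy", None, 90, 1, 5, 3, 12)
GROUP_POLICIES = [
    PwPolicy("contractors", priority=10, maxlife_days=30, minlength=16),
    PwPolicy("examplegroup", priority=1, maxlife_days=49, minlife_hours=7),
]

if __name__ == "__main__":
    pol = effective_policy(["contractors", "examplegroup"], GROUP_POLICIES, GLOBAL)
    print(pol.group, "unset:", unset_fields(pol))
```

A member of both groups gets the examplegroup policy, which in this model leaves history size, character classes and minimum length unset even though the global policy defines them.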