It is not a GPO!!! – FGPP can be set up via Powershell script or manually with adsiedit. Other tools can help you to mange FGPP: ie. Scriptlogic ActiveAdministrator… Microsoft MVP Christoffer Andersson released a Microsoft Management Console (MMC) snap-in and Windows PowerShell cmdlet for FGPP management, which up until the release of Andersson’s FGPP tool, required the use of Adsiedit to manage. The tool is available from blogs.chrisse.se/blogs/chrisse/pages/fine-grain-password-policy-tool.aspx, which has a good user’s guide.

Method 1 : with adsiedit.msc ;  http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx

 Method 2 : PowerShell native commandlets in Windows Server 2008 R2 :

PSO creation:  ex: Set-ADFineGrainedPasswordPolicy “ITAdminsPSO” -MinPasswordLength 8 -…

          Link the PSO to a user or group (not an OU!): ex: Add-ADFineGrainedPasswordPolicySubject ITAdminsPSO -Subjects ‘(*** All Admin Accounts ***)’

           Example : http://itadministrators1.blogspot.fr/2011/02/search-modify-apply-remove-delete-fine.html

Regarding the permissions required to create a PSO, technet says:

  • Permissions: By default, only members of the Domain Admins group can create PSOs. Only members of this group have the Create Child and Delete Child permissions on the Password Settings Container object. In addition, only members of the Domain Admins group have Write Property permissions on the PSO by default. Therefore, only members of the Domain Admins group can apply a PSO to a group or user. You do not have to have permissions on the user object or group object to be able to apply a PSO to it. To apply a PSO to the user object or group object, you must have Write permissions on the PSO object.
  • Permissions delegation: You can delegate Read Property permissions on the default security descriptor of the PSO object in the schema to any other group (such as Help desk personnel or a management application) in the domain or forest. This can also prevent a user from seeing his or her password settings in the directory. The user can read the msDS-ResultantPSO or the msDS-PSOApplied attributes, but these attributes display only the distinguished name of the PSO that applies to the user. The user cannot see the settings within that PSO. For more information, see Appendix C: Group-Based Management of Fine-Grained Password and Account Lockout Policies.