
Password Policy

Password Policy ensures that user passwords are strong and are changed periodically, making it very difficult for an attacker to crack them.

To edit Password Policy settings:

    • Go to Start Menu → Administrative Tools → Group Policy Management.
    • In the console tree, expand the Forest and then Domains. Select the domain for which the Account policies have to be set.
    • Double-click the domain to reveal the GPOs linked to the domain.
    • Right-click Default Domain Policy and select Edit. A Group Policy Editor console will open.
    • Now, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy.
    • Double-click Password Policy to reveal the six password settings available in AD. Right-click any one of these settings and select Properties to define the policy setting.
    • The Properties dialog box of each policy setting will have two tabs. The Security Policy Setting tab is where the value for that setting is set. The Explain tab gives a brief description of the policy setting and its default values.
    • In the Security Policy Setting tab, check the Define this Policy Setting check box and enter the desired value. Click Apply and then OK.

The six Password Policy settings available in Active Directory:

Enforce Password History

This setting determines the number of new passwords that have to be set before an old password can be reused. It ensures that users do not keep reusing old passwords, which would render the Minimum Password Age policy setting useless. The value can be set between 0 and 24. The default value is 24 on domain controllers and 0 on stand-alone servers.

For example, if the Enforce Password History value is set to 10, then the user must set 10 different passwords when the password expires before setting his/her password to an old value.

If the value is set to 0, then the password history is not remembered, and the user can reuse their old password when their password expires.

Maximum Password Age

This setting determines the maximum number of days a password can be used. Once the Maximum password age expires, users must change their password. It ensures that users don’t stick with one password forever. The value can be set between 0 and 999 days. The default value is 42.

For example, if the Maximum Password Age value is set to 60, then the user must change his/her password after every 60 days.

If the value is set to 0, then the password never expires, and the user is not required to change his/her password ever.

Minimum Password Age

This setting determines the minimum number of days a password must be in use before it can be changed. Users are allowed to change their password only after the minimum password age has elapsed. It ensures that users don’t change their password too often. The value can be set between 0 and 999 days. The default value is 1 for domain controllers and 0 for stand-alone servers.

For example, if the Minimum Password Age is set to 10, then the user cannot change his/her password for 10 days after the last password change.

This setting is used to ensure the effectiveness of the Enforce Password History setting. If the Minimum Password Age is set to 0, then the user can change his/her password every 2 minutes or so until the value set for Enforce Password History is reached, and then reuse his/her favorite old password. By setting the Minimum Password Age to a certain value, a user cannot change his/her password often enough to render the Enforce Password History setting ineffective.

The value for Minimum Password Age should always be less than the Maximum Password Age.

Minimum Password Length

This setting determines the minimum number of characters a password should contain. The value can be set between 0 and 14. The default value is 7 on domain controllers and 0 on stand-alone servers.

For example, if the Minimum Password Length is set to 6, then the password must contain at least 6 characters.

If it is set to 0, then no password is required.

Passwords must meet complexity requirements

This setting determines whether the password must meet the complexity requirements specified. If this setting is enabled, passwords must meet the following requirements.

    • The password does not contain the user’s account name or any part of the user’s full name that exceeds two consecutive characters
    • The password is at least six characters long
    • The password contains characters from at least three of the following four categories:
        • English uppercase characters (A – Z)
        • English lowercase characters (a – z)
        • Base 10 digits (0 – 9)
        • Non-alphanumeric (For example: $, #, or %)

By default, this setting is enabled on domain controllers and disabled on stand-alone servers.
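
The three complexity rules listed above can be checked in code as follows. This is an added example, not code from the original page or from Microsoft; the function name Test-PasswordComplexity is hypothetical, and splitting the full name on spaces and common punctuation is an assumption about how "part of the user's full name" is determined.

```powershell
# Added example: evaluates one password against the complexity rules listed above.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string] $Password,
        [Parameter(Mandatory)][string] $AccountName,
        [string] $FullName = ''
    )
    $reasons = @()

    # Rule: at least six characters long.
    if ($Password.Length -lt 6) { $reasons += 'shorter than six characters' }

    # Rule: characters from at least three of the four categories.
    # -cmatch is the case-sensitive match operator.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -cmatch '[0-9]')        { $categories++ }
    if ($Password -cmatch '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) { $reasons += "only $categories of 4 character categories" }

    # Rule: no account name or full-name part longer than two characters.
    # Assumption: full-name parts are separated by whitespace , . - _ #
    $tokens = @($AccountName) + ($FullName -split '[\s,.\-_#]+')
    foreach ($t in $tokens) {
        if ($t.Length -gt 2 -and
            $Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons += "contains name token '$t'"
        }
    }

    [pscustomobject]@{ Compliant = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Constructed sample passwords for a constructed account 'jsmith' (John Smith).
foreach ($pw in 'Summer2024', 'jsmith#99', 'abcdefgh', 'Ab1$') {
    $r = Test-PasswordComplexity -Password $pw -AccountName 'jsmith' -FullName 'John Smith'
    '{0,-12} compliant={1} {2}' -f $pw, $r.Compliant, ($r.Reasons -join '; ')
}
```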

Store Passwords using reversible encryption

This security setting determines whether the password is stored using reversible encryption. If a password is stored using reversible encryption, then it becomes easier to decrypt the password. This setting is useful in certain cases, where an application or service requires the username and password of a user to perform certain functions. This setting should be enabled only if it is absolutely necessary. By default, this setting is disabled.
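
The weak values called out for the six settings above can be checked in one pass. This is an added example, not code from the original page; the function name Test-PasswordPolicy is hypothetical, and the input is assumed to have the property names of the object returned by the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy cmdlet.

```powershell
# Added example: flags the weak values described for the six Password Policy settings.
function Test-PasswordPolicy {
    param([Parameter(Mandatory)] $Policy)

    $zero = [TimeSpan]::Zero
    $findings = @()

    if ($Policy.PasswordHistoryCount -eq 0) {
        $findings += 'Enforce Password History is 0: old passwords can be reused.'
    }
    if ($Policy.MaxPasswordAge -eq $zero) {
        $findings += 'Maximum Password Age is 0: passwords never expire.'
    }
    if ($Policy.MinPasswordAge -eq $zero -and $Policy.PasswordHistoryCount -gt 0) {
        $findings += 'Minimum Password Age is 0: users can cycle through the history back to an old password.'
    }
    if ($Policy.MaxPasswordAge -gt $zero -and $Policy.MinPasswordAge -ge $Policy.MaxPasswordAge) {
        $findings += 'Minimum Password Age is not less than Maximum Password Age.'
    }
    if ($Policy.MinPasswordLength -eq 0) {
        $findings += 'Minimum Password Length is 0: no password is required.'
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'Passwords must meet complexity requirements is disabled.'
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'Store passwords using reversible encryption is enabled.'
    }
    $findings
}

# Constructed sample policy (not taken from a real domain).
$sample = [pscustomobject]@{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
    MinPasswordAge              = [TimeSpan]::Zero
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $true
}
Test-PasswordPolicy -Policy $sample

# On a domain-joined host with the ActiveDirectory module installed:
# Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
```

For the constructed sample, the function reports two findings: the zero Minimum Password Age and the enabled reversible encryption.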


© 2020 Zoho Corporation Pvt. Ltd. All Rights Reserved.