Bobcares

Domain Password Policy in the Active Directory – How to configure

by | Mar 31, 2021

We configure the Domain Password Policy in Active Directory to enforce a consistent level of security for user accounts.

With sufficient complexity, password length, and regular rotation of user and service account passwords, it is much harder for an attacker to brute-force or capture user passwords.

As part of our Server Management Services, we assist our customers with several Active Directory queries.

Today, let us see how to configure Domain Password Policy in the Active Directory.

 

Password Policy in the Default Domain Policy

By default, the Group Policy Object (GPO) settings in the Default Domain Policy set the common requirements for user passwords in the AD domain.

This policy is linked to the root of the domain and is applied by the domain controller that holds the PDC emulator FSMO role.

To configure the AD account password policy, our Support Techs suggest the following steps:

  1. Open the Group Policy Management console (gpmc.msc).
  2. Expand the domain and find the GPO named Default Domain Policy. Right-click it and select Edit.
  3. The password policies are located under: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.
  4. Double-click a policy setting to edit it. To enable a specific setting, check Define this policy setting and specify the required value. Save the changes.
  5. The new password policy is applied to all domain computers in the background (during Group Policy refresh or at computer boot), or we can apply it immediately by running the gpupdate /force command.

We can change the password policy settings from the GPO Management Console or by using:

Set-ADDefaultDomainPasswordPolicy -Identity woshub.com -MinPasswordLength 10 -LockoutThreshold 3

 

Basic Password Policy Settings on Windows

There are six password settings in GPO:

  • Enforce password history

This sets the number of previous passwords that AD remembers for each user, so a user cannot reuse any of them.

However, a domain admin or a user who has password reset permissions can still manually set an old password on the account.

  • Maximum password age

This sets the password expiration period in days. Once the password expires, Windows prompts the user to change it.

To find out when a specific user's password expires, we run:

Get-ADUser -Identity c.bob -Properties msDS-UserPasswordExpiryTimeComputed | Select-Object @{Name="ExpirationDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

  • Minimum password length

Our Support Techs recommend passwords that contain at least 8 characters.

  • Minimum password age

This sets the minimum time a user must wait before changing the password again. It stops a user from changing the password several times in a row just to flush an old password out of the Password History and then set it again.

As a precaution, it is worth setting this to 1 day, so that a user can still change a compromised password themselves without a long wait.

  • Password must meet complexity requirements

Once the policy is enabled, the password cannot contain the user's account name, and it must use characters from at least 3 of these categories: digits (0–9), uppercase letters, lowercase letters, and special characters.

In addition, to catch weak passwords that still satisfy the policy, we recommend regularly auditing user passwords in the AD domain.

  • Store passwords using reversible encryption

User passwords are stored in encrypted form in the AD database, but in some cases we have to grant certain applications access to user passwords. If we enable this setting, passwords are far less protected. It is not secure and should stay disabled unless an application strictly requires it.
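The per-user expiry query, the recommended password audit, and the reversible-encryption setting above all come together in the following added example (not part of the original post, and not a Bobcares script). It assumes the ActiveDirectory PowerShell module (RSAT) and read access to user objects, and lists enabled accounts whose flags bypass the domain policy or whose passwords have expired or are about to; the 14-day warning window is an assumption.

```powershell
# Added example (not from the original post): audit enabled user accounts for
# flags that bypass the domain password policy and for expired/expiring passwords.
Import-Module ActiveDirectory

function Get-PasswordPolicyExceptions {
    param([int]$ExpiringWithinDays = 14)   # assumption: 14-day warning window

    $now   = Get-Date
    $props = 'PasswordLastSet', 'PasswordNeverExpires', 'PasswordNotRequired',
             'AllowReversiblePasswordEncryption', 'msDS-UserPasswordExpiryTimeComputed'

    Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
        $issues = @()
        # Flags on the account object override the GPO password policy for that user
        if ($_.PasswordNeverExpires)              { $issues += 'PasswordNeverExpires' }
        if ($_.PasswordNotRequired)               { $issues += 'PasswordNotRequired (blank password allowed)' }
        if ($_.AllowReversiblePasswordEncryption) { $issues += 'ReversibleEncryption' }
        if (-not $_.PasswordLastSet)              { $issues += 'PasswordNeverSet' }

        # Expiry as computed by AD from the effective policy (default or fine-grained);
        # [long]::MaxValue means the password never expires, 0 means it was never set
        $raw     = $_.'msDS-UserPasswordExpiryTimeComputed'
        $expires = $null
        if ($raw -and $raw -ne [long]::MaxValue -and $raw -ne 0) {
            $expires = [datetime]::FromFileTime($raw)
            if ($expires -lt $now) {
                $issues += 'PasswordExpired'
            } elseif ($expires -lt $now.AddDays($ExpiringWithinDays)) {
                $issues += "ExpiresIn$([int](($expires - $now).TotalDays))d"
            }
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                User            = $_.SamAccountName
                PasswordLastSet = $_.PasswordLastSet
                Expires         = $expires
                Issues          = $issues -join ', '
            }
        }
    }
}

Get-PasswordPolicyExceptions | Sort-Object User | Format-Table -AutoSize
```

Accounts flagged PasswordNotRequired or ReversibleEncryption are worth reviewing first, since those attributes silently exempt the user from the minimum length and storage rules set in the GPO.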

If a user tries to set a password that does not meet the domain password policy, the following error message appears:

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

Additionally, we should configure the following settings in the GPO section Account Lockout Policy:

  1. Account Lockout Threshold: the number of failed sign-in attempts a user can make before the account is locked out.
  2. Account Lockout Duration: how long the account stays locked after the user enters the wrong password too many times.
  3. Reset account lockout counter after: the number of minutes after which the failed-attempt counter for the Account Lockout Threshold is reset.

If a specific domain account is locked out too often, we can identify the source of the account lockouts using this method.

The default settings of password policies in the AD domain are:

Policy                                                   Default value

Enforce password history                                      24 passwords
Maximum password age                                          42 days
Minimum password age                                          1 day
Minimum password length                                       7
Password must meet complexity requirements                    Enabled
Store passwords using reversible encryption                   Disabled
Account lockout duration                                      Not set
Account lockout threshold                                     0
Reset account lockout counter after                           Not set

Generally, Microsoft recommends using the following password policy settings:

  • Enforce Password History: 24
  • Maximum password age: not set
  • Minimum password age: not set
  • Minimum password length: 14
  • Password must meet complexity requirements: Enabled
  • Store passwords using reversible encryption: Disabled
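To check the live default domain policy against the recommended values listed above, here is an added example (not from the original post). It assumes the ActiveDirectory module and domain read rights; the lockout threshold of 3 is taken from the Set-ADDefaultDomainPasswordPolicy example earlier, and the Set-* line at the end is left commented out so the script only reports until the change has been reviewed.

```powershell
# Added example (not from the original post): compare the default domain
# password policy with the recommended baseline and report every shortfall.
Import-Module ActiveDirectory

# Baseline from the recommendations above; LockoutThreshold is our assumption
# (the article's Set-ADDefaultDomainPasswordPolicy example uses 3).
$Baseline = @{
    PasswordHistoryCount        = 24
    MinPasswordLength           = 14
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 3
}

function Test-DefaultPasswordPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $policy   = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = @()

    # Numeric settings must be at least the baseline value
    foreach ($name in 'PasswordHistoryCount', 'MinPasswordLength') {
        if ($policy.$name -lt $Baseline[$name]) {
            $findings += [pscustomobject]@{ Setting = $name; Current = $policy.$name; Expected = ">= $($Baseline[$name])" }
        }
    }
    # Boolean settings must match exactly
    foreach ($name in 'ComplexityEnabled', 'ReversibleEncryptionEnabled') {
        if ($policy.$name -ne $Baseline[$name]) {
            $findings += [pscustomobject]@{ Setting = $name; Current = $policy.$name; Expected = $Baseline[$name] }
        }
    }
    # A threshold of 0 (the AD default) means accounts never lock out after failed logons
    if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings += [pscustomobject]@{ Setting = 'LockoutThreshold'; Current = $policy.LockoutThreshold; Expected = "1..$($Baseline.LockoutThreshold)" }
    }
    return $findings
}

$report = @(Test-DefaultPasswordPolicy)
if ($report.Count -eq 0) { 'Default domain password policy meets the baseline.' }
else { $report | Format-Table -AutoSize }

# Enforce the baseline only after the report has been reviewed:
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -MinPasswordLength 14 `
#     -PasswordHistoryCount 24 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -LockoutThreshold 3
```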

 

How to Check the Current Password Policy in AD Domain

We can see the current password policy settings in the Default Domain Policy in the gpmc.msc console (on the Settings tab).

We can also display the password policy settings with the following command (sample output shown below):

Get-ADDefaultDomainPasswordPolicy
ComplexityEnabled: True
DistinguishedName: DC=woshub,DC=com
LockoutDuration: 00:20:00
LockoutObservationWindow: 00:30:00
LockoutThreshold: 0
MaxPasswordAge: 60.00:00:00
MinPasswordAge: 1.00:00:00
MinPasswordLength: 8
objectClass : {domainDNS}
PasswordHistoryCount: 24
ReversibleEncryptionEnabled: False

In addition, we can check the current AD password policy settings on any domain computer using the gpresult command.

 

Multiple Password Policies in an Active Directory Domain

The domain controller that holds the PDC Emulator FSMO role manages the domain password policy. Domain administrator rights are required to edit the Default Domain Policy settings.

Initially, we have only one password policy in the domain, which applies to the domain root and affects all users without exception.

Domain password policy only affects user AD objects.

Prior to Active Directory in Windows Server 2008, only one password policy could be configured per domain.

However, in newer versions of AD we can create multiple password policies for different users or groups using Fine-Grained Password Policies (FGPP), stored as Password Settings Objects (PSOs).

For example, we can create a PSO with a longer minimum length or stricter complexity for domain admin accounts, or relax the password requirements for some accounts, or even remove them completely.
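The following added example (not from the original post) shows the PSO case described above: it creates a stricter fine-grained policy for Domain Admins and then resolves which policy actually applies to a user. The policy name, precedence and setting values are our own choices, and c.bob is the sample user from earlier in the article.

```powershell
# Added example (not from the original post): a stricter PSO for privileged
# accounts, plus a helper that shows the effective policy for one user.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'   # assumption: our policy name
$group   = 'Domain Admins'            # global security group the PSO applies to

# Precedence: when several PSOs cover the same user, the lowest value wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
}

# PSOs are linked to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # AD returns the winning PSO for the user; if none applies, the
    # Default Domain Policy is in effect, so fall back to that.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { return $pso }
    return Get-ADDefaultDomainPasswordPolicy
}

# A member of Domain Admins should now resolve to the stricter PSO
Get-EffectivePasswordPolicy -SamAccountName 'c.bob' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

Name and Precedence are empty in the output when the fallback default domain policy is returned, which is a quick way to spot users no PSO reaches.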

In a workgroup environment, we have to configure the password policy on each computer separately with the local Group Policy editor (gpedit.msc).


 

Conclusion

In short, configuring the Domain Password Policy in Active Directory enforces a consistent level of security for user accounts. Today, we saw an effective method to configure it.
