
Domain Password Policy in the Active Directory – How to configure

Mar 31, 2021

We configure Domain Password Policy in the Active Directory to ensure a high level of security for user accounts.

With sufficient complexity, password length, and the frequency of changing user and service account passwords, it will be hard for an attacker to brute-force or capture user passwords.

As part of our Server Management Services, we assist our customers with several Active Directory queries.

Today, let us see how to configure Domain Password Policy in the Active Directory.


Password Policy in the Default Domain Policy

By default, we use the Group Policy (GPO) settings to set common requirements for user passwords in the AD domain.

This policy links to the root of the domain and must apply to a domain controller with the PDC emulator role.

To configure the AD account password policy, our Support Techs suggest the following steps:

  1. Initially, open the Group Policy Management console (gpmc.msc)
  2. Expand the domain and find the GPO named Default Domain Policy. Right-click it and select Edit
  3. Password policies are in: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy
  4. Double-click a policy setting to edit it. To enable a specific policy setting, check Define this policy setting and specify the necessary value. Save the changes.
  5. The new password policy is applied to all domain computers in the background or during computer boot, or we can apply the policy immediately by running the gpupdate /force command.

We can change the password policy settings from the GPO Management Console or by using:

Set-ADDefaultDomainPasswordPolicy -Identity woshub.com -MinPasswordLength 10 -LockoutThreshold 3


Basic Password Policy Settings on Windows

There are six password settings in GPO:

  • Enforce password history

Here, we can set the number of old passwords stored in AD, which prevents a user from reusing an old password.

However, the domain admin or user who has password reset permissions can manually set the old password for the account.

  • Maximum password age

Here, we can set the password expiration in days. Once it expires, Windows will ask us to change the password.

To find when a specific user’s password expires, we run:

Get-ADUser -Identity c.bob -Properties msDS-UserPasswordExpiryTimeComputed | Select-Object @{Name="ExpirationDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

  • Minimum password length

Our Support Techs recommend passwords that contain at least 8 characters.

  • Minimum password age

This sets how soon a user can change a password again after changing it. It prevents the user from changing the password several times in a row to push old passwords out of the Password History and get back to an old one.

As a precaution, it is worth setting 1 day here so that users can still change a password themselves if it is compromised.

  • Password must meet complexity requirements

Once we enable the policy, a user cannot use the account name in a password, and the password must use 3 of the following types of characters: numbers (0–9), uppercase letters, lowercase letters, and special characters.

In addition, to prevent weak passwords, we recommend regularly auditing user passwords in the AD domain.

  • Store passwords using reversible encryption

User passwords are stored encrypted in the AD database, but in some cases we have to give some apps access to user passwords. If we do so, passwords are less protected. It is not secure.

If a user tries to change a password that does not match the password policy in the domain, the error message will appear:

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

Additionally, we should configure the following password settings in the GPO section Account Lockout Password:

  1. Account Lockout Threshold: the number of failed sign-in attempts the user can make before the account is locked out.
  2. Account Lockout Duration: how long an account stays locked if the user enters the wrong password several times.
  3. Reset account lockout counter after: the number of minutes after which the Account Lockout Threshold counter is reset.

If the specific domain account locks out too often, we can identify the source of account lockouts using this method.

The default settings of password policies in the AD domain are:

Policy                                                   Default value

Enforce password history                                      24 passwords
Maximum password age                                          42 days
Minimum password age                                          1 day
Minimum password length                                       7
Password must meet complexity requirements                    Enabled
Store passwords using reversible encryption                   Disabled
Account lockout duration                                      Not set
Account lockout threshold                                     0
Reset account lockout counter after                           Not set

Generally, Microsoft recommends using the following password policy settings:

  • Enforce Password History: 24
  • Maximum password age: not set
  • Minimum password age: not set
  • Minimum password length: 14
  • Password must meet complexity: Enabled
  • Store passwords using reversible encryption: Disabled


How to Check the Current Password Policy in AD Domain

We can see the current password policy settings in the Default Domain Policy in the gpmc.msc console (on the Settings tab).

We can also display password policy information using the command:

ComplexityEnabled: True
DistinguishedName: DC=woshub,DC=com
LockoutDuration: 00:20:00
LockoutObservationWindow: 00:30:00
LockoutThreshold: 0
MaxPasswordAge: 60.00:00:00
MinPasswordAge: 1.00:00:00
MinPasswordLength: 8
objectClass: {domainDNS}
PasswordHistoryCount: 24
ReversibleEncryptionEnabled: False

In addition, we can check the current AD password policy settings on any domain computer using the gpresult command.
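
As an added example (not part of the original article), the PowerShell function below checks a policy object with the properties shown above against the recommended values listed earlier. The function name Test-DomainPasswordPolicy and the sample object are assumptions of this example; on a domain-joined host, Get-ADDefaultDomainPasswordPolicy from the ActiveDirectory module returns an object with these properties.

```powershell
# Added example: compare a domain password policy object with a baseline.
# Baseline values are the recommended settings listed in this article.
function Test-DomainPasswordPolicy {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Policy
    )
    process {
        $checks = @(
            @{ Setting = 'PasswordHistoryCount';        Want = '>= 24'; Pass = $Policy.PasswordHistoryCount -ge 24 }
            @{ Setting = 'MinPasswordLength';           Want = '>= 14'; Pass = $Policy.MinPasswordLength -ge 14 }
            @{ Setting = 'ComplexityEnabled';           Want = 'True';  Pass = [bool]$Policy.ComplexityEnabled }
            @{ Setting = 'ReversibleEncryptionEnabled'; Want = 'False'; Pass = -not $Policy.ReversibleEncryptionEnabled }
            # A threshold of 0 means accounts are never locked out; this example flags it.
            @{ Setting = 'LockoutThreshold';            Want = '> 0';   Pass = $Policy.LockoutThreshold -gt 0 }
        )
        foreach ($c in $checks) {
            [pscustomobject]@{
                Setting  = $c.Setting
                Current  = $Policy.($c.Setting)
                Expected = $c.Want
                Result   = if ($c.Pass) { 'OK' } else { 'REVIEW' }
            }
        }
    }
}

# Constructed sample that mirrors the output shown above, so the function
# can be tried without a domain controller.
$sample = [pscustomobject]@{
    ComplexityEnabled           = $true
    LockoutDuration             = [timespan]'00:20:00'
    LockoutObservationWindow    = [timespan]'00:30:00'
    LockoutThreshold            = 0
    MaxPasswordAge              = [timespan]'60.00:00:00'
    MinPasswordAge              = [timespan]'1.00:00:00'
    MinPasswordLength           = 8
    PasswordHistoryCount        = 24
    ReversibleEncryptionEnabled = $false
}
$sample | Test-DomainPasswordPolicy | Format-Table -AutoSize

# Against the live domain (requires the ActiveDirectory module):
# Get-ADDefaultDomainPasswordPolicy | Test-DomainPasswordPolicy
```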


Multiple Password Policies in an Active Directory Domain

The domain controller that owns the PDC Emulator FSMO role manages the domain password policy. Domain administrator rights are required to edit the Default Domain Policy settings.

Initially, we have only one password policy in the domain, which applies to the domain root and affects all users without exception.

Domain password policy only affects user AD objects.

Prior to Active Directory in Windows Server 2008, only one password policy could be configured per domain.

However, in newer versions of AD, we can create multiple password policies for different users or groups using the Fine-Grained Password Policies (FGPP).

For example, we can create a Password Settings Object (PSO) with increased password length or complexity for domain admin accounts, or make the passwords of some accounts simpler or even disable them completely.
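
One way to create such a PSO for domain admin accounts from PowerShell, as an added example that is not part of the original article. The PSO name, the precedence and all values are hypothetical, and c.bob is assumed here to be a member of Domain Admins.

```powershell
# Added example: stricter fine-grained password policy for domain admins.
# All names and values are hypothetical; adjust them to your own baseline.
Import-Module ActiveDirectory

$psoName = 'PSO-DomainAdmins'   # hypothetical PSO name

# A lower Precedence number wins when several PSOs apply to the same user.
# LockoutDuration must not be shorter than LockoutObservationWindow.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -ProtectedFromAccidentalDeletion $true

# PSOs apply to user objects and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Confirm which PSO is in effect for an account in that group.
Get-ADUserResultantPasswordPolicy -Identity c.bob |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies to the account; in that case the Default Domain Policy settings are in effect.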

In a workgroup environment, we have to configure password policies on each computer with the local GPO editor – gpedit.msc.




In short, configuring Domain Password Policy in the Active Directory ensures a high level of security for user accounts. Today, we saw an effective method to configure the same.

