To ensure a high level of security for user accounts in an Active Directory domain, an administrator must configure and enforce a domain password policy. The password policy should require sufficient complexity and length for user and service account passwords and define how often they must be changed. This makes it harder for an attacker to brute-force user passwords or to recover them when they are sent over the network.
Password Policy in the Default Domain Policy
By default, common requirements for user passwords in an AD domain are set with Group Policy (GPO) settings. The password policy for domain user accounts is configured in the Default Domain Policy. This policy is linked to the root of the domain and is processed by the domain controller that holds the PDC Emulator role.
- To configure the AD account password policy, open the Group Policy Management console (gpmc.msc);
- Expand your domain and find the GPO named Default Domain Policy. Right-click it and select Edit;
- Password policies are located in the following GPO section: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy;
- Double-click a policy setting to edit it. To enable a specific policy setting, check Define this policy setting and specify the necessary value (on the screenshot below, I have set the minimum password length to 8 characters). Save the changes;
- The new password policy settings are applied to all domain computers in the background after some time (within 90 minutes) or during computer startup; you can also apply the policy immediately by running the gpupdate /force command.
You can change the password policy settings from the GPO Management console or by using the PowerShell cmdlet Set-ADDefaultDomainPasswordPolicy:
Set-ADDefaultDomainPasswordPolicy -Identity woshub.com -MinPasswordLength 10 -LockoutThreshold 3
Basic Password Policy Settings on Windows
Let’s consider all available Windows password settings. There are six password settings in GPO:
- Enforce password history – determines the number of old passwords stored in AD, thus preventing a user from reusing an old password. However, a domain admin or a user who has been delegated password reset permissions in AD can still manually set an old password for the account;
- Maximum password age – sets the password expiration in days. After the password expires, Windows asks the user to change it. This ensures that users change their passwords regularly. You can find out when a specific user’s password expires using PowerShell:
Get-ADUser -Identity j.werder -Properties msDS-UserPasswordExpiryTimeComputed | select-object @{Name="ExpirationDate";Expression= {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }}
- Minimum password length – it is recommended that passwords contain at least 8 characters (if you specify 0 here, a password is not required);
- Minimum password age – sets how often users may change their passwords. This setting prevents a user from changing the password several times in a row just to push a favourite old password out of the password history and set it again. As a rule, it is worth setting 1 day here so that users can change a compromised password themselves (otherwise an administrator will have to change it);
- Password must meet complexity requirements – if the policy is enabled, a user cannot use the account name in the password (no more than 2 consecutive characters of the username or first name), and the password must contain characters from at least 3 of these categories: numbers (0–9), uppercase letters, lowercase letters and special characters ($, #, %, etc.). Also, to prevent the use of weak passwords (those found in password dictionaries), it is recommended to regularly audit user passwords in the AD domain;
- Store passwords using reversible encryption – user passwords are stored in the AD database in a non-reversible form, but in some cases you have to give certain applications access to the user password itself. If this policy setting is enabled, passwords are far less protected (effectively plain text). It is not secure (an attacker who compromises a DC can obtain the password database; read-only domain controllers (RODC) can be used as one of the protection measures).
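As an added example (not code from the original article), here is a PowerShell function that applies the complexity rules described in this list to a candidate password before it is set, for instance in an account provisioning script. The function and parameter names are my own, and the 3-of-4 category check and the 3-consecutive-character check follow the article's description rather than the full Windows password filter.

```powershell
# Added example: pre-check a candidate password against the complexity rules
# described in the article (length, 3 of 4 character categories, no run of
# 3+ characters taken from the username or first name). Names are my own.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$GivenName = '',
        [int]$MinLength = 8
    )
    $problems = @()
    if ($Password.Length -lt $MinLength) {
        $problems += "shorter than $MinLength characters"
    }
    # Count the character categories present: digits, upper, lower, special
    $categories = 0
    if ($Password -cmatch '[0-9]')        { $categories++ }
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -cmatch '[^0-9A-Za-z]') { $categories++ }
    if ($categories -lt 3) {
        $problems += "only $categories of 4 character categories used"
    }
    # Reject any 3-character fragment of the account name or first name
    # that appears in the password (case-insensitive)
    foreach ($name in @($SamAccountName, $GivenName)) {
        for ($i = 0; $i + 3 -le $name.Length; $i++) {
            $fragment = $name.Substring($i, 3)
            if ($Password.IndexOf($fragment, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $problems += "contains '$fragment' from the account name"
                break
            }
        }
    }
    [pscustomobject]@{ Compliant = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample calls: the first fails (contains 'wer' from j.werder),
# the second passes
Test-PasswordComplexity -Password 'Werder2024!' -SamAccountName 'j.werder' -GivenName 'John'
Test-PasswordComplexity -Password 'Tq7#pLz9vK' -SamAccountName 'j.werder' -GivenName 'John'
```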
If a user tries to set a new password that does not meet the domain password policy, the following error message appears:
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
In addition, the following settings should be configured in the GPO section Account Lockout Policy:
- Account Lockout Threshold – the number of failed sign-in attempts (with a wrong password) a user can make before the account is locked out;
- Account Lockout Duration – how long an account stays locked after the user has entered a wrong password too many times;
- Reset account lockout counter after – the number of minutes after which the Account Lockout Threshold counter is reset.
The default settings of password policies in the AD domain are listed in the table below:
| Policy | Default value |
| --- | --- |
| Enforce password history | 24 passwords |
| Maximum password age | 42 days |
| Minimum password age | 1 day |
| Minimum password length | 7 |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption | Disabled |
| Account lockout duration | Not set |
| Account lockout threshold | 0 |
| Reset account lockout counter after | Not set |
In the Security Compliance Toolkit, Microsoft recommends using the following password policy settings:
- Enforce Password History: 24
- Maximum password age: not set
- Minimum password age: not set
- Minimum password length: 14
- Password must meet complexity: Enabled
- Store passwords using reversible encryption: Disabled
How to Check the Current Password Policy in AD Domain?
You can see the current password policy settings in the Default Domain Policy in the gpmc.msc console (on the Settings tab).
You can also display password policy information using PowerShell (the AD PowerShell module must be installed on the computer):
Get-ADDefaultDomainPasswordPolicy
ComplexityEnabled           : True
DistinguishedName           : DC=woshub,DC=com
LockoutDuration             : 00:20:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 60.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 8
ObjectClass                 : {domainDNS}
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False
Also, you can check the current AD password policy settings on any domain computer using the gpresult command.
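As an added example (not code from the original article), this PowerShell function reads the current default domain password policy and compares it with the Security Compliance Toolkit values listed earlier, reporting every setting that deviates; the function name is my own, it requires the ActiveDirectory module, and the toolkit settings marked "not set" are deliberately left out of the comparison.

```powershell
# Added example: audit the default domain password policy against the
# Security Compliance Toolkit baseline quoted in the article. Function name
# and baseline hashtable are my own; requires the ActiveDirectory module.
function Get-DomainPasswordPolicyDrift {
    param(
        # Baseline values from the toolkit; "not set" items (max/min age) are skipped
        [hashtable]$Baseline = @{
            PasswordHistoryCount        = 24
            MinPasswordLength           = 14
            ComplexityEnabled           = $true
            ReversibleEncryptionEnabled = $false
        }
    )
    $policy = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $Baseline.Keys) {
        $actual = $policy.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Baseline[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Baseline[$name])
        }
    }
}

# Show the drift report; non-compliant rows are the ones to fix
Get-DomainPasswordPolicyDrift | Sort-Object Compliant | Format-Table -AutoSize

# To bring the drifted settings in line in one step (domain admin rights required):
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
#     -PasswordHistoryCount 24 -MinPasswordLength 14 `
#     -ComplexityEnabled $true -ReversibleEncryptionEnabled $false
```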
Multiple Password Policies in an Active Directory Domain
The domain controller, the owner of the PDC Emulator FSMO role, is responsible for managing the domain password policy. Domain administrator rights are required to edit the Default Domain Policy settings.
Originally, there could be only one password policy in the domain; it is linked to the domain root and affects all users without exception (there are some nuances, which we will discuss later). Even if you create a new GPO with different password settings and link it to a specific OU with the Enforced and Block Inheritance options, its password settings will not apply to users.
Prior to Active Directory in Windows Server 2008, only one password policy could be configured per domain. In newer versions of AD, you can create multiple password policies for different users or groups using Fine-Grained Password Policies (FGPP). Fine-Grained Password Policies let you create and enforce different Password Settings Objects (PSOs). For example, you can create a PSO with increased password length or complexity for domain admin accounts, or make the passwords of some accounts simpler or even disable password requirements for them completely.
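As an added example (not code from the original article), the following PowerShell creates a stricter PSO for the Domain Admins group, applies it, and then confirms which policy is actually effective for one admin account. The PSO name, the numeric values and the sample account name 'adm.jdoe' are placeholders of my own choosing.

```powershell
# Added example: create a Fine-Grained Password Policy (PSO) for privileged
# accounts and verify the resultant policy. PSO name, values and the sample
# account are placeholders; requires the ActiveDirectory module.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $psoParams = @{
        Name                        = $psoName
        Precedence                  = 10      # lower value wins if several PSOs apply
        MinPasswordLength           = 20
        PasswordHistoryCount        = 24
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        MinPasswordAge              = (New-TimeSpan -Days 1)
        MaxPasswordAge              = (New-TimeSpan -Days 90)
        LockoutThreshold            = 5
        LockoutDuration             = (New-TimeSpan -Minutes 30)
        # observation window must not exceed the lockout duration
        LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    }
    New-ADFineGrainedPasswordPolicy @psoParams
}

# PSOs apply to users and global security groups, not to OUs
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Check which policy wins for a given admin account (sample name)
Get-ADUserResultantPasswordPolicy -Identity 'adm.jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

If the last command returns nothing, the account is governed by the Default Domain Policy rather than by any PSO.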
4 comments
NOT – Computer configuration-> Windows Settings->Security Settings -> Account Policies -> Password Policy;
BUT – Computer configuration-> Policies-> Windows Settings->Security Settings -> Account Policies -> Password Policy;
You are right, here I need to specify the path in the domain, and not in the local GPO.
An affordable way to get many more options and flexibility is ActivePasswords. Target security groups or OUs, fine-tune (multiple) password requirements in detail and get logging. Controlled through group policy. Small and easy to set up.
The default password policy not only applies to User objects, it also applies to local accounts on domain-joined machines.