Ultimate Guide to Configuring Default Password Policy in Active Directory – Best Practices and Tips
By default, Active Directory is configured with a default domain password policy. This policy defines the password requirements for Active Directory user accounts, such as password length, age, and so on.
Password Policy Settings
Enforce password history:
This setting defines how many unique passwords must be used before an old password can be reused. For example, if my current password is “Th334goore0!” then I can’t reuse that password until I’ve changed my password 24 times (or whatever number the policy is set to). This setting is useful so users don’t keep reusing the same password. The default setting is 24.
Maximum password age:
This setting defines how long, in days, a password can be used before it needs to be changed. The default setting is 42 days.
Minimum password age
This setting determines how long a password must be used before it can be changed. The default setting is 1 day.
Minimum password length
This setting determines how many characters a password must have. The default is 7. This means my password must contain at least 7 characters.
Password must meet complexity requirements
If enabled, passwords must meet these requirements:
- Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
This is enabled by default.
Store passwords using reversible encryption
This setting determines whether the operating system stores passwords using reversible encryption. This is essentially the same as storing the plaintext versions of passwords. This policy should NEVER be set to enabled unless you have some very specific application requirements.
Modify Default Domain Password Policy
1. Log in to your Domain Controller (or use a Windows client with RSAT installed). Click the Start button and find Windows Administrative Tools in the apps list;
2. Click Group Policy Management;
3. Find Default Domain Policy (Forest\Domains\<Domain Name>\Group Policy Objects);
If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option.
TechNet: Linking GPOs
Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.
TechNet: Establishing Group Policy Operational Guidelines
4. Right-click Default Domain Policy and select Edit;
5. Go to Password Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Password Policy) and configure the password policy settings as desired;
6. Enforce password history – how many passwords the system will remember, that is, how many unique passwords a user must use before an old one can be reused;
7. Maximum password age – how long a password is valid. After this period, the user will be prompted to reset the password. (You can set “0” for “unlimited” age time);
8. Minimum password age – the user may change the password after this period. (You can set “0” for “unlimited” age time);
9. Minimum password length – passwords cannot be shorter than this value;
10. Password must meet complexity requirements – set this parameter if you need very strong passwords (small “a” and big “A” letters, digits “1” and special symbols “!”);
11. Store passwords using reversible encryption – not used in the domain by default; enable it only if an application requires it.
You can also view the default password policy with Windows PowerShell:
Get-ADDefaultDomainPasswordPolicy
TIP: Make sure you inform all your users when you are going to do this, as it may trigger them to change their password the next time they log on.
NOTE: Even if you apply the password policies to the “Domain Controllers” OU, it will not modify the domain’s password policy. As far as I know, this is the only exception to the rule as to how GPOs apply to objects.
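The following added example (not part of the original article) takes the object returned by Get-ADDefaultDomainPasswordPolicy and flags any setting weaker than the defaults listed above. The function name Test-PasswordPolicyBaseline and the sample policy are hypothetical, and treating the defaults as a minimum baseline is an assumption of this example.

```powershell
# Added example (not from the original article). The minimum values below are
# the defaults quoted in the article; using them as a baseline is an assumption.
function Test-PasswordPolicyBaseline {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Policy
    )
    process {
        # MaxPasswordAge and MinPasswordAge are TimeSpan values on the policy object.
        $maxDays = $Policy.MaxPasswordAge.Days
        $minDays = $Policy.MinPasswordAge.Days
        $checks = @(
            @{ Setting = 'Enforce password history';    Actual = $Policy.PasswordHistoryCount;        Baseline = '>= 24';   Ok = $Policy.PasswordHistoryCount -ge 24 }
            # A maximum age of 0 means passwords never expire, so it is flagged.
            @{ Setting = 'Maximum password age (days)'; Actual = $maxDays;                            Baseline = '1 to 42'; Ok = ($maxDays -ge 1 -and $maxDays -le 42) }
            @{ Setting = 'Minimum password age (days)'; Actual = $minDays;                            Baseline = '>= 1';    Ok = $minDays -ge 1 }
            @{ Setting = 'Minimum password length';     Actual = $Policy.MinPasswordLength;           Baseline = '>= 7';    Ok = $Policy.MinPasswordLength -ge 7 }
            @{ Setting = 'Complexity requirements';     Actual = $Policy.ComplexityEnabled;           Baseline = 'True';    Ok = [bool]$Policy.ComplexityEnabled }
            @{ Setting = 'Reversible encryption';       Actual = $Policy.ReversibleEncryptionEnabled; Baseline = 'False';   Ok = -not $Policy.ReversibleEncryptionEnabled }
        )
        foreach ($c in $checks) {
            [pscustomobject]@{
                Setting  = $c.Setting
                Actual   = $c.Actual
                Baseline = $c.Baseline
                Result   = if ($c.Ok) { 'OK' } else { 'REVIEW' }
            }
        }
    }
}

# Constructed sample policy so the function runs without a domain.
$sample = [pscustomobject]@{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [timespan]::FromDays(90)
    MinPasswordAge              = [timespan]::FromDays(0)
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $true
}
$sample | Test-PasswordPolicyBaseline | Format-Table -AutoSize

# On a domain-joined host with the ActiveDirectory module (RSAT):
# Get-ADDefaultDomainPasswordPolicy | Test-PasswordPolicyBaseline | Format-Table -AutoSize
```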