Ultimate Guide to Configuring Default Password Policy in Active Directory – Best Practices and Tips
By default, Active Directory is configured with a default domain password policy. This policy defines the password requirements for Active Directory user accounts, such as password length, age, and so on.
Password Policy Settings
Enforce password history:
This setting defines how many unique passwords must be used before an old password can be reused. For example, if my current password is “Th334goore0!” then I can’t reuse that password until I’ve changed my password 24 times (or whatever number the policy is set to). This setting is useful so users don’t keep reusing the same password. The default setting is 24.
Maximum password age:
This setting defines how long, in days, a password can be used before it needs to be changed. The default setting is 42 days.
Minimum password age
This setting determines how long a password must be used before it can be changed. The default setting is 1 day.
Minimum password length
This setting determines how many characters a password must have. The default is 7. This means my password must contain at least 7 characters.
Password must meet complexity requirements
If enabled, passwords must meet these requirements:
- Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
This is enabled by default.
Store passwords using reversible encryption
This setting determines whether the operating system stores passwords using reversible encryption. This is essentially the same as storing the plaintext versions of passwords. This policy should NEVER be set to enabled unless you have some very specific application requirements.
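To make the complexity rules listed above concrete, here is an added PowerShell example (not code from the original article or from Microsoft) that re-implements the check locally so you can see which rule a candidate password fails. The full-name tokenising (split on comma, period, hyphen, underscore, space, hash and tab; tokens of two characters or fewer ignored; account names shorter than three characters skipped) follows the documented behaviour of the Windows complexity filter; the function name and the sample accounts are constructed for this example.

```powershell
# Added example: local re-implementation of the "Password must meet complexity
# requirements" rules. Not the operating system's filter; it mirrors the
# documented rules so they can be checked offline without touching AD.
function Test-PasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisplayName = ''
    )

    $failures = New-Object System.Collections.Generic.List[string]

    # Rule 1: at least six characters. The separate "Minimum password length"
    # setting (7 by default) is enforced independently of this rule.
    if ($Password.Length -lt 6) {
        $failures.Add('shorter than six characters')
    }

    # Rule 2: must not contain the account name (checked whole, case-insensitive,
    # skipped when the account name is shorter than three characters) or any
    # part of the full name longer than two characters.
    $lower = $Password.ToLowerInvariant()
    if ($SamAccountName.Length -ge 3 -and $lower.Contains($SamAccountName.ToLowerInvariant())) {
        $failures.Add("contains account name '$SamAccountName'")
    }
    $nameParts = $DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -gt 2 }
    foreach ($part in $nameParts) {
        if ($lower.Contains($part.ToLowerInvariant())) {
            $failures.Add("contains part of full name '$part'")
        }
    }

    # Rule 3: characters from at least three of the four categories.
    # -cmatch is case-sensitive, so [A-Z] and [a-z] are counted separately.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # English uppercase
    if ($Password -cmatch '[a-z]')        { $categories++ }   # English lowercase
    if ($Password -match  '[0-9]')        { $categories++ }   # base-10 digits
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # non-alphanumeric
    if ($categories -lt 3) {
        $failures.Add("only $categories of 4 character categories")
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($failures.Count -eq 0)
        Failures = ($failures -join '; ')
    }
}

# Constructed sample account and candidate passwords (not real credentials).
$samples = @(
    @{ Password = 'Th334goore0!'; Sam = 'jsmith'; Name = 'John Smith' },   # passes all rules
    @{ Password = 'Smith2024';    Sam = 'jsmith'; Name = 'John Smith' },   # contains full-name part
    @{ Password = 'alllower1';    Sam = 'jsmith'; Name = 'John Smith' },   # only 2 categories
    @{ Password = 'Ab1!';         Sam = 'jsmith'; Name = 'John Smith' }    # too short
)
$samples | ForEach-Object {
    Test-PasswordComplexity -Password $_.Password -SamAccountName $_.Sam -DisplayName $_.Name
} | Format-Table -AutoSize
```

The function reports every rule a password breaks rather than stopping at the first one, which is more useful when explaining to a user why a chosen password was rejected. Remember that the domain controller enforces these rules only when the policy setting is enabled, and that it enforces minimum length separately.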
Modify Default Domain Password Policy
1. Log in to your Domain Controller (or use a Windows client with RSAT installed). Click the Start button and find Windows Administrative Tools in the apps list;
2. Click on Group Policy Management;
3. Find Default Domain Policy (Forest\Domains\<Domain Name>\Group Policy Objects);
If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforced option.
TechNet: Linking GPOs
Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.
TechNet: Establishing Group Policy Operational Guidelines
4. Right-click on Default Domain Policy and select Edit;
5. Go to Password Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Password Policy) and configure the password policy settings to the configuration you desire;
6. Enforce password history – how many passwords the system will remember, i.e. how many unique passwords a user must use before an old password can be reused;
7. Maximum Password Age – how long the password lives. After this period the user will be prompted to reset the password. (You may set “0” for “unlimited” age time);
8. Minimum Password Age – the user may change the password only after this period. (You may set “0” for no waiting period);
9. Minimum Password Length – the minimum number of characters your passwords must have;
10. Password must meet complexity requirements – enable this parameter if you need very strong passwords (lowercase “a” and uppercase “A” letters, digits “1” and special symbols “!”);
11. Store passwords using reversible encryption – not used in the domain by default; enable it only if an application requires it.
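Once the policy is in place, the settings from steps 6 to 11 can be audited from PowerShell. The following is an added example (not code from the original article) that reads the effective domain policy with Get-ADDefaultDomainPasswordPolicy and compares it with the default values described above. It assumes the ActiveDirectory module (RSAT) is installed and the session is domain-joined; the baseline hashtable and the function name are this example's own, so adjust the baseline to your organisation's standard.

```powershell
# Added example: audit the effective domain password policy against a baseline.
# Requires the ActiveDirectory module (part of RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Baseline taken from the default values described in the article (assumption:
# your own standard may differ, e.g. a longer minimum length).
$baseline = [ordered]@{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
    MinPasswordAge              = [TimeSpan]::FromDays(1)
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
}

function Get-PasswordPolicyFindings {
    param(
        [Parameter(Mandatory)] $Policy,                                  # object from Get-ADDefaultDomainPasswordPolicy
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    foreach ($name in $Baseline.Keys) {
        $actual   = $Policy.$name
        $expected = $Baseline[$name]
        # "Stricter than baseline" counts as OK; only weaker settings are flagged.
        $ok = switch ($name) {
            'PasswordHistoryCount'        { $actual -ge $expected }
            # A zero MaxPasswordAge means passwords never expire, so treat it as weaker.
            'MaxPasswordAge'              { $actual -gt [TimeSpan]::Zero -and $actual -le $expected }
            'MinPasswordAge'              { $actual -ge $expected }
            'MinPasswordLength'           { $actual -ge $expected }
            'ComplexityEnabled'           { $actual -eq $true }
            'ReversibleEncryptionEnabled' { $actual -eq $false }   # must never be enabled
        }
        [pscustomobject]@{
            Setting  = $name
            Actual   = $actual
            Expected = $expected
            Status   = if ($ok) { 'OK' } else { 'REVIEW' }
        }
    }
}

$policy = Get-ADDefaultDomainPasswordPolicy
Get-PasswordPolicyFindings -Policy $policy -Baseline $baseline | Format-Table -AutoSize

# Any setting reported as REVIEW should be corrected in the GPO, as described in
# the steps above. Set-ADDefaultDomainPasswordPolicy can write the same
# attributes directly, but the Default Domain Policy GPO re-applies its own
# values on the PDC emulator at the next policy refresh, so treat the cmdlet as
# a way to preview the change, not as a substitute for editing the GPO.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -PasswordHistoryCount 24 -MaxPasswordAge (New-TimeSpan -Days 42) `
    -MinPasswordAge (New-TimeSpan -Days 1) -MinPasswordLength 7 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -WhatIf
```

Run the audit before and after editing the GPO (and after a `gpupdate /force` on the PDC emulator) to confirm the values in Active Directory actually changed; a REVIEW on ReversibleEncryptionEnabled should be treated as a finding to fix immediately.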
You can also view the default password policy with Windows PowerShell:
Get-ADDefaultDomainPasswordPolicy
TIP: Make sure you inform all your users when you are going to do this, as it may trigger them to change their password the next time they log on.
NOTE: Even if you apply the password policies to the “Domain Controllers” OU, it will not modify the domain’s password policy. As far as I know, this is the only exception to the rule as to how GPOs apply to objects.