Ultimate Guide to Configuring Default Password Policy in Active Directory – Best Practices and Tips. By default, Active Directory is configured with a default domain password policy. This policy defines the password requirements for Active Directory user accounts such as password length, age, and so on.
Password Policy Settings
Enforce password history:
This setting defines how many unique passwords must be used before an old password can be reused. For example, if my current password is “Th334goore0!” then I can’t reuse that password until I’ve changed my password 24 times (or whatever number the policy is set to). This setting is useful so users don’t keep reusing the same password. The default setting is 24
Maximum password age:
This setting defines how long in days a password can be used before it needs to be changed. The default setting is 42 days
Minimum password age
This setting determines how long a password must be used before it can be changed. The default setting is 1 day
Minimum password length
This setting determines how many characters a password must have. The default is 7. This means my password must contain at least 7 characters.
Password must meet complexity requirements
If enabled passwords must meet these requirements:
- Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Non-alphabetic characters (for example, !, $, #, %)
This is enabled by default
Store passwords using reversible encryption
This setting determines if the operating system stores password using reversible encryption. This is essentially the same as storing the plantest versions of passwords. This policy should NEVER be set to enabled unless you have some very specific application requirements.
Modify Default Domain Password Policy
1. Log in to your Domain Controller (or use a windows client with installed RSAT). Click on the Start button and find in the apps list Windows Administrative Tools;
2. Click on Group Policy Management;
3. Find Default Domain Policy (Forest\Domains\<Domain Name>\Group Policy Objects);
If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option.
TechNet: Linking GPOs
Do not modify the default domain policy or default domain controller policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.
TechNet: Establishing Group Policy Operational Guidelines
4. Right Mouse Button click on Default Domain Policy and select Edit;
5. Go to Password Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Password Policy) and configured the password policies settings to the configuration you desire;
6. Enforce password history – how many passwords the system will remember. How many unique passwords user must use when every time reset the password;
7. Maximum Password Age – how long will the password lives After this period user, will be prompted to reset the password. (You may set “0” for “unlimited” age time);
8. Minimum Password Age – the user may change the password after this period. (You may set “0” for “unlimited” age time);
9. Minimum Password Length – how long will be your passwords, but not less than this value;
10. Password must meet complexity requirements – you may set this parameter if you need in very strong passwords (small “a” and big “A” letters, digits “1” and special symbols “!“);
11. Store passwords using reversible encryption – by default not used in the domain, only if the application required it.
You can also view the default password policy with Windows Powershell:
Get-ADDefaultDomainPasswordPolicy
TIP: Make sure you inform all your users when you are going to do this as it may trigger them to change their password the next time they log on.
NOTE: Even if you apply the password policies to the “Domain Controllers” OU it will not modify the domain’s password policy. As far as I know, this is the only exception to the rule as to how GPOs apply to objects.