Ultimate Guide to Configuring Default Password Policy in Active Directory – Best Practices and Tips
By default, Active Directory is configured with a default domain password policy. This policy defines the password requirements for Active Directory user accounts, such as password length, age, etc.
Password Policy Settings
Enforce password history:
This setting defines how many unique passwords must be used before an old password can be reused. For example, if my current password is “Th334goore0!”, I can’t reuse that password until I’ve changed my password 24 times (or whatever number the policy is set to). This setting is useful so users don’t keep reusing the same password. The default setting is 24.
Maximum password age:
This setting defines how long, in days, a password can be used before it must be changed. The default setting is 42 days.
Minimum password age
This setting determines how long a password must be used before it can be changed. The default setting is 1 day.
Minimum password length
This setting determines how many characters a 密码 must have. The default is 7. This means my 密码 must contain at least 7 characters.
Password must meet complexity requirements
If enabled, passwords must meet these requirements:
- Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
This is enabled by default.
Store passwords using reversible encryption
This setting determines whether the operating system stores passwords using reversible encryption. This is essentially the same as storing the plaintext versions of passwords. This policy should NEVER be enabled unless you have a very specific application requirement for it.
Modify Default Domain Password Policy
1. Log in to your domain controller (or use a Windows client with RSAT installed). Click the Start button and find Windows Administrative Tools in the apps list;
2. Open Group Policy Management;
3. Locate the Default Domain Policy (Forest\Domains\<Domain Name>\Group Policy Objects);
If you need to modify some of the settings contained in the Default Domain Policy GPO, it is recommended that you create a new GPO for this purpose, link it to the domain, and set the Enforce option.
TechNet: Linking GPOs
Do not modify the Default Domain Policy or Default Domain Controllers Policy unless necessary. Instead, create a new GPO at the domain level and set it to override the default settings in the default policies.
TechNet: Establishing Group Policy Operational Guidelines
4. Right-click Default Domain Policy and select Edit;
5. Go to Password Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Password Policy) and configure the password policy settings to the configuration you desire;
6. Enforce password history – how many previous passwords the system remembers; the user must go through that many unique passwords before an old one can be reused;
7. Maximum password age – how long a password lives; after this period the user will be prompted to reset the password (you can set “0” for an unlimited age);
8. Minimum password age – the user may change the password only after this period (you can set “0” to disable the minimum age);
9. Minimum password length – passwords may be any length, but not shorter than this value;
10. Password must meet complexity requirements – set this parameter if you need very strong passwords (lowercase “a” and uppercase “A” letters, digits such as “1”, and special symbols such as “!”);
11. Store passwords using reversible encryption – not used in the domain by default; enable it only if an application requires it.
You can also view the default password policy with Windows PowerShell:
Get-ADDefaultDomainPasswordPolicy
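The function below is an added example, not code from the original article: it audits a password policy object against the default values listed above and flags the risky settings (reversible encryption on, unlimited maximum age, no minimum age, short length). It accepts the object returned by Get-ADDefaultDomainPasswordPolicy, or a constructed object with the same property names so it can be tried without a domain controller; the domain name in the sample is a placeholder.

```powershell
# Added example: audit a domain password policy against the article's defaults.
# The $Policy object is either the output of Get-ADDefaultDomainPasswordPolicy
# or any object exposing the same property names (see the constructed sample).
function Test-DomainPasswordPolicy {
    param(
        [Parameter(Mandatory = $true)] $Policy
    )
    $findings = @()
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'ReversibleEncryptionEnabled is True: passwords are effectively stored in plaintext'
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'ComplexityEnabled is False (default is True)'
    }
    if ($Policy.MinPasswordLength -lt 7) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength) (default is 7)"
    }
    if ($Policy.PasswordHistoryCount -lt 24) {
        $findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount) (default is 24)"
    }
    # Per the article, a maximum age of 0 means passwords never expire.
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
        $findings += 'MaxPasswordAge is 0: passwords never expire (default is 42 days)'
    }
    # With no minimum age a user can cycle through the history list in minutes
    # and land back on the old password, which defeats PasswordHistoryCount.
    if ($Policy.MinPasswordAge -eq [TimeSpan]::Zero) {
        $findings += 'MinPasswordAge is 0: password history can be bypassed by rapid changes'
    }
    [PSCustomObject]@{
        Policy   = $Policy.DistinguishedName
        Findings = $findings
        Pass     = ($findings.Count -eq 0)
    }
}

# Live use (needs the ActiveDirectory RSAT module and domain connectivity):
#   Test-DomainPasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)

# Constructed sample imitating a weakened policy, so the check runs offline.
$sample = [PSCustomObject]@{
    DistinguishedName           = 'DC=example,DC=local'   # placeholder domain
    ComplexityEnabled           = $true
    MinPasswordLength           = 5
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [TimeSpan]::Zero
    MinPasswordAge              = New-TimeSpan -Days 1
    ReversibleEncryptionEnabled = $true
}
Test-DomainPasswordPolicy -Policy $sample
```

For the sample the result has Pass set to False with three findings (reversible encryption, length 5, maximum age 0); a default policy returns an empty Findings list.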
PowerShell tip: Make sure you inform all your users before you do this, as it may prompt them to change their password the next time they log in.
Note: Even if you apply the password policies to the “Domain Controllers” OU, it will not modify the domain’s password policy. As far as I know, this is the only exception to the rule of how GPOs apply to objects.