How to Set and Manage Active Directory Password Policy

With cyberattacks exploding around the world, it's more important than ever for organizations to have a robust password policy. Hackers frequently gain access to corporate networks through legitimate user or admin credentials, leading to security incidents and compliance failures. In this article, we will explore how to create and maintain a strong and effective Active Directory password policy.

How Attackers Compromise Corporate Passwords

Hackers use a variety of techniques to compromise corporate passwords, including the following:

  • Brute force attack — Hackers run programs that enter various potential password combinations until they hit upon the right one.
  • Dictionary attack — This is a specific form of brute force attack that involves trying words found in the dictionary as possible passwords.
  • Password spraying attack — Hackers enter a known username or other account identifier and try multiple common passwords to see if they work.
  • Credential stuffing attack — Hackers use automated tools to enter lists of credentials against various company login portals.
  • Spidering — Malicious users collect as much information as possible about a hacking target, and then try out password combinations created using that data.

How to View and Edit Active Directory Password Policy

To defend against these attacks, organizations need a solid Active Directory password policy. Password policies define rules for password creation, such as minimum length, complexity details (like whether a special character is required), and the length of time a password lasts before it must be changed.
The Default Domain Policy is a Group Policy object (GPO) that contains settings that affect all objects in the domain. To view and configure a domain password policy, admins can use the Group Policy Management Console (GPMC). Expand the Domains folder, select the domain whose policy you want to access, and then select Group Policy Objects. Right-click the Default Domain Policy folder and select Edit. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.

Alternatively, you can access your domain password policy by executing the following PowerShell command:

Get-ADDefaultDomainPasswordPolicy

Remember, any changes you make to the default domain password policy apply to every account within that domain. You can create and manage fine-grained password policies using the Active Directory Administrative Center (ADAC) in Windows Server.
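The following script is an added example, not part of the original article or any Netwrix tool: it reads the policy returned by Get-ADDefaultDomainPasswordPolicy and reports which of the thresholds recommended in this article it meets. It assumes the ActiveDirectory RSAT module is installed and the session is domain-joined.

```powershell
# Added example (not from the original article): audit the domain password
# policy against the values this article recommends. Assumes the
# ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        # Accepts a policy object so the same checks can be run against a
        # fine-grained policy returned by Get-ADFineGrainedPasswordPolicy.
        [Parameter(ValueFromPipeline = $true)]
        $Policy = (Get-ADDefaultDomainPasswordPolicy)
    )
    process {
        # MaxPasswordAge of 0 means "passwords never expire"; use TotalDays so
        # a sub-day value is not mistaken for 0.
        $maxAgeDays = $Policy.MaxPasswordAge.TotalDays
        $minAgeDays = $Policy.MinPasswordAge.TotalDays

        $checks = @(
            @{ Name = 'Minimum password length >= 8'
               Value = $Policy.MinPasswordLength
               Pass  = ($Policy.MinPasswordLength -ge 8) },
            @{ Name = 'Password history >= 10'
               Value = $Policy.PasswordHistoryCount
               Pass  = ($Policy.PasswordHistoryCount -ge 10) },
            @{ Name = 'Maximum password age set (not 0) and <= 42 days'
               Value = $maxAgeDays
               Pass  = ($maxAgeDays -gt 0 -and $maxAgeDays -le 42) },
            @{ Name = 'Minimum password age >= 1 day'
               Value = $minAgeDays
               Pass  = ($minAgeDays -ge 1) },
            @{ Name = 'Complexity requirements enabled'
               Value = $Policy.ComplexityEnabled
               Pass  = ($Policy.ComplexityEnabled -eq $true) },
            @{ Name = 'Reversible encryption disabled'
               Value = $Policy.ReversibleEncryptionEnabled
               Pass  = ($Policy.ReversibleEncryptionEnabled -eq $false) }
        )
        foreach ($c in $checks) {
            $result = 'FAIL'
            if ($c.Pass) { $result = 'PASS' }
            [pscustomobject]@{ Check = $c.Name; Value = $c.Value; Result = $result }
        }
    }
}

Test-DomainPasswordPolicy | Format-Table -AutoSize
```

Any FAIL row points at a setting to revisit under the Default Domain Policy or, for privileged accounts, in a fine-grained policy.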

Understanding AD Password Policy Settings

Here are the six password policy settings and their default values:

  • Enforce password history — Default is 24. This setting specifies the number of unique passwords users must create before reusing an old password. Keeping the default value is recommended to reduce the risk of users having passwords that have been compromised.
  • Maximum password age — Default is 42 days. This setting establishes how long a password can exist before the system forces the user to change it. Users typically get a pop-up warning when they reach the end of their password expiration period. You can check this setting through PowerShell by executing the command net user USERNAME /domain. Keep in mind that forcing frequent password changes can lead to users writing their passwords down or adopting practices like appending the month to a stem word they reuse, which actually increases security risk. Setting “Maximum password age” to 0 means that passwords never expire (which is generally not recommended).
  • Minimum password age — Default is 1 day. This setting specifies how long a password must exist before the user is permitted to change it. Setting a minimum age keeps users from resetting their password repeatedly to circumvent the “Enforce password history” setting and reuse a favorite password immediately.
  • Minimum password length — Default is 7. This setting establishes the fewest number of characters a password can have. While shorter passwords are easier for hackers to crack, requiring really long passwords can lead to lockouts from mistyping and to security risks from users writing down their passwords.
  • Complexity requirements — Default is Enabled. This setting details the types of characters a user must include in a password string. Best practices recommend enabling this setting with a minimum password length of at least 8; this makes it harder for brute force attacks to succeed. Complexity requirements typically require the password to include a mix of:
    • Upper or lowercase letters (A through Z and a through z)
    • Numeric characters (0–9)
    • Non-alphanumeric characters like $, # or %
    • No more than two symbols from the user’s account name or display name
  • Store passwords using reversible encryption — Default is Disabled. This setting offers support for apps that require users to enter a password for authentication. Admins should keep this setting disabled because enabling it would allow attackers who know how to break this encryption to log into the network once they compromise the account. As an exception, you can enable this setting when using Internet Authentication Services (IAS) or the Challenge Handshake Authentication Protocol (CHAP).

Fine-Grained Policy and How It's Configured

Older versions of AD allowed the creation of just one password policy for each domain. The introduction of fine-grained password policies (FGPP) in later versions of AD has made it possible for admins to create multiple password policies to better fit business needs. For example, you might want to require admin accounts to use more complex passwords than regular user accounts. It's crucial that you define your organizational structure thoughtfully so it maps to your desired password policies.
While you define the default domain password policy within a GPO, FGPPs are set in password settings objects (PSOs). To set them up, open the ADAC, click on your domain, navigate to the System folder, and then click on the Password Settings Container.
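As an added example (not from the original article), the same PSO can be created from PowerShell instead of the ADAC. It enforces the 15-character minimum the article recommends for domain admin accounts and then verifies which policy actually governs each member; the PSO name and precedence are constructed values, and the ActiveDirectory module is assumed.

```powershell
# Added example (not from the original article): create a fine-grained
# password policy (PSO) for privileged accounts and confirm it applies.
# Assumes the ActiveDirectory module; the PSO name is a constructed value.
Import-Module ActiveDirectory

$psoName = 'PSO-DomainAdmins'   # constructed name; pick your own

# Lower Precedence wins when a user is covered by more than one PSO.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 42) `
        -MinPasswordAge (New-TimeSpan -Days 3) `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true `
        -Description 'Stricter password rules for privileged accounts'
}

# PSOs are linked to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Verify: the resultant policy shows which PSO (if any) governs an account.
# When no PSO applies the cmdlet returns nothing and the domain default wins.
$defaultMin = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective  = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $policyName = 'Default Domain Policy'
        $minLength  = $defaultMin
        if ($effective) {
            $policyName = $effective.Name
            $minLength  = $effective.MinPasswordLength
        }
        [pscustomobject]@{ User = $_.SamAccountName; Policy = $policyName; MinLength = $minLength }
    } | Format-Table -AutoSize
```

Nested group members are not expanded here; add -Recursive to Get-ADGroupMember if your privileged groups contain other groups.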

NIST SP 800-63 Password Guidelines

The National Institute of Standards and Technology (NIST) is a federal agency charged with issuing controls and requirements around managing digital identities. Special Publication 800-63B covers standards for passwords. Revision 3 of SP 800-63B, issued in 2017 and updated in 2019, is the current standard.
These guidelines provide organizations with a foundation for building a robust password security infrastructure. NIST recommendations include the following:

  • Require user-generated passwords to be at least 8 characters long (6 for machine-generated ones).
  • Allow users to create passwords up to 64 characters long.
  • Allow users to use any ASCII/Unicode characters in their passwords.
  • Disallow passwords with sequential or repeated characters.
  • Do not require frequent password changes. Although for years, many organizations have required users to change their passwords frequently, this policy often leads to users making incremental changes to a base password, writing their passwords down, or experiencing lockouts because they forget their new passwords. Accordingly, the latest NIST 800-63B standards call for using password expiration policies carefully. More recent research suggests that better alternatives include using banned password lists, using longer passphrases and enforcing multi-factor authentication for additional security.
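The function below is an added example, not part of the original article: it checks a candidate password against the NIST SP 800-63B rules listed above (8 to 64 characters, any character allowed, no sequential or repeated runs, banned-word list), the kind of check a self-service reset tool would perform before accepting a new password. The banned list and the test inputs are small constructed samples.

```powershell
# Added example (not from the original article): validate a candidate password
# against the NIST SP 800-63B rules summarised above. The banned list is a
# constructed sample; in practice feed in a breached-password list.
function Test-NistPassword {
    param(
        [Parameter(Mandatory = $true)] [string] $Password,
        [string[]] $BannedList = @('password', 'welcome1', 'qwerty', 'letmein')  # constructed sample
    )
    $problems = @()

    # Length: at least 8 characters, and allow up to 64.
    if ($Password.Length -lt 8)  { $problems += 'shorter than 8 characters' }
    if ($Password.Length -gt 64) { $problems += 'longer than 64 characters' }

    # Any ASCII/Unicode character is acceptable, so there are no character-class rules.

    # Repeated characters: the same character three or more times in a row, e.g. "aaa".
    if ($Password -match '(.)\1\1') { $problems += 'contains a run of repeated characters' }

    # Sequential characters: three consecutive ascending or descending code points,
    # e.g. "abc" or "321".
    for ($i = 0; $i -le $Password.Length - 3; $i++) {
        $a = [int][char]$Password[$i]
        $b = [int][char]$Password[$i + 1]
        $c = [int][char]$Password[$i + 2]
        if ((($b - $a) -eq 1 -and ($c - $b) -eq 1) -or (($a - $b) -eq 1 -and ($b - $c) -eq 1)) {
            $problems += 'contains a sequential run of characters'
            break
        }
    }

    # Banned words: reject if the password contains any entry, case-insensitively.
    $lower = $Password.ToLowerInvariant()
    foreach ($word in $BannedList) {
        if ($lower.Contains($word.ToLowerInvariant())) {
            $problems += "contains the banned word '$word'"
            break
        }
    }

    [pscustomobject]@{ Accepted = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed inputs: the first is rejected (banned word and "123"), the second accepted.
Test-NistPassword -Password 'Password123'
Test-NistPassword -Password 'correct horse battery'
```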

AD Password Policy Best Practices

More broadly, administrators should make sure to:

  • Set a minimum password length of 8 characters.
  • Establish password complexity requirements.
  • Enforce a password history policy that looks back at the last 10 passwords of a user.
  • Make the minimum password age 3 days.
  • Reset local admin passwords every 180 days (consider using the free Netwrix Bulk Password Reset tool for that).
  • Reset device account passwords during maintenance once per year.
  • Require passwords for domain admin accounts to be at least 15 characters long.
  • Set up email notifications to let users know passwords are set to expire (the free Netwrix Password Expiration Notifier tool can help).
  • Consider creating granular password policies to link up with specific organizational units instead of editing the Default Domain Policy settings.
  • Use banned password lists.
  • Use password management tools to store multiple passwords.

For more information, read our password policy best practices for solid security in AD.
User education is just as crucial as any password policy. Educate your users on the following rules of behavior:

  • Don’t write down passwords. Instead, pick strong passwords or passphrases you can recall easily, and use password management tools.
  • Don’t type your password when anyone is watching.
  • Understand that HTTPS:// addresses are more secure than HTTP:// URLs.
  • Don’t use the same password for multiple websites that provide access to sensitive information.


How do I find and edit my Active Directory password policy?
You can find your current AD password policy for a specific domain either by navigating to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy via the Group Policy Management Console, or by using the PowerShell cmdlet Get-ADDefaultDomainPasswordPolicy.
Are passwords encrypted in Active Directory?
Yes. Passwords created by a user go through a hash algorithm that encrypts them.
What is Active Directory password complexity?
Complexity requirements control the characters that can or cannot be included in a password. For example, users might be prevented from using their username as their password, or required to include at least one number and one lowercase letter in the password.
What is Windows Server password policy?
Windows Server password policy controls passwords for accessing Windows servers.
How do I find, edit or disable a password policy in Windows Server?
Locate the GPO through the Group Policy Management Console and click Edit.

What is a good password policy?
Best practices include the following:

  • Make users create at least 10 new passwords before reusing an old one.
  • Apply a maximum password age of 42 days.
  • Apply a minimum password age of 3 days.
  • Make users create passwords that are at least 8 characters long.
  • Enable the “Complexity requirements” option.
  • Disable reversible encryption.

Jeff Melnick
Jeff is a former Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.
