In this article, you will learn how to configure the Active Directory Domain password policy. 

You will also learn: 

What is The Default Domain Password Policy?

By default, Active Directory is configured with a default domain password policy. This policy defines the password requirements for Active Directory user accounts such as password length, age and so on. 

This password policy is configured by group policy and linked to the root of the domain. To view the password policy follow these steps: 

1. Open the group policy management console 

2. Expand Domains, your domain, then Group Policy Objects

3. Right click the default domain policy and click edit

4. Now navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy

You can also view the default password policy with PowerShell using this command: 

Get-ADDefaultDomainPasswordPolicy

Important: The default password policy is applied to all computers in the domain. If you want to apply different password policies to a group of users, the best practice is to use a fine-grained password policy. Do not create a new password policy GPO and link it to an OU; this is not recommended, because domain account password settings are only read from the GPO linked at the domain root, so an OU-linked password GPO only affects the local accounts on the computers in that OU. 
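The fine-grained password policy approach mentioned above, as an added PowerShell example (not code from the original article): it creates a password settings object (PSO), applies it to one security group, and then checks which policy actually wins for a member of that group. The policy name `SVC-Accounts-PasswordPolicy` and the group `SVC-Accounts` are assumed names; it also assumes the ActiveDirectory module is installed and the domain functional level supports PSOs.

```powershell
# Added example: apply a stricter password policy to one group via a PSO
# instead of linking a second GPO to an OU.
# Assumptions: ActiveDirectory module available, a group named SVC-Accounts
# already exists, and the caller has rights to create PSOs in the domain.
Import-Module ActiveDirectory

$policyName = 'SVC-Accounts-PasswordPolicy'   # hypothetical PSO name
$groupName  = 'SVC-Accounts'                  # hypothetical group name

# Create the PSO only if it does not exist yet (idempotent re-runs).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    $psoParams = @{
        Name                        = $policyName
        Precedence                  = 10          # lowest value wins if several PSOs apply to a user
        MinPasswordLength           = 25
        PasswordHistoryCount        = 24
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        MinPasswordAge              = (New-TimeSpan -Days 1)
        MaxPasswordAge              = (New-TimeSpan -Days 365)
        LockoutThreshold            = 10
        LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
        LockoutDuration             = (New-TimeSpan -Minutes 30)
    }
    New-ADFineGrainedPasswordPolicy @psoParams
}

# PSOs are applied to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# Verify the effective policy for one group member: if a PSO applies, this
# returns the PSO; if none applies, it returns the default domain policy.
$member = Get-ADGroupMember -Identity $groupName | Select-Object -First 1
if ($member) {
    Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
        Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
}
```

Because precedence decides between overlapping PSOs, keep a documented numbering scheme (for example, 10 for service accounts, 20 for administrators) so that a later PSO does not silently override an earlier one.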


Understand Password Policy Settings

Now that you know how to view the domain default password policy, let's look at the settings. 

Enforce password history:

This setting defines how many unique passwords must be used before an old password can be reused. For example, if my current password is “Th334goore0!” then I can’t reuse that password until I’ve changed my password 24 times (or whatever number the policy is set to). This setting is useful so users don’t keep reusing the same password. The default setting is 24. 

Maximum password age: 

This setting defines how long in days a password can be used before it needs to be changed. The default setting is 42 days. 

Minimum password age

This setting determines how long a password must be used before it can be changed. The default setting is 1 day. 

Minimum password length

This setting determines how many characters a password must have. The default is 7. This means my password must contain at least 7 characters. 

Password must meet complexity requirements

If enabled, passwords must meet these requirements: 

  • Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
  • Be at least six characters in length
  • Contain characters from three of the following four categories:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Base 10 digits (0 through 9)
    • Non-alphabetic characters (for example, !, $, #, %)

This is enabled by default. 
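To make the three complexity rules above concrete, here is an added PowerShell function (not from the original article) that checks a candidate password against them: the name-token rule, the six-character minimum, and the three-of-four character categories. It is useful for validating generated service-account passwords before they are set. It implements only the four categories listed in the article; the sample account name and display name are constructed for the demonstration.

```powershell
# Added example: evaluate a candidate password against the complexity rules
# listed in the article. Returns an object with Passes and the reasons for failure.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = ''
    )
    $failures = @()

    # Rule: at least six characters.
    if ($Password.Length -lt 6) { $failures += 'shorter than 6 characters' }

    # Rule: must not contain the account name, nor any part of the full name
    # longer than two characters. The full name is split on the usual delimiters.
    $nameTokens = @()
    if ($SamAccountName.Length -ge 3) { $nameTokens += $SamAccountName }
    $nameTokens += @(($DisplayName -split '[ ,.\-_#\t]+') | Where-Object { $_.Length -ge 3 })
    foreach ($token in $nameTokens) {
        if ($Password.IndexOf($token, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += "contains name token '$token'"
        }
    }

    # Rule: characters from three of the four categories (case-sensitive matches
    # for the letter classes, since -match is case-insensitive by default).
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) { $failures += "only $categories of 4 character categories" }

    [pscustomobject]@{
        Passes   = ($failures.Count -eq 0)
        Failures = ($failures -join '; ')
    }
}

# Constructed sample account and candidates (not real accounts).
$sam = 'jsmith'
$dn  = 'John Smith'
Test-PasswordComplexity -Password 'Th334goore0!' -SamAccountName $sam -DisplayName $dn   # Passes: True
Test-PasswordComplexity -Password 'Smith2020!'   -SamAccountName $sam -DisplayName $dn   # fails: contains 'Smith'
Test-PasswordComplexity -Password 'abcdef'       -SamAccountName $sam -DisplayName $dn   # fails: 1 of 4 categories
Test-PasswordComplexity -Password 'Ab1!'         -SamAccountName $sam -DisplayName $dn   # fails: too short
```

Note that a password such as `Summer2020` satisfies all three rules, which is why the article later recommends a longer minimum length rather than relying on complexity alone.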

Store passwords using reversible encryption

This setting determines whether the operating system stores passwords using reversible encryption. This is essentially the same as storing plaintext versions of passwords. This policy should NEVER be set to enabled unless you have some very specific application requirements. 

Password Policy Best Practices

There are different opinions on this so I’m going to reference two sources. Also, your organization’s password policy may be driven by compliance/regulation requirements such as PCI/SOX/CJIS and so on. 

Microsoft's recommended password settings

These settings are from Microsoft’s Security Compliance Toolkit. This toolkit provides recommended GPO settings from Microsoft. 

  • Enforce Password History: 24
  • Maximum password age: not set
  • Minimum password age: not set
  • Minimum password length: 14
  • Password must meet complexity: Enabled
  • Store passwords using reversible encryption: Disabled

NOTE: Microsoft has dropped the password expiration policies starting with the 1903 security baseline. You can read more on this here

I think this is a good decision but some organizations will still need to follow specific guides (like PCI, SOX, CJIS). Hopefully, those will get updated soon. 

CIS Benchmark password settings

These settings are from the CIS Benchmarks. The Center for Internet Security is a not-for-profit organization that develops security guidelines and benchmarks. 

  • Enforce Password History: 24
  • Maximum password age: 60 or fewer days
  • Minimum password age: 1 or more
  • Minimum password length: 14
  • Password must meet complexity: Enabled
  • Store passwords using reversible encryption: Disabled
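An added PowerShell audit script (not from the original article or from CIS) that reads the live default domain password policy and reports each setting that deviates from the CIS Benchmark values listed above. It only checks the CIS list; a domain following the Microsoft baseline (no maximum password age) will show a deviation on MaxPasswordAge, which is expected. It assumes the ActiveDirectory module is installed.

```powershell
# Added example: compare Get-ADDefaultDomainPasswordPolicy with the CIS values
# from the article and flag deviations. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# MaxPasswordAge and MinPasswordAge are TimeSpans on the policy object, so the
# day counts are compared. A MaxPasswordAge of 0 days means "never expires",
# which CIS treats as non-compliant.
$maxDays = $policy.MaxPasswordAge.Days
$minDays = $policy.MinPasswordAge.Days

$checks = @(
    @{ Setting = 'PasswordHistoryCount';        Actual = $policy.PasswordHistoryCount;        Expected = '24 or more'; Ok = ($policy.PasswordHistoryCount -ge 24) }
    @{ Setting = 'MaxPasswordAge (days)';       Actual = $maxDays;                            Expected = '1 to 60';    Ok = ($maxDays -ge 1 -and $maxDays -le 60) }
    @{ Setting = 'MinPasswordAge (days)';       Actual = $minDays;                            Expected = '1 or more';  Ok = ($minDays -ge 1) }
    @{ Setting = 'MinPasswordLength';           Actual = $policy.MinPasswordLength;           Expected = '14 or more'; Ok = ($policy.MinPasswordLength -ge 14) }
    @{ Setting = 'ComplexityEnabled';           Actual = $policy.ComplexityEnabled;           Expected = 'True';       Ok = [bool]$policy.ComplexityEnabled }
    @{ Setting = 'ReversibleEncryptionEnabled'; Actual = $policy.ReversibleEncryptionEnabled; Expected = 'False';      Ok = (-not $policy.ReversibleEncryptionEnabled) }
)

$results = $checks | ForEach-Object { [pscustomobject]$_ }
$results | Format-Table Setting, Actual, Expected, Ok -AutoSize

$failed = @($results | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) password policy setting(s) deviate from the CIS Benchmark: $($failed.Setting -join ', ')"
} else {
    Write-Output 'Default domain password policy matches the CIS Benchmark values.'
}
```

Running this from a scheduled task and alerting on the warning gives a simple drift check: a reversible-encryption or minimum-length change made through the GPO editor shows up at the next run.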

Modify Default Domain Password Policy 

To modify the password policy you will need to modify the default domain policy. 

1. Open the group policy management console 

2. Expand Domains, your domain, then Group Policy Objects

3. Right click the default domain policy and click edit

4. Now navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy

5. Now double click one of the settings to edit. For example, I’ll double click on minimum password length. 

I’m going to change this setting from 7 to 14 characters and then click apply. 

Double click any other password policy setting to change. 
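After the GPO change above, a practitioner usually wants to confirm that the new value is actually in effect and to see which accounts it will hit first. The following added PowerShell example (not from the original article) refreshes Group Policy on the PDC emulator, reads back the effective default domain password policy, and lists enabled accounts whose passwords expire within the next 14 days, since existing passwords are only checked against the new minimum length when they are next changed. It assumes the ActiveDirectory and GroupPolicy modules are installed and that Invoke-GPUpdate can reach the PDC emulator remotely.

```powershell
# Added example: verify a Default Domain Policy password change and preview
# which accounts will be affected first. Assumes ActiveDirectory and
# GroupPolicy modules and remote Group Policy refresh rights on the PDC emulator.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$pdc = (Get-ADDomain).PDCEmulator

# Account-policy settings in the Default Domain Policy are written to the
# domain by the PDC emulator, so refresh policy there rather than on a client.
Invoke-GPUpdate -Computer $pdc -Force -RandomDelayInMinutes 0

# Read the effective policy from the PDC emulator itself to avoid replication lag.
$policy = Get-ADDefaultDomainPasswordPolicy -Server $pdc
$policy | Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                        MinPasswordAge, ComplexityEnabled, ReversibleEncryptionEnabled

if ($policy.MinPasswordLength -lt 14) {
    Write-Warning "MinPasswordLength is still $($policy.MinPasswordLength); check the GPO link and replication."
}

# Accounts whose passwords expire soonest are the first ones the new length applies to.
$cutoff  = (Get-Date).AddDays(14)
$maxFile = [datetime]::MaxValue.ToFileTime()

Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
           -Properties 'msDS-UserPasswordExpiryTimeComputed' -Server $pdc |
    Where-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        $raw -and $raw -lt $maxFile        # skip "never" values that cannot convert
    } |
    ForEach-Object {
        [pscustomobject]@{
            User            = $_.SamAccountName
            PasswordExpires = [datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')
        }
    } |
    Where-Object { $_.PasswordExpires -le $cutoff } |
    Sort-Object PasswordExpires |
    Format-Table -AutoSize
```

The expiry list is the communication list: those users will be asked for a 14-character password within two weeks, while everyone else keeps their current password until its own expiry date.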

I hope you enjoyed this article. 

Do you have any questions? Let me know in the comments below. 


27 Comments

  1. Narayana on May 23, 2020 at 2:01 am

    Hi,

    Nice article and thanks for detailed explanation. The complexity criteria is defined as below
    “Contain characters from three of the following four categories:”
    Can this be changed to mandatory four categories?
    Please share your expert opinion

    Thanks

    • Robert Allen on May 24, 2020 at 2:01 am

      There is no native way in Active Directory to accomplish this. You would need to find a 3rd party tool that integrates with Active Directory password policy. I would suggest making the password length requirement longer rather than adding more complexity. Longer passwords are very effective and are now recommended by several security standards such as NIST. It’s hard enough for end users to remember 3 mandatory categories; adding another one will blow their minds. Set minimum password length to 15 and you will have a stronger password policy than most organizations.

      • Narayana on May 24, 2020 at 2:51 am

        Great.. Thanks a lot.

        • Robert Allen on May 24, 2020 at 3:48 pm

          No problem.

  2. Osee on May 28, 2020 at 7:14 pm

    So, once the ‘Password must meet complexity requirements’ setting is enabled, does it prompt the user to change their password to meet this requirement at the next login?
    Thank you

    • Robert Allen on June 6, 2020 at 3:07 pm

      No, it will take effect when their password expires and they must change it.

  3. Tinker on July 20, 2020 at 9:11 am

    Hi ,

    If I change the minimum password length, how will it affect existing accounts?
    We have service accounts that I’m concerned might be affected.

    • Robert Allen on August 11, 2020 at 1:01 am

      It should not affect accounts until their password expires. For example, if user1’s password doesn’t expire until 9/1 and you change the policy on 8/10, user1 would remain unchanged until 9/1 when its password expires.

  4. Ben on July 21, 2020 at 8:28 pm

    Thank you so much

    • Robert Allen on July 23, 2020 at 11:22 pm

      No problem

  5. Don on August 14, 2020 at 12:24 pm

    Hi, Do you need to run any command after making some changes on the policy?

    • Robert Allen on August 14, 2020 at 5:06 pm

      The default group policy refresh interval is 90 minutes. You can run gpupdate /force on a computer to force a group policy update.

  6. George on August 31, 2020 at 4:19 am

    I changed a user password in AD, for a short period of time (probably about 10 mins) the old password would still work.
    Any idea what setting might cause that?

    • Robert Allen on September 19, 2020 at 4:30 pm

      Was the computer on the network with access to the domain controller? It’s possible the account was logging in with cached credentials. It could also be a replication issue and the password change had not replicated to all DCs yet. You can test for replication issues with the dcdiag command.

  7. Althaff Mahroof on September 2, 2020 at 6:07 am

    For example, I used September01 as a new password and it’s not accepted. Then I used September01# and that’s also not accepted. I used other passwords that meet this requirement and none of them are accepted.

    • Robert Allen on December 30, 2020 at 3:33 pm

      What are your password policy settings?

      You can check it with this PowerShell command:

      Get-ADDefaultDomainPasswordPolicy

  8. orazio on September 24, 2020 at 12:20 pm

    Hello, I need to enforce that passwords with two consecutive equal characters are not allowed. Is there a way to implement this kind of policy?

  9. Victor on November 18, 2020 at 6:24 am

    I set the password expiry to 90 days. If the computer is not connected to the local network (can’t find Active Directory) for longer than 90 days, what would happen on the computer?

  10. Matt Starland on December 3, 2020 at 2:25 pm

    Great article!

    If you update the password max age from 90 days to 365 days, does that proactively change the password expiration timestamp on everyone’s user accounts, or do they still expire on their current scheduled expiration timestamp?

    For example, if my account’s password is set to expire on 12/24/2020, and I update the domain password max age policy from 90 to 365 days on 12/5/2020, my password will still expire on 12/24/2020 as currently scheduled, correct?

    • Robert Allen on December 4, 2020 at 10:06 pm

      Matt. Yes, that is correct.

      • AZZ on January 8, 2021 at 2:52 am

        I have set a user account to ‘password never expires’ (flagged the checkbox) but after some time the user account had issues logging in, and I found out that the user account had expired. When I check in Active Directory, the checkbox is unflagged. Is there any setting that causes such a scenario?

        • Robert Allen on January 30, 2021 at 3:31 pm

          Sounds like a replication issue. Do you have multiple DCs?

  11. Vlad Bettermann on December 14, 2020 at 1:53 pm

    How does the setting “min password length” affect the complexity requirements?

    For example:
    I have enabled the complexity rules in AD, which have a min password length of 8 characters. And I set the min password length to 6 characters. Which setting overrides the other?

  12. Mohd Rahul on February 21, 2021 at 8:07 am

    Thanks, it works for me.
