{"id":5740,"date":"2019-09-28T17:32:01","date_gmt":"2019-09-28T17:32:01","guid":{"rendered":"http:\/\/activedirectorypro.com\/?p=5740"},"modified":"2023-11-03T11:57:46","modified_gmt":"2023-11-03T11:57:46","slug":"how-to-configure-a-domain-password-policy","status":"publish","type":"post","link":"https:\/\/activedirectorypro.com\/how-to-configure-a-domain-password-policy\/","title":{"rendered":"How To Configure a Domain Password Policy"},"content":{"rendered":"<div class=\"gb-grid-wrapper gb-grid-wrapper-6a63680b\">\n<div class=\"gb-grid-column gb-grid-column-3ae68448\"><div class=\"gb-container gb-container-3ae68448\"><div class=\"gb-inside-container\">\n\n<p>In this article, you will learn how to configure the Active Directory Domain password policy.&nbsp;<\/p>\n\n\n\n<p>The domain password policy is critical to ensure security and compliance in your organization.<\/p>\n\n\n\n<p>You will also learn:<\/p>\n\n\n\n<ul>\n<li><a href=\"#what-is-password-policy\">What is the default domain password policy<\/a><\/li>\n\n\n\n<li><a href=\"#understanding-password-policy\">Understand password policy settings<\/a><\/li>\n\n\n\n<li><a href=\"#best-practice\">Password policy best practices<\/a><\/li>\n\n\n\n<li><a href=\"#modify\">Modify the domain password policy&nbsp;<\/a><\/li>\n\n\n\n<li><a href=\"#faq\" data-type=\"internal\" data-id=\"#faq\">Frequently Asked Questions<\/a><\/li>\n<\/ul>\n\n<\/div><\/div><\/div>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"what-is-password-policy\">What is The Default Domain Password Policy?<\/h2>\n\n\n\n<p>By default, Active Directory is configured with a default domain password policy. This policy defines the password requirements for Active Directory user accounts such as password length, age, and so on.&nbsp;<\/p>\n\n\n\n<p>This password policy is configured by group policy and linked to the root of the domain. To view the password policy follow these steps:&nbsp;<\/p>\n\n\n\n<p>1. Open the group policy management console&nbsp;<\/p>\n\n\n\n<p>2.&nbsp; Expand Domains, your domain, then group policy objects<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"331\" height=\"363\" src=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-1.jpg\" alt=\"\" class=\"wp-image-5742\" srcset=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-1.jpg 331w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-1-274x300.jpg 274w\" sizes=\"(max-width: 331px) 100vw, 331px\" \/><\/figure>\n\n\n\n<p>3. Right click the default domain policy and click edit<\/p>\n\n\n\n<p>4. Now navigate to Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"839\" height=\"320\" src=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-2.jpg\" alt=\"\" class=\"wp-image-5743\" srcset=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-2.jpg 839w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-2-600x229.jpg 600w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-2-300x114.jpg 300w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-2-768x293.jpg 768w\" sizes=\"(max-width: 839px) 100vw, 839px\" \/><\/figure>\n\n\n\n<p>You can also view the default password policy with Powershell using this command.&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-ADDefaultDomainPasswordPolicy<\/pre>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"487\" height=\"237\" src=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-4.jpg\" alt=\"\" class=\"wp-image-5749\" srcset=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-4.jpg 487w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-4-300x146.jpg 300w\" sizes=\"(max-width: 487px) 100vw, 487px\" \/><\/figure>\n\n\n\n<p><strong>Important: <\/strong>The default password policy is applied to all computers in the domain. If you want to apply different password policies to a group of users then it is best practice to use <a href=\"https:\/\/activedirectorypro.com\/create-fine-grained-password-policies\/\">fine grained password policy<\/a>. Do not create a new GPO and link it to an OU, this is not recommended.&nbsp;<\/p>\n\n\n\n<p>You can also get the password policy using the AD Pro Toolkit&#8217;s built list of security reports. You can also report on the fine grained password policies and Domain Admins using old passwords. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"804\" height=\"404\" src=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2023\/01\/check-default-domain-password-policy.webp\" alt=\"\" class=\"wp-image-36412\" srcset=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2023\/01\/check-default-domain-password-policy.webp 804w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2023\/01\/check-default-domain-password-policy-300x151.webp 300w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2023\/01\/check-default-domain-password-policy-768x386.webp 768w\" sizes=\"(max-width: 804px) 100vw, 804px\" \/><\/figure>\n\n\n\n<p>You can try these reports out for free in your domain. <a href=\"https:\/\/activedirectorypro.com\/download-thank-you\/\" data-type=\"page\" data-id=\"19956\">Download a free trial<\/a> of the AD Pro Toolkit or check out the full list of included <a href=\"https:\/\/activedirectorypro.com\/reporting\/\" data-type=\"page\" data-id=\"34362\">Active Directory Reports<\/a>. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"understanding-password-policy\">Understand Password Policy Settings<\/h2>\n\n\n\n<p>Now that you know how to view the domain default password policy let&#8217;s look at the settings.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Enforce password history:<\/h3>\n\n\n\n<p>This setting defines how many unique passwords must be used before an old password can be reused. For example, if my current password is &#8220;Th334goore0!&#8221; then I can&#8217;t reuse that password until I&#8217;ve changed my password 24 times (or whatever number the policy is set to). This setting is useful so users don&#8217;t keep reusing the same password.&nbsp; The default setting is 24&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Maximum password age:&nbsp;<\/h3>\n\n\n\n<p>This setting defines how long in days a password can be used before it needs to be changed. The default setting is 42 days<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Minimum password age<\/h3>\n\n\n\n<p>This setting determines how long a password must be used before it can be changed. The default setting is 1 day<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Minimum password length<\/h3>\n\n\n\n<p>This setting determines how many characters a password must have. The default is 7.&nbsp; This means my password must contain at least 7 characters.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Password must meet complexity requirements<\/h3>\n\n\n\n<p>If enabled passwords must meet these requirements:&nbsp;<\/p>\n\n\n\n<ul>\n<li>Not contain the user&#8217;s account name or parts of the user&#8217;s full name that exceed two consecutive characters<\/li>\n\n\n\n<li>Be at least six characters in length<\/li>\n\n\n\n<li>Contain characters from three of the following four categories:\n<ul>\n<li>English uppercase characters (A through Z)<\/li>\n\n\n\n<li>English lowercase characters (a through z)<\/li>\n\n\n\n<li>Base 10 digits (0 through 9)<\/li>\n\n\n\n<li>Non-alphabetic characters (for example, !, $, #, %)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>This is enabled by default<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Store passwords using reversible encryption<\/h3>\n\n\n\n<p>This setting determines if the operating system stores passwords using reversible encryption. This is essentially the same as storing plain text versions of passwords. This policy should NEVER be set to enabled unless you have some very specific application requirements.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"best-practice\">Password Policy Best Practices<\/h2>\n\n\n\n<p>To improve Active Directory security its recommended to follow password policy best practices. It is also very important that you have an <a href=\"https:\/\/activedirectorypro.com\/account-lockout-policy\/\" data-type=\"post\" data-id=\"33279\">account lockout policy<\/a> configured to lockout users after so many failed logon attempts. Below I list the password policy best practices from the Microsoft and CIS security benchmarks.  Also, your organization&#8217;s password policy may be driven by compliance\/regulation requirements such as PCI\/SOX\/CJIS and so on.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Microsofts recommended password settings<\/h3>\n\n\n\n<p>These settings are from <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=55319\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft&#8217;s Security Compiance Toolkit.<\/a> This toolkit provides recommended GPO settings from Microsoft.&nbsp;<\/p>\n\n\n\n<ul>\n<li>Enforce Password History: 24<\/li>\n\n\n\n<li>Maximum password age: not set<\/li>\n\n\n\n<li>Minimum password age: not set<\/li>\n\n\n\n<li>Minimum password length: 14<\/li>\n\n\n\n<li>Password must meet complexity: Enabled<\/li>\n\n\n\n<li>Store passwords using reversible encryption: Disabled<\/li>\n<\/ul>\n\n\n\n<p><strong>NOTE:<\/strong> Microsoft has dropped the password expiration policies starting with the 1903 security baseline. You can read more on this <a href=\"https:\/\/blogs.technet.microsoft.com\/secguide\/2019\/04\/24\/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a><\/p>\n\n\n\n<p>I think this is a good decision but some organizations will still need to follow specific guides (like PCI, SOX, CJIS). Hopefully, those will get updated soon.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CIS Benchmark password settings<\/h3>\n\n\n\n<p>These settings are from the <a href=\"https:\/\/www.cisecurity.org\/cis-benchmarks\/\" target=\"_blank\" rel=\"noopener noreferrer\">CIS Benchmarks<\/a>. The center for internet security is a non for profit organization that develops security guidelines and benchmarks.&nbsp;<\/p>\n\n\n\n<ul>\n<li>Enforce Password History: 24<\/li>\n\n\n\n<li>Maximum password age: 60 or fewer days<\/li>\n\n\n\n<li>Minimum password age: 1 or more<\/li>\n\n\n\n<li>Minimum password length: 14<\/li>\n\n\n\n<li>Password must meet complexity: Enabled<\/li>\n\n\n\n<li>Store passwords using reversible encryption: Disabled<\/li>\n<\/ul>\n\n\n\n<p>Related: <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"modify\">Modify Default Domain Password Policy&nbsp;<\/h2>\n\n\n\n<p>To modify the password policy you will need to modify the default domain policy.&nbsp;<\/p>\n\n\n\n<p>1. Open the group policy management console&nbsp;<\/p>\n\n\n\n<p>2.&nbsp; Expand Domains, your domain, then group policy objects<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"331\" height=\"363\" src=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-1.jpg\" alt=\"\" class=\"wp-image-5742\" srcset=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-1.jpg 331w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-1-274x300.jpg 274w\" sizes=\"(max-width: 331px) 100vw, 331px\" \/><\/figure>\n\n\n\n<p>3. Right click the default domain policy and click edit<\/p>\n\n\n\n<p>4. Now navigate to Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"839\" height=\"320\" src=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-2.jpg\" alt=\"\" class=\"wp-image-5743\" srcset=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-2.jpg 839w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-2-600x229.jpg 600w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-2-300x114.jpg 300w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-2-768x293.jpg 768w\" sizes=\"(max-width: 839px) 100vw, 839px\" \/><\/figure>\n\n\n\n<p>5. Now double click one of the settings to edit. For example, I&#8217;ll double chick on minimum password length.&nbsp;<\/p>\n\n\n\n<p>I&#8217;m going to change this setting from 7 to 14 characters and then click apply.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"429\" height=\"519\" src=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-3.jpg\" alt=\"\" class=\"wp-image-5748\" srcset=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-3.jpg 429w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2019\/09\/configure-password-policy-3-248x300.jpg 248w\" sizes=\"(max-width: 429px) 100vw, 429px\" \/><\/figure>\n\n\n\n<p>Double click any other password policy setting to change.&nbsp;<\/p>\n\n\n\n<p>I hope you enjoyed this article.&nbsp;<\/p>\n\n\n\n<p>Do you have any questions? Let me know in the comments below.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"faq\">Frequently Asked Questions<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Can create multiple password policies? <\/h3>\n\n\n\n<p>No. You would need to use <a href=\"https:\/\/activedirectorypro.com\/create-fine-grained-password-policies\/\" data-type=\"post\" data-id=\"7031\">fine grained password policies<\/a> to create multiple password policies.  <\/p>\n\n\n\n<p>Each domain can only have one password policy and it must be linked to the root of the domain. The default domain policy by default includes a password policy. If you wish to define a new policy it should be linked to the root of the domain. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Can I create a password policy and link it to an OU? <\/h3>\n\n\n\n<p>No. <\/p>\n\n\n\n<p>Group policy password policies must be linked to the root of the domain. There can only be one GPO with the password policy and it must be linked to the root of the domain. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">When I change a password policy setting will it immediately impact the users? <\/h3>\n\n\n\n<p>No. Password policy changes will go into effect when the user&#8217;s password expires. For example, if &#8220;Password must meet complexity requirements&#8221; is disabled and you enable it, the user will not be required to change their password until it expires. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How to override the default domain password policy? <\/h3>\n\n\n\n<p>If you need to create a separate password policy for specific accounts, groups, or an OU you should use a fine grained password policy to override the default policy. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">We changed our password policy to expire from 90 days to 180 days but users are still expiring after 90 days instead of 180. Why? <\/h3>\n\n\n\n<p>The policy change from 90 days to 180 days is not immediate. The policy will go into effect the next time the user changes their password. This can be done by manually changing the user password or letting the current password policy expire. <\/p>\n\n\n\n<p>You can use our <a href=\"https:\/\/activedirectorypro.com\/reporting\/\" data-type=\"page\" data-id=\"34362\">Active Directory Reporting Tool<\/a> to generate a list of all users and their password expiration date. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"932\" height=\"494\" src=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2023\/09\/password-expiration-date-report-1.webp\" alt=\"\" class=\"wp-image-41904\" srcset=\"https:\/\/activedirectorypro.com\/wp-content\/uploads\/2023\/09\/password-expiration-date-report-1.webp 932w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2023\/09\/password-expiration-date-report-1-300x159.webp 300w, https:\/\/activedirectorypro.com\/wp-content\/uploads\/2023\/09\/password-expiration-date-report-1-768x407.webp 768w\" sizes=\"(max-width: 932px) 100vw, 932px\" \/><\/figure>\n\n\n\n<p>If you liked this post, you might also want to check out:<\/p>\n\n\n\n<ul>\n<li><a href=\"https:\/\/activedirectorypro.com\/check-password-complexity-requirements-active-directory\/\">How to check password complexity in Active Directory<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/activedirectorypro.com\/last-logon-time\/\" data-type=\"post\" data-id=\"412\">Get last logon date for list of users<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>What is The Default Domain Password Policy? By default, Active Directory is configured with a default domain password policy. This policy defines the password requirements for Active Directory user accounts such as password length, age, and so on.&nbsp; This password policy is configured by group policy and linked to the root of the domain. To &#8230; <a title=\"How To Configure a Domain Password Policy\" class=\"read-more\" href=\"https:\/\/activedirectorypro.com\/how-to-configure-a-domain-password-policy\/\" aria-label=\"More on How To Configure a Domain Password Policy\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":5751,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1835],"tags":[],"_links":{"self":[{"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/posts\/5740"}],"collection":[{"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/comments?post=5740"}],"version-history":[{"count":2,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/posts\/5740\/revisions"}],"predecessor-version":[{"id":41905,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/posts\/5740\/revisions\/41905"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/media\/5751"}],"wp:attachment":[{"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/media?parent=5740"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/categories?post=5740"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/tags?post=5740"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}