Active Directory Password Policy – The Complete Guide

A strong password policy protects Active Directory from cyber attacks

Published: Oct 09, 2024


A simple (non-complex) Active Directory (AD) password is vulnerable to hacking and exploitation. Requiring complex passwords in your Active Directory password policy increases the effectiveness of passwords exponentially – each additional special character you require in your users’ passwords makes them progressively harder to brute-force.

Going back to the 2000s, Excel’s simple workbook-protected passwords could be brute-forced in the time it takes to click ‘Go’. Even today, hackers with standard equipment can brute force a complex, 7-character password in 7 seconds. But, how about adding 4 characters to it…3 years! A 15-character complex password – 77 million years! Please read this carefully and dutifully to protect your organization’s assets.

What is the default password policy in Active Directory?

When you install the first domain controller (DC) in a domain (not necessarily in a forest), a ‘Default Domain Policy’ Group Policy Object (GPO) is created. Within this policy lies the default domain password policy for ‘all’ accounts in that domain (there are some minor exceptions). This constitutes the password requirements for your users.

Here are the six settings and what their default attributes are. I’ll explain each setting later on in this article.

  • Enforce password history – The default is 24.
  • Minimum password age – The default for this is one day.
  • Maximum password age – The default for this setting is 42 days.
  • Minimum password length – The default is 7.
  • Complexity requirements – The default value is Enabled.
  • Store passwords using reversible encryption – The default for this is Disabled.

In Active Directory, at which level can you assign the password policy?

If you’re thinking ‘Why do I only get to assign one password policy for all my users in the ‘Default Domain Policy’ object?’, don’t worry – you can use what are called Fine-Grained Password Policies (FGPP).

Prior (legacy) versions of AD only allowed one password policy per domain. If you wanted any granularity, you needed to create a child domain and store your users and password policy there. Microsoft introduced Fine-Grained Password Policies (FGPP) with Windows Server 2008. This allows admins to apply multiple password policies (and account lockout policies) to different sets of users.

You may want to have a special, more strict password policy for all of your admin or privileged accounts.

Active Directory password policy settings in the Administrative Center – Adjusting Fine-Grained Password Policies (Image Credit: Petri.com/Michael Reinders)

How to check password policy in Active Directory

There are a few ways to check your password policy in Active Directory. Let me show you the quickest, simplest way – you guessed it…PowerShell!

Type this single cmdlet from your PowerShell window or Terminal app:

Get-ADDefaultDomainPasswordPolicy
Using the ‘Get-ADDefaultDomainPasswordPolicy’ PowerShell cmdlet to view your domain’s password policy settings (Image Credit: Petri.com/Michael Reinders)

I included the default settings above and you can see very similar results here. I will go into more detail soon.
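Beyond the single cmdlet above, what you usually want to know is which policy a given account actually ends up with, because a Fine-Grained Password Policy can override the domain default. The following is an added example (not code from the article); it assumes the RSAT ActiveDirectory module in a domain-authenticated session, and ‘jdoe’ is a placeholder account name.

```powershell
# Added example (not from the article): inventory the effective password policy.
# Assumes the RSAT ActiveDirectory module and a domain-joined, domain-authenticated session.
Import-Module ActiveDirectory

# 1. The domain-wide policy that the Default Domain Policy GPO writes to the domain object.
$default = Get-ADDefaultDomainPasswordPolicy
$default | Select-Object MinPasswordLength, PasswordHistoryCount, MinPasswordAge,
    MaxPasswordAge, ComplexityEnabled, ReversibleEncryptionEnabled,
    LockoutThreshold, LockoutDuration | Format-List

# 2. Every Fine-Grained Password Policy (PSO) and who it is assigned to.
#    The lowest Precedence value wins when a user is covered by more than one PSO.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    ForEach-Object {
        $subjects = (Get-ADFineGrainedPasswordPolicySubject -Identity $_.Name).Name -join ', '
        [pscustomobject]@{
            Name       = $_.Name
            Precedence = $_.Precedence
            MinLength  = $_.MinPasswordLength
            History    = $_.PasswordHistoryCount
            Complexity = $_.ComplexityEnabled
            Reversible = $_.ReversibleEncryptionEnabled
            AppliesTo  = $subjects
        }
    } | Format-Table -AutoSize

# 3. The policy one account actually gets. 'jdoe' is a placeholder user name.
#    Get-ADUserResultantPasswordPolicy returns the winning PSO, or nothing when only
#    the default domain policy applies to that user.
$user = 'jdoe'
$resultant = Get-ADUserResultantPasswordPolicy -Identity $user
if ($null -eq $resultant) {
    "$user is governed by the default domain policy (min length $($default.MinPasswordLength))"
} else {
    "$user is governed by PSO '$($resultant.Name)' (min length $($resultant.MinPasswordLength))"
}
```

Step 3 is the check worth running for every privileged account: a PSO that exists but was never assigned to the right group gives no protection, and only the resultant policy tells you what the DC will actually enforce.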

How to set password policy in Active Directory

As I mentioned, the ‘Default Domain Policy’ GPO stores many settings including these password policy attributes.

  • To access them, open the ‘Group Policy Management’ console from the Start menu or the Windows Tools category.
Using Group Policy Management to access your default password policy (Image Credit: Petri.com/Michael Reinders)
  • Under your DNS domain name (reinders.local in my case), find the ‘Default Domain Policy’ object, right-click on it, and choose Edit.
  • Browse to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.
Browsing your domain to find the default Password Policy (Image Credit: Petri.com/Michael Reinders)

Look familiar? It should – here are the settings we’ve already been introduced to.

  • Simply double-click each policy setting, click the ‘Explain’ tab at the top to refresh your memory on the policy description, and then make the necessary changes for your specific use case.

Enforce password history

This setting defines how many previous passwords are remembered for each user. A user cannot reuse any of those remembered passwords at their next password reset. Simply change the number of passwords remembered in the policy setting.

Maximum password age

This setting dictates how long a password can be used until it needs to be reset. Although the default is 42 days, recent recommendations have changed. For example, NIST recommends avoiding regular password resets and instead employing complex and longer passwords (15 characters or more). In addition, user-proposed passwords should be checked against banned password lists. I’ll explain those further below.

Minimum password age

This setting tells you how long a password needs to be in effect until it can be reset again. If this is set to 3 days, after a user resets their password, they won’t be able to reset it again until 3 days have passed.

Minimum password length

This sets the minimum number of characters a password must contain. The default of ‘7’ should rarely if ever be used. Double this at least. Plus, encourage your users to use passphrases when creating their passwords. Instead of a random 15 or 20-character password made up of numbers, letters, and special symbols, use a password like ‘myfavoritevacationwasmteverest’. Even though I am only using lowercase letters, this is a much more robust password that would take CENTURIES to be brute-forced.

Password must meet complexity requirements

This is a simple toggle – Enable this to require a strong password (using 3 of the 4 character type categories: lowercase letters, uppercase letters, numbers, non-alphanumeric – special characters), or Disable this (please don’t) to allow simple passwords. Simple passwords are very susceptible to brute force attacks by hackers.

Store passwords using reversible encryption

This security setting determines whether the operating system stores passwords using reversible encryption. The default is Disabled. Only special use cases would require this functionality.

What is Fine-Grained Password Policy?

A Fine-Grained Password Policy (FGPP) is a specific password policy designed to accommodate varying types of users with varying complexities. As I mentioned above, you can manage these in the Active Directory Administrative Center under the System -> Password Settings Container area.

You can also use PowerShell, of course.

Use ‘New-ADFineGrainedPasswordPolicy’ to create a new policy and ‘Get-ADFineGrainedPasswordPolicy’ to view existing policies. Then use ‘Add-ADFineGrainedPasswordPolicySubject’ to ‘assign’ the policies to specific Users and/or Groups in your domain.
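Putting those three cmdlets together, here is the stricter policy for privileged accounts mentioned earlier, created, assigned and verified end to end. This is an added example, not code from the article; it assumes the RSAT ActiveDirectory module and Domain Admins rights, and the policy name, precedence and values are illustrative choices rather than values the article prescribes.

```powershell
# Added example (not from the article): a stricter Fine-Grained Password Policy for
# privileged accounts. Assumes the RSAT ActiveDirectory module and Domain Admins rights.
# The PSO name, precedence and values below are illustrative choices.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'

# Create the Password Settings Object (PSO) once. Precedence: the lowest number wins
# when a user is covered by several PSOs. MaxPasswordAge must exceed MinPasswordAge.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -Description 'Stricter password rules for AD-privileged groups' `
        -MinPasswordLength 25 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge '3.00:00:00' `
        -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '00:30:00' `
        -LockoutDuration '00:30:00' `
        -ProtectedFromAccidentalDeletion $true
}

# Assign it. PSOs apply to user objects and global security groups (not OUs), so
# membership in the group is what carries the policy to an account. 'Domain Admins'
# is a global group; put other privileged accounts in a global group of your own.
$existing = (Get-ADFineGrainedPasswordPolicySubject -Identity $psoName).Name
$toAdd = @('Domain Admins') | Where-Object { $_ -notin $existing }
if ($toAdd) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $toAdd
}

# Verify: list the subjects, then confirm a Domain Admins member resolves to the PSO.
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName | Select-Object Name, objectClass

$sample = (Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object objectClass -eq 'user' | Select-Object -First 1).SamAccountName
if ($sample) {
    "$sample resolves to PSO: $((Get-ADUserResultantPasswordPolicy -Identity $sample).Name)"
}
```

The creation is guarded so the script can be re-run safely, and the subject list is checked before adding so an already-assigned group is not re-added. The last lines matter most: an account only inherits the PSO through a global security group or a direct assignment, so confirm the resultant policy for at least one member rather than trusting the assignment step alone.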

Best practices – AD password policy

There are many reasons to make sure you’ve set your organization’s password policies to be secure and robust. Other compliance protocols and initiatives may also contribute to spending more time on this subject. Let me provide you with a good list of recommended practices for setting up these policies.

  1. Set your minimum password length to 12 (or more). Each time you increase this setting you geometrically increase the security of these passwords, making it harder for hackers to guess them.
  2. Change the minimum password age to 3 or 4 days. This deters users from ‘using up all of their old passwords’ so they can recycle them.
  3. Enforce a password history of 10 passwords. There’s no reason to allow any more than this number.
  4. Utilize banned password lists, password dictionaries, and other breached lists to avoid the use of vulnerable passwords in your org. You can use this Microsoft Entra on-premises Password Protection website to learn more.
  5. Look into 3rd-party password management tools like CyberArk for the administrative functions and processes your IT Pros and admins carry out daily. I have used CyberArk and highly recommend it. As an example, IT Pros log into a secure webpage to access their passwords in their ‘CyberArk’ vault. Settings such as having each password reset every 9 hours are a wonderful way to thwart hackers in your company.
  6. Require AD-privileged accounts (Enterprise Admin, Domain Admin, Schema Admin) to have a minimum password length of 25 characters (or more).
  7. Set up email notifications to be sent to users x days before a password expiration.
  8. Create a thorough and encompassing ‘User Security Training’ program so all of your users understand the importance of not writing down passwords, using password phrases instead of common words, etc.
  9. Discourage users from using the same password for multiple applications and websites. Inform them that if a hacker obtains one of their passwords, that hacker would be able to access all of their accounts with minimal effort!
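Several of these recommendations can be checked against a live domain rather than by eye. The following is an added example (not code from the article): it reads the default domain policy and reports each setting against the figures in the list above (treating the length, age and history figures as minimums), then flags Domain Admins members whose effective minimum length is still below 25. It assumes the RSAT ActiveDirectory module; the output is advisory and changes nothing.

```powershell
# Added example (not from the article): audit the domain password policy against the
# recommendations above. Assumes the RSAT ActiveDirectory module. Thresholds are the
# article's figures treated as minimums; nothing here changes the policy.
Import-Module ActiveDirectory

$p = Get-ADDefaultDomainPasswordPolicy

# Each check: the setting, the target from the list above, the live value, and a test.
$checks = @(
    @{ Setting = 'Minimum password length';  Target = '>= 12';     Actual = $p.MinPasswordLength
       Pass = $p.MinPasswordLength -ge 12 }
    @{ Setting = 'Minimum password age';     Target = '>= 3 days'; Actual = $p.MinPasswordAge
       Pass = $p.MinPasswordAge -ge [TimeSpan]::FromDays(3) }
    @{ Setting = 'Enforce password history'; Target = '>= 10';     Actual = $p.PasswordHistoryCount
       Pass = $p.PasswordHistoryCount -ge 10 }
    @{ Setting = 'Complexity requirements';  Target = 'Enabled';   Actual = $p.ComplexityEnabled
       Pass = $p.ComplexityEnabled -eq $true }
    @{ Setting = 'Reversible encryption';    Target = 'Disabled';  Actual = $p.ReversibleEncryptionEnabled
       Pass = $p.ReversibleEncryptionEnabled -eq $false }
)

$report = foreach ($c in $checks) {
    $result = if ($c.Pass) { 'OK' } else { 'FIX' }
    [pscustomobject]@{
        Setting = $c.Setting
        Actual  = $c.Actual
        Target  = $c.Target
        Result  = $result
    }
}
$report | Format-Table -AutoSize

# Privileged accounts: flag Domain Admins members whose resultant policy (a PSO if one
# applies, otherwise the domain default) still has a minimum length below 25.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $pso     = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $minLen  = if ($pso) { $pso.MinPasswordLength } else { $p.MinPasswordLength }
        $polName = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        if ($minLen -lt 25) {
            "$($_.SamAccountName): effective minimum length $minLen (< 25) from '$polName'"
        }
    }

# The domain-level values come from the Default Domain Policy GPO. Fix findings in that
# GPO (the GPMC path shown earlier) so the next policy refresh does not revert them.
```

The report does not cover banned password lists, training or third-party vaults, which have no attribute in AD to read; those items stay on the manual checklist.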

Another best practice I highly recommend is downloading Microsoft’s latest security baselines from the Microsoft Security Compliance Toolkit website. Browse the website for additional information.

To download the kit for specific versions of Windows client and server, navigate to the Microsoft Download Center, choose Download, and choose your specific version. This includes the latest guidance on best practices for establishing password policies and FGPP in your organization.

Benefits of strong password policies

Implementing strong password policies in AD provides a fundamental ‘ground floor’ for security models in your enterprise. Here are some of the top reasons and benefits of incorporating strong password policies in Active Directory.

  • Reduced Risk of Data Breaches – Having regular password changes helps minimize compromised credentials being used against your employees, and your bottom line.
  • Enhanced Security – Cyberattacks are much less likely in your future if your strong password policies are in place. By enforcing complex passwords that are nearly impossible to guess, you drastically reduce the likelihood of unauthorized access into your systems.
  • Regulation Compliance – Many industries need to adhere to regulatory bodies, and standards such as GDPR, HIPAA, and PCI-DSS. Included in the requirements for these bodies are strong and complex password policies. This is an easy win for maintaining compliance and even cyber insurance.
  • Improved User Accountability – Deterring unauthorized access with a strong password policy and account lockout mechanisms helps identify potential security threats by tracking failed login attempts.

How to validate and monitor password policy in AD

Let me recap the various tools you can use to validate and manage your Active Directory password policies.

Group Policy Management Console

Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy to view and edit each password policy in your domain.

PowerShell

Use ‘Get-ADDefaultDomainPasswordPolicy’ to view the current password policy in your default domain policy.

You can also use ‘Get-ADFineGrainedPasswordPolicy’ to examine your current FGPPs.

Active Directory Administrative Center

Use this tool to browse to your domain, then System, then Password Settings Container to view and manage your Fine-Grained Password Policies (FGPP).

Local Security Policy Tool

On any domain-joined computer, you can run ‘secpol.msc’ to open the Local Security Policy editor and browse to Account Policies -> Password Policy.

There are also a variety of methods to monitor and audit related events surrounding password policies.

Audit policies

You can enable auditing for account management activities.

  • In the Group Policy Management Console (GPMC), browse to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy. Here you can define auditing for Success and Failure statuses.

Event Viewer logs

Monitor Event IDs 4723 and 4724 for any password changes in the Security logs in Event Viewer.

You should also set up notifications for specific events, maybe during certain times of the day or week, to remain vigilant on critical changes to passwords.
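For the audit-policy and Event Viewer points above, here is an added example (not code from the article) that first confirms the relevant audit subcategory is switched on and then summarises the last seven days of 4723 and 4724 events. It assumes it runs on a domain controller (or that you add -ComputerName to Get-WinEvent), and that the ‘User Account Management’ subcategory is where Windows records these two events.

```powershell
# Added example (not from the article): confirm password-change auditing is on, then
# summarise 7 days of 4723 (user changed own password) and 4724 (password reset by
# another principal, e.g. help desk or an admin) from the Security log.
# Assumes it runs on a DC; add -ComputerName to Get-WinEvent to query a remote DC.

# Both event IDs are recorded under the "User Account Management" audit subcategory.
auditpol /get /subcategory:"User Account Management"

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4723, 4724
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches

# Read named fields from the event XML instead of positional Properties, whose
# order differs between the two event IDs.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $action = if ($e.Id -eq 4723) { 'ChangeAttempt' } else { 'ResetAttempt' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Action  = $action
        Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Target  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Success = $e.KeywordsDisplayNames -contains 'Audit Success'
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Triage views: who is resetting other accounts' passwords, and which accounts are
# reset most often. One subject resetting many accounts in a short window, or any
# reset of a privileged account outside a change ticket, deserves a closer look.
$rows | Where-Object { $_.Id -eq 4724 -and $_.Success } |
    Group-Object Subject | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$rows | Where-Object { $_.Id -eq 4724 } |
    Group-Object Target | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Each change is logged only on the domain controller that processed it, so run this against every DC (or against a SIEM that already collects their Security logs) before drawing conclusions from the counts.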

Third-party tools

There are a wide variety of third-party software tools and solutions that enable you to focus more on your business and let them take care of your important password policies.

Examples include CrowdStrike, SolarWinds, Netwrix, ManageEngine, and Lepide.
