
How to Setup and Manage Active Directory Password Policy. Organizations need a strong password policy now more than ever, given the rise in cyberattacks worldwide. Attackers routinely go after the credentials of ordinary users and administrators to get into corporate networks, which leads to security breaches and compliance failures. This article covers how to build and maintain a solid, effective Active Directory (AD) password policy.

Shall we start with How to Setup and Manage Active Directory Password Policy.

How to Setup and Manage Active Directory Password Policy

Before we start, let’s look at why we need to enforce strong passwords in our AD environment.

How Attackers Compromise Corporate Passwords

Enforcing strong Active Directory passwords is crucial for ensuring the security of your organization’s network. Attackers exploit weak or easily guessable passwords to gain unauthorized access to sensitive information, compromise user accounts, and carry out malicious activities such as data theft or sabotage. On the other hand, strong passwords make it much harder for attackers to crack or guess the password and gain unauthorized access.

Some of the methods adversaries employ to compromise corporate passwords:

  • Brute force attack: the attacker uses automated tools to try a very large number of candidate passwords against a single account until one works. Online, a lockout threshold stops this quickly; offline, against stolen password hashes, only the length and unpredictability of the password slow it down.
  • Dictionary attack: a brute force variant that tries entries from a wordlist (dictionary words, common passwords, previously leaked credentials) instead of every possible combination.
  • Password spraying attack: the attacker tries one or a few very common passwords (such as "Password1") against many accounts, staying below the lockout threshold so that no single account is locked out and the activity blends into normal failed logons.
  • Credential stuffing attack: automated tools submit username and password pairs leaked from other breaches to the organization's login portals, relying on users having reused the same password.
  • Spidering: the attacker gathers as much information as possible about the target (company name, products, locations, staff names, jargon) and builds a custom wordlist from it before trying passwords.

Viewing and Editing the Active Directory Password Policy

Organizations require a robust Active Directory password policy to protect themselves against these threats. Password policies specify password creation criteria, such as the minimum length, complexity (such as if a special character is necessary), and the frequency of password changes.

Administrators set the domain-wide password policy in the Default Domain Policy Group Policy Object (GPO), which is linked at the domain root and applies to every domain account. To view or modify it:

  1. Open the Group Policy Management Console (GPMC).
  2. Expand the Domains folder and select the domain whose policy you want to access.
  3. Click Group Policy Objects.
  4. Right-click Default Domain Policy and select Edit.
  5. In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

Alternatively, we access our domain password policy by executing the following PowerShell command:
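The following PowerShell is an added example and not the command from the original article. It reads the domain-wide policy with the RSAT ActiveDirectory module (Get-ADDefaultDomainPasswordPolicy) and shows how the same values can be changed from the shell. It assumes you run it on a domain-joined host with rights to modify the domain object; the target length of 14 is an illustrative value taken from the Microsoft and CIS recommendations later in the article.

```powershell
# Added example, not from the original article. Requires the RSAT
# ActiveDirectory module and rights to modify the domain head object.
Import-Module ActiveDirectory

# Read the effective domain-wide policy. The values live on the domain object
# (minPwdLength, pwdHistoryLength, maxPwdAge, ...) and are written there by the
# PDC emulator from whichever domain-linked GPO defines Account Policies.
$policy = Get-ADDefaultDomainPasswordPolicy
$policy | Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                      MinPasswordAge, ComplexityEnabled, ReversibleEncryptionEnabled,
                      LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Tighten the policy. -WhatIf prints the intended change without applying it;
# remove it once the values are what you want.
$policy | Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 14 `
    -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false -WhatIf

# Re-read to confirm what the directory reports (unchanged while -WhatIf is on).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, ComplexityEnabled
```

One caveat worth knowing: Set-ADDefaultDomainPasswordPolicy writes directly to the domain object, but the Default Domain Policy GPO is still authoritative. If that GPO defines a different value, the PDC emulator writes the GPO value back at the next policy refresh, so either edit the GPO as described above or keep the GPO and the cmdlet values consistent.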


Remember that any change to the default domain password policy affects every account in the domain. Also note that password and lockout settings in a GPO linked to an OU do not apply to domain accounts: Account Policies for domain accounts are read only from GPOs linked at the domain level (the Default Domain Policy by default), and a GPO linked to an OU only changes the local account policy on the computers in that OU. So do not create a separate GPO and link it to an OU expecting different rules for the users in it. For per-user or per-group differences, use fine-grained password policies, which the Active Directory Administrative Center (ADAC) in Windows Server lets you create and manage.


Understanding AD Password Policy Settings

Understanding AD password policy settings is essential for any organization that wants to maintain a strong security posture and keep its sensitive data and resources safe. We have six password policy options listed below, along with their default values:

  • Enforce password history — Default value is 24. Determines how many new, unique passwords a user must set before an old one can be reused. 24 is also the maximum the setting allows.
  • Maximum password age — Default value is 42 days. Specifies the longest time a user may keep a password before being forced to change it. A value of 0 means passwords never expire.
  • Minimum password age — Default value is 1 day. Specifies how long a user must keep a new password before changing it again. Without it, a user could cycle through 24 changes in a minute to get around "Enforce password history" and land back on a favoured password.
  • Minimum password length — Default value is 7. Sets the fewest characters a password may contain. Longer passwords are far harder to brute force; pair a higher minimum with guidance on passphrases so users do not resort to writing passwords down.
  • Password must meet complexity requirements — Default value is Enabled. Requires characters from at least three of the categories uppercase letters, lowercase letters, digits and non-alphanumeric characters, and rejects passwords that contain the user's account name or parts of the display name.
  • Store passwords using reversible encryption — Default value is Disabled. If enabled, the domain controller stores each password in a form that can be decrypted back to plaintext, which is effectively the same as storing it in clear: anyone who obtains the directory data can log on as those users. Leave it disabled unless a legacy protocol (such as CHAP or Digest authentication) genuinely requires it.

Configuring Fine-Grained Password Policies

Before Windows Server 2008, AD allowed only one password policy per domain. Fine-grained password policies (FGPPs) now let administrators define several sets of password and lockout rules to suit different business needs; for instance, admin accounts should be held to a stricter policy than standard user accounts. Because FGPPs apply to users and global security groups rather than OUs, group membership must be designed deliberately so that it maps to the policies you want to enforce.

While the default domain password policy lives in a GPO, FGPPs are stored as password settings objects (PSOs) in the Password Settings Container of the domain and are assigned to users or global security groups. When several PSOs apply to a user, the one with the lowest precedence value wins, and any applicable PSO overrides the domain-wide policy, so creating a PSO does not involve editing the Default Domain Policy at all.

To change the domain-wide policy itself, go back to the Password Policy node from the earlier steps and double-click the setting you want to modify, such as Minimum password length.
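As an added example (not code from the original article), the following PowerShell creates a PSO with stricter rules for privileged accounts, assigns it to a group, and then checks which policy actually applies to each member. It assumes the RSAT ActiveDirectory module, a domain functional level of Windows Server 2008 or higher, and a global security group named Tier0-Admins; the group name and all policy values are illustrative assumptions.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module and a global security group "Tier0-Admins" (hypothetical name).
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'

# Create the PSO once. Precedence: the lowest number wins if several PSOs
# apply to the same user. Values here are deliberately stricter than the
# domain default (20 characters, 5-attempt lockout).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 20 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 365) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true
}

# PSOs are applied to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Tier0-Admins'

# Verify the resultant policy per member. Get-ADUserResultantPasswordPolicy
# returns $null when no PSO applies and the domain default is in force.
$domainDefault = Get-ADDefaultDomainPasswordPolicy
Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User      = $_.SamAccountName
            Policy    = if ($effective) { $effective.Name } else { '(Default Domain Policy)' }
            MinLength = if ($effective) { $effective.MinPasswordLength } else { $domainDefault.MinPasswordLength }
            Lockout   = if ($effective) { $effective.LockoutThreshold } else { $domainDefault.LockoutThreshold }
        }
    } | Format-Table -AutoSize
```

The resultant-policy check at the end is the part to keep in a scheduled job: a privileged account that reports "(Default Domain Policy)" has slipped out of the group or was created outside it, and is running on the weaker domain-wide rules.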

Password Policy Best Practice

To improve Active Directory security, follow the password policy best practices below. In addition, configure an account lockout policy that locks an account after a defined number of failed logon attempts; this blunts the online brute force and spraying attacks described earlier. Below are the password policy recommendations from the Microsoft, CIS, and NIST security benchmarks.

Microsoft Password Guidelines

These settings are from Microsoft's Security Compliance Toolkit, which ships Microsoft's recommended GPO baselines.

  • Enforce Password History: 24
  • Maximum password age: not set
  • Minimum password age: not set
  • Minimum password length: 14
  • Password must meet complexity: Enabled
  • Store passwords using reversible encryption: Disabled

Note: Microsoft has dropped the password expiration policies starting with the 1903 security baseline.

CIS Benchmark Password Guidelines

These settings are from the CIS Benchmarks. The Center for Internet Security (CIS) is a non-profit organization that develops security guidelines and benchmarks.

  • Enforce Password History: 24 or more
  • Maximum password age: 60 or fewer days, but not 0
  • Minimum password age: 1 or more days
  • Minimum password length: 14 or more characters
  • Password must meet complexity: Enabled
  • Store passwords using reversible encryption: Disabled
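As an added example (not from the original article), the script below audits the current domain-wide policy against the CIS values listed above and reports each deviation. It assumes the RSAT ActiveDirectory module; the pass conditions are transcribed from the list in this article, not from an official CIS export, and the check covers only the Default Domain Policy, not any PSOs that may override it for specific users.

```powershell
# Added example, not from the original article. Compares the domain default
# policy with the CIS values listed in the article. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory
$pol = Get-ADDefaultDomainPasswordPolicy

# MaxPasswordAge is a TimeSpan; it is reported as 0 when passwords never expire,
# which CIS explicitly disallows ("but not 0").
$maxDays = $pol.MaxPasswordAge.Days
$minDays = $pol.MinPasswordAge.Days

# One entry per check: observed value, pass condition, and the expected text.
$checks = @(
    @{ Setting = 'Enforce password history';       Value = $pol.PasswordHistoryCount;       Expected = '24 or more';             Pass = { $pol.PasswordHistoryCount -ge 24 } }
    @{ Setting = 'Maximum password age (days)';    Value = $maxDays;                        Expected = '1-60, not 0';            Pass = { $maxDays -ge 1 -and $maxDays -le 60 } }
    @{ Setting = 'Minimum password age (days)';    Value = $minDays;                        Expected = '1 or more';              Pass = { $minDays -ge 1 } }
    @{ Setting = 'Minimum password length';        Value = $pol.MinPasswordLength;          Expected = '14 or more';             Pass = { $pol.MinPasswordLength -ge 14 } }
    @{ Setting = 'Complexity requirements';        Value = $pol.ComplexityEnabled;          Expected = 'Enabled';                Pass = { $pol.ComplexityEnabled } }
    @{ Setting = 'Reversible encryption';          Value = $pol.ReversibleEncryptionEnabled; Expected = 'Disabled';              Pass = { -not $pol.ReversibleEncryptionEnabled } }
)

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting  = $c.Setting
        Current  = $c.Value
        Expected = $c.Expected
        Status   = if (& $c.Pass) { 'PASS' } else { 'FAIL' }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code so a scheduled compliance job can flag drift.
if ($results.Status -contains 'FAIL') { exit 1 }
```

If you follow the Microsoft baseline instead, drop the two age checks (Microsoft no longer sets an expiration) and keep the rest; the table is easy to adjust because each row carries its own pass condition.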

NIST SP 800-63 Password Guidelines

The National Institute of Standards and Technology (NIST), a US federal agency, publishes guidelines and requirements for managing digital identities. Special Publication 800-63B, Authentication and Lifecycle Management, covers the requirements for memorized secrets, which is what NIST calls passwords. The revision this article follows is SP 800-63-3, published in 2017 and updated with errata since.

These recommendations give businesses a solid base to establish a vital infrastructure for password security. NIST offers the following suggestions:

  • Require a minimum length of eight (8) characters for user-chosen passwords and six for randomly generated ones.
  • Allow passwords of at least 64 characters.
  • Accept all printable ASCII characters, the space character, and Unicode characters in passwords.
  • Screen new passwords against a blocklist of values known to be commonly used, expected, or compromised (breach corpora, dictionary words, repetitive or sequential strings such as "12345", "qwerty" or "ffff", and context-specific words such as the company name), and reject any match.
  • Do not require periodic password changes; force a change only when there is evidence of compromise. Frequent rotation pushes users to make predictable incremental changes or to write passwords down. Instead, combine the blocklist with longer passphrases and multi-factor authentication (MFA).

Microsoft, CIS, and NIST are all reputable organizations that guide password policy settings. Microsoft’s guidelines are based on best practices and recommendations for their software products, while CIS provides a benchmark for industry standard security configurations. NIST, on the other hand, provides detailed and up to date guidance on password policies that many organizations widely use.

It’s important to note that each guideline may have different recommendations based on various factors, including the organization’s size, industry, and specific security requirements. Therefore, it’s essential to review each guideline and select the one that aligns best with your organization’s needs.

Thank you for reading How to Setup and Manage Active Directory Password Policy. We shall conclude the article.

How to Setup and Manage AD Password Policy Conclusion

In conclusion, setting up and managing a password policy for Active Directory is crucial for ensuring the security of our organization's network. By implementing a strong domain-wide policy and applying stricter rules to privileged accounts, we reduce the risk of unauthorized access and protect sensitive information. Remember to choose a suitable minimum length and complexity, define account lockout settings, decide deliberately whether to expire passwords on a schedule (current Microsoft and NIST guidance is not to, provided weak and compromised passwords are screened out and MFA is in place), and regularly review and update the policy to keep up with evolving threats.

With these best practices in place, we strengthen our organization’s security posture and safeguard against potential security breaches.



Marion Mendoza


Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.
