Active Directory Password Policy: Guide and Best Practices

What is the Active Directory Default Password Policy?

In order to protect against these attacks, organizations must have a robust password policy for their Active Directory. This policy establishes guidelines for creating passwords, including minimum length, complexity (such as the inclusion of special characters), and the duration before the password must be changed. By default, Active Directory comes with a preset domain password policy that sets the requirements for user accounts, including password length, age, and other factors.

How to Configure the Domain Password Policy

To configure the domain password policy, administrators can use the Default Domain Policy, a Group Policy object that affects all objects within the domain. To access and edit this policy, the Group Policy Management Console (GPMC) must be opened. The policy can be found under:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.

Alternatively, the domain password policy can be accessed through PowerShell by running the command “Get-ADDefaultDomainPasswordPolicy”.

It’s important to note that any changes made to the default password policy will apply to all accounts within the domain. Administrators also have the option to create and manage more specific password policies using the Active Directory Management Center (ADAC) in Windows Server.

Default Password Policy Settings

The following are the six default password policy settings and their default values:

Enforce password history: The default value is 24. This setting determines the number of unique passwords users must create before reusing an old password. It is recommended to keep the default value to minimize the risk of compromised passwords.

Maximum password age: The default value is 42. This setting specifies the duration a password can exist before the system prompts the user to change it. Users usually receive a warning when nearing the password expiration. It is possible to check this setting through PowerShell with the command “net user USERNAME/domain”. It is generally not advisable to set the value to 0, as it means passwords will never expire.

Minimum password age: The default value is 1 day. This setting determines how long a password must exist before the user can change it. Setting a minimum age prevents users from constantly resetting their password to bypass the “Enforce password history” setting and immediately reuse a preferred password.

Minimum password length: The default value is 7. This setting establishes the minimum number of characters required for a password. While shorter passwords are easier for hackers to crack, setting a very long minimum length can lead to typos and users resorting to writing down their passwords. It is recommended to have a minimum password length of at least 8 characters.

Complexity requirements: The default value is Enabled. This setting specifies the character types that must be included in a password. Although it was previously recommended to enable this setting, current best practices prioritize password length over complexity or frequent changes. Complexity requirements typically include a combination of uppercase letters, lowercase letters, numbers, and non-alphanumeric characters. Additionally, it restricts the usage of no more than two symbols from the user’s account name or display name.

Store passwords using reversible encryption: The default value is Disabled. This setting is designed for applications that require users to enter a password for authentication. Administrators should keep this setting disabled as enabling it would allow attackers who know the encryption method to log into the network after compromising an account. There are exceptions, such as enabling this setting for Internet Authentication Services (IAS) or the Challenge Handshake Authentication Protocol (CHAP).

What is Fine-Grained Password Policy (FGPP)?

Older versions of AD allowed the creation of just one password policy for each domain. The introduction of fine-grained password policies (FGPP) has made it possible for admins to create multiple password policies to better meet business needs. For example, you might want to require admin accounts to use more complex passwords than regular user accounts. It’s important that you define your organizational structure thoughtfully so it maps to your desired password policies. While you define the default domain password policy within a GPO, FGPPs are set in password settings objects (PSOs). To set them up, open the ADAC, click on your domain, navigate to the System folder and then click on the Password Settings Container.

NIST SP 800-63 Password Guidelines

The National Institute of Standards (NIST) is a government agency responsible for establishing rules and guidelines for managing digital identities. Special Publication 800-63B outlines the standards for passwords. The current standard is Revision 3 of SP 800-63B, which was issued in 2017 and updated in 2019. These guidelines serve as a basis for organizations to create a strong password security infrastructure. NIST recommendations include: requiring user-generated passwords to be at least 8 characters (6 for machine-generated), allowing passwords up to 64 characters, permitting the use of any ASCII/Unicode characters, prohibiting sequential or repeated characters in passwords, and discouraging frequent password changes. The latest NIST 800-63B standards emphasize the careful use of password expiration policies as research shows that alternatives like banned password lists, longer passphrases, and multi-factor authentication (MFA) provide better security.

Active Directory Password Policy Best Practices

Below is a summary of AD password policy best practices:

• Implement a minimum password length of 8 characters.
• Enforce a password history policy that checks the last 10 passwords used by a user.
• Set a minimum password age of 3 days to prevent users from quickly cycling through previous passwords.
• Use banned password lists, breached password lists, and password dictionaries to check the strength of proposed new passwords.
• Reset local admin passwords every 180 days using an automated password reset tool.
• Change device account passwords at least once per year.
• Ensure domain admin account passwords are at least 15 characters long.
• Implement email notifications to alert users when their passwords are about to expire using an automated password expiration reminder tool.
• Create granular password policies for specific organizational units instead of modifying the Default Domain Policy.
• Utilize password management tools to securely store passwords.
• Enable users to change passwords via a web browser and provide guidance on selecting strong passwords.
• Implement account lockout policies to prevent brute force attacks.
• Emphasize the importance of not writing down passwords.
• Encourage users to enter passwords discreetly, without anyone watching.
• Educate users on the significance of distinguishing between “HTTPS://” and “HTTP://” in URLs for enhanced security.
• Discourage the use of the same password for multiple websites accessing sensitive information.

How Lepide Helps Secure Active Directory Passwords

The Lepide Data Security Platform will give you complete visibility into passwords that never expire. With customizable, automated emails, Lepide notifies users about their password expiry date, reminding them to reset their passwords. Follow-up notifications are also available for users who fail to take immediate action.

By identifying and addressing passwords that never expire, Lepide helps reduce the potential threat surface area. Detailed reports can be generated in seconds, providing an overview of expired passwords, upcoming password expirations, logon failures, account lockouts, and more. These reports can be conveniently delivered via email and exported in common formats.

The Lepide Data Security Platform includes a module called Account Lockout Investigator, which helps IT administrators identify the cause of account lockouts in real time. This tool simplifies and speeds up the investigation process, allowing administrators to unlock user accounts directly from the tool. Additionally, it helps fulfill service level agreements by identifying lockouts related to service accounts.

If you’d like to see how the Lepide Data Security Platform can help you manage your Active Directory password policy, schedule a demo with one of our engineers or start your free trial today.