Password Policy In Windows Server GPO

The one thing that makes Windows such a strong server operating system is Active Directory. Active Directory is a powerful tool with which we can manage tens of thousands of users in very little time. One of its key components is Group Policy Management, commonly called GPO. GPO is used to define various security policies for users and computers to protect them from external threats. Today we will talk about one of the most widely used GPO security policies: Password Policy.


Path To Password Policy

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

Components Of Password Policy:

Under Password Policy, we can configure the following settings:

  1. Enforce Password History
  2. Maximum Password Age
  3. Minimum Password Age
  4. Minimum Password Length
  5. Password Complexity Requirements
  6. Store passwords using reversible encryption

Let's go through each of the above policies.

1. Enforce Password History:

This policy determines how many previous passwords Active Directory remembers for each user. It prevents users from reusing any of those old passwords when they change their password.

2. Maximum Password Age:

This policy sets the password expiration period in days. Once that period has elapsed, the user is prompted to change the password. You have probably seen these password change prompts appear in the system tray many times.

3. Minimum Password Age:

This policy controls how often users can change their AD password. It is the minimum time a user must keep a password before being allowed to change it again, which stops users from cycling through changes quickly to get back to an old password.

4. Minimum Password Length:

This policy defines the minimum number of characters a password must contain. Whatever value you set, be it 8, 10, 14, or 20, the user must supply a password of at least that many characters when setting or resetting it.

5. Password must meet complexity requirements:

When this policy is enabled, a user cannot use the account name in the password (no more than 2 consecutive characters of a username or first name may appear in the password), and the password must contain characters from at least 3 of the following categories: numbers (0–9), uppercase letters, lowercase letters, and special characters ($, #, %, etc.). Also, to prevent weak passwords (those found in password dictionaries) from being used, it is recommended to regularly audit user passwords in the domain.

6. Store passwords using reversible encryption:

AD stores user passwords in a protected form, but some applications need access to the actual user passwords. For those applications, this policy needs to be enabled, although it makes the passwords considerably less secure, since the stored value can be decrypted back to the original password.
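As an added example (not part of the original post), the following PowerShell script reads the six settings above from the default domain password policy using the RSAT ActiveDirectory module and reports any value weaker than a baseline. The baseline numbers are assumptions chosen for illustration, not values the post prescribes.

```powershell
# Added example: audit the default domain password policy against a baseline.
# Requires the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Baseline values are assumptions for illustration; adjust to your own standard.
$Baseline = @{
    PasswordHistoryCount        = 24      # Enforce password history
    MaxPasswordAgeDays          = 365     # Maximum password age
    MinPasswordAgeDays          = 1       # Minimum password age
    MinPasswordLength           = 14      # Minimum password length
    ComplexityEnabled           = $true   # Password must meet complexity requirements
    ReversibleEncryptionEnabled = $false  # Store passwords using reversible encryption
}

$Policy   = Get-ADDefaultDomainPasswordPolicy
$Findings = @()

if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
    $Findings += "Enforce password history is $($Policy.PasswordHistoryCount); baseline is $($Baseline.PasswordHistoryCount)."
}
# A maximum age of 0 days (or the largest possible TimeSpan) means passwords never expire.
$MaxAgeDays = $Policy.MaxPasswordAge.TotalDays
if ($MaxAgeDays -eq 0 -or $MaxAgeDays -gt $Baseline.MaxPasswordAgeDays) {
    $Findings += "Maximum password age is $MaxAgeDays days; baseline is $($Baseline.MaxPasswordAgeDays)."
}
if ($Policy.MinPasswordAge.TotalDays -lt $Baseline.MinPasswordAgeDays) {
    $Findings += "Minimum password age is $($Policy.MinPasswordAge.TotalDays) days; 0 lets users cycle straight back to an old password."
}
if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
    $Findings += "Minimum password length is $($Policy.MinPasswordLength); baseline is $($Baseline.MinPasswordLength)."
}
if (-not $Policy.ComplexityEnabled) {
    $Findings += "Password complexity requirements are disabled."
}
if ($Policy.ReversibleEncryptionEnabled) {
    $Findings += "Reversible encryption is enabled; stored passwords can be decrypted back to cleartext."
}

if ($Findings.Count -eq 0) {
    Write-Output "Default domain password policy meets the baseline."
} else {
    Write-Output "Findings against the default domain password policy:"
    $Findings | ForEach-Object { Write-Output " - $_" }
}

# Remediation is a deliberate change; the matching cmdlet takes the same setting names, e.g.:
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName -ReversibleEncryptionEnabled $false -MinPasswordLength 14
```

Fine-grained password policies (PSOs) override the default domain policy for the groups they apply to, so check those with Get-ADFineGrainedPasswordPolicy as well before concluding a domain is compliant.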
