In a fairly large organisation, all computers are joined to a domain managed by Active Directory, which controls how computers and users are organised, secured and connected. To maximise security the server admin performs many tasks; specifying how passwords must be handled is one of them.
Default Password Policies in Active Directory
There are many settings available, ranging from how you must compose your password to after how many days it expires. In Active Directory, password policies are found at Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies. The default Password Policy settings are:
| Policy Setting | Default Setting Value |
|---|---|
| Enforce password history (number of unique new passwords that have to be associated with a user account before an old password can be reused) | 24 |
| Maximum password age | 42 days |
| Minimum password age | 1 day |
| Minimum password length | 7 |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption | Disabled |
| Account lockout duration | Not defined |
| Account lockout threshold | 0 |
| Reset account lockout counter after | Not defined |
| Enforce user logon restrictions | Enabled |
| Maximum lifetime for service ticket | 600 minutes |
| Maximum lifetime for user ticket | 10 days |
| Maximum lifetime for user ticket renewal | 7 hours |
| Maximum tolerance for computer clock synchronization | 5 minutes |
What Password Policies Are and How They Work
Users in a company are grouped into OUs (Organisational Units), which are part of a domain. Password policies are applied at the domain level, not at the OU level. A common misconception is that different OUs can have different password policies; this is not the case, and all computers in the domain get the same password policy. Server admins configure it with the steps below:
- Create a new GPO
- Link it to the Domain Level
- Give it higher precedence than the Default Domain Policy in the Group Policy Management tool.
- The settings in this new GPO will override the settings in the Default Domain Policy due to the higher precedence.
More recently, multiple password policies can be applied, either with a third-party product or with Fine-Grained Password Policies (FGPP), which do not use the GPO mechanism to deploy policies.
Known facts about previous versions of Windows Server
- Only one password policy was applied to domain users in an Active Directory domain.
- For every user in Active Directory, located in the Security Account Manager (SAM) on a server, the Default Domain Policy always defined the password policies by default.
- Multiple password policies could not be configured for different users in the domain or in an Organizational Unit (OU).
A few tips for server admins to make enforced password policies more secure
- Set the Windows Server 2008 domain functional level (or that of the latest installed server) when installing a new Active Directory or upgrading a domain from Server 2003 to 2008.
- You can view the domain password policy from the command line with the command net accounts.
- To prevent users from changing their password repeatedly in a short time, extend the Minimum Password Age policy. Windows Server 2008 R2 stores up to 24 passwords in the password history, and once those are used up an old password can be reused again.
- Store passwords using reversible encryption: if enabled, passwords may effectively be stored in plain text. Enable it only when the organisation uses an application that needs to read passwords.
- Enable the Password Must Meet Complexity Requirements policy to ensure more secure passwords built from a combination of character types.
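As an added example (not from the original post), the PowerShell script below checks the default domain policy, and every FGPP that overrides it, against the tips above. It assumes the RSAT ActiveDirectory module is installed and the account running it can read the domain's policy objects.

```powershell
# Added audit script, not part of the original post. Assumes the ActiveDirectory
# module (RSAT) is available and the caller can read domain policy objects.
Import-Module ActiveDirectory

function Test-PasswordPolicy {
    param([Parameter(Mandatory)] $Policy, [string] $Name = 'Default Domain Policy')

    $findings = @()

    # With a minimum age below 1 day a user can burn through the 24-entry history
    # in minutes and land back on the old password.
    if ($Policy.MinPasswordAge.TotalDays -lt 1) {
        $findings += 'MinPasswordAge is below 1 day: password history can be cycled through at once'
    }
    if ($Policy.PasswordHistoryCount -lt 24) {
        $findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount) (default 24)"
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'ComplexityEnabled is false'
    }
    # Reversible encryption makes stored passwords recoverable in clear text.
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'ReversibleEncryptionEnabled is true: passwords are recoverable as plain text'
    }
    if ($Policy.MinPasswordLength -lt 7) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength) (default 7)"
    }
    # The default threshold of 0 means accounts never lock out on bad passwords.
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += 'LockoutThreshold is 0: no account lockout on repeated bad passwords'
    }

    [pscustomobject]@{ Policy = $Name; Findings = $findings }
}

# Check the domain-level policy first, then each FGPP (these win, by precedence,
# for the users and groups they apply to).
Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    Test-PasswordPolicy -Policy $_ -Name "FGPP $($_.Name) (precedence $($_.Precedence))"
}
```

An empty Findings list means the policy matches or exceeds the defaults and tips listed on this page; each entry names the setting to revisit.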
With Anakage intelligent training technology it is easier to learn these concepts. It guides you step by step on your system. The topic discussed above is also part of our "Learning Application" for Windows Active Directory. If you want to evaluate it, let us know by sending a mail to firstname.lastname@example.org. You can learn more about our training offering.