Password is expiring – behind the scenes


In an organisation of any reasonable size, all computers are joined to a domain using Active Directory, which manages how computers and users are organised, secured and connected. To maximise security the server admin performs many tasks; specifying how you must handle your password is one of them.

Default Password Policies in Active Directory

There are many settings available, ranging from what a password must contain to after how many days it expires. In Active Directory, password policies are found under Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies. The default password policy settings are:

| Policy setting | Default setting value |
| --- | --- |
| Enforce password history (number of unique new passwords that must be used with an account before an old password can be reused) | 24 |
| Maximum password age | 42 days |
| Minimum password age | 1 day |
| Minimum password length | 7 |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption | Disabled |
| Account lockout duration | Not defined |
| Account lockout threshold | 0 |
| Reset account lockout counter after | Not defined |
| Enforce user logon restrictions | Enabled |
| Maximum lifetime for service ticket | 600 minutes |
| Maximum lifetime for user ticket | 10 days |
| Maximum lifetime for user ticket renewal | 7 hours |
| Maximum tolerance for computer clock synchronization | 5 minutes |

What Password Policies Are and How They Work

Users in a company are grouped into OUs (Organisational Units), which are part of a domain. Password policies are applied at the domain level, not at the OU level. A common misconception is that different OUs can have different password policies; that is not the case. All computers in the domain share the same password policy. Server admins set it up with the steps below:

  1. Create a new GPO.
  2. Link it at the domain level.
  3. Give it higher precedence than the Default Domain Policy in the Group Policy Management tool.
  4. Because of the higher precedence, the settings in this new GPO override the settings in the Default Domain Policy.

More recently, multiple password policies can be applied either through third-party products or through Fine-Grained Password Policies (FGPP), which do not use the GPO mechanism to deploy policies.

Known facts about previous versions of Windows Server

  1. Only one password policy was applied to the domain users of an Active Directory domain.
  2. For every user account held in the Security Account Manager (SAM) on a server, the Default Domain Policy defined the password policy by default.
  3. Multiple password policies could not be configured for different users of the domain within an Organizational Unit (OU).

A few tips for server admins on enforcing password policies more securely

  • Set the Windows Server 2008 domain functional level (or that of the latest installed server version) when installing a new Active Directory or upgrading a domain from Server 2003 to 2008.
  • You can view the domain password policy from the command line with the command net accounts.
  • To prevent users from changing their password immediately, the Minimum Password Age policy should be extended. Windows Server 2008 R2 stores up to 24 passwords in the password history, after which an old password can be reused; with no minimum age a user could cycle through the history in one sitting and return to the original password.
  • Store passwords using reversible encryption: if this is enabled, passwords may effectively be stored in plain text. Enable it only when the organisation uses an application that needs to read the passwords.
  • Enable the Password Must Meet Complexity Requirements policy to ensure stronger passwords built from a mix of character types.
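The net accounts check above can be turned into a quick audit. The following Python example is added here and is not part of the original post: it parses a constructed sample of net accounts output and flags every reported setting that is weaker than the defaults in the table earlier; the exact output layout of net accounts and the mapping of None/Never/Unlimited to "no limit" are assumptions.

```python
import re

# Baseline from the page's default-policy table. `net accounts` prints only a subset
# of the settings (no complexity or reversible-encryption flags), so only the fields
# it reports are checked: "min" = must be at least this, "max" = must not exceed this.
BASELINE = {
    "Minimum password age (days)": ("min", 1),
    "Maximum password age (days)": ("max", 42),
    "Minimum password length": ("min", 7),
    "Length of password history maintained": ("min", 24),
}
# Constructed sample of `net accounts` output from a domain whose admin has
# loosened several settings; not captured from a real system.
SAMPLE_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          90
Minimum password length:                              7
Length of password history maintained:                None
Lockout threshold:                                    Never
Computer role:                                        WORKSTATION
The command completed successfully.
"""

def parse_net_accounts(text):
    """Map each 'Setting:  value' line to a dict entry; None/Never/Unlimited become 0."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s+(\S.*?)\s*$", line)
        if not m:
            continue  # banner and status lines carry no setting
        key, value = m.group(1).strip(), m.group(2)
        if value.isdigit():
            policy[key] = int(value)
        elif value in ("None", "Never", "Unlimited"):
            policy[key] = 0  # no limit configured; compares as weaker than any minimum
        else:
            policy[key] = value
    return policy

def audit_policy(policy, baseline=BASELINE):
    """Return (setting, actual, baseline) for each reported setting weaker than baseline."""
    findings = []
    for setting, (kind, expected) in baseline.items():
        actual = policy.get(setting)
        if actual is None:
            continue  # setting not present in this output
        # A maximum age of 0 means Unlimited: passwords never expire, which is weaker.
        if kind == "min" and actual < expected:
            findings.append((setting, actual, expected))
        elif kind == "max" and (actual == 0 or actual > expected):
            findings.append((setting, actual, expected))
    return findings
```

On a domain-joined Windows host, passing the stdout of subprocess.run(["net", "accounts"], capture_output=True, text=True) to parse_net_accounts audits the live policy instead of the sample.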

With Anakage intelligent training technology it is easier to learn these concepts. It guides you step by step on your system. The topic discussed above is also part of our “Learning Application” for Windows Active Directory. If you want to evaluate it, let us know by sending a mail to us at . You can find out more about our training offering.
