How to Configure Password Policy

Password policies define characteristics of passwords that are enforced by the system, such as the minimum number of characters in a password or how often the passwords must be changed. There are two ways to configure password policies:

Account Lockout and Password Policies

Account Lockout and Password policies control passwords and user lockout properties for the entire domain.

  • Password Policy settings control characteristics enforced for user passwords.

  • Account Lockout Policy settings control what happens when a user enters one (or more) incorrect passwords.

  • Policy settings are applied to the computer, not the user.

  • Although you can configure Account Policies settings in any GPO, only the settings configured in a GPO linked to the domain take effect.

The following list describes the password policy settings:

  • Enforce password history requires users to create unique passwords. Set this to a high number to keep users from frequently repeating passwords. Windows can remember up to 24 old passwords. A maximum password age must be configured for this setting to take effect.

  • Maximum password age requires the user to change the password after a given length of time. Setting this value to 0 means that the password never expires.

  • Minimum password age keeps users from changing passwords immediately after they've reset them. This prevents users from circumventing the password history by making several password changes in a row to get back to their preferred password. The value must be less than the maximum age and should be greater than 0. A setting of 0 allows the user to reset the password immediately.

  • Minimum password length prevents users from using passwords that are too short. At a minimum, enforce passwords of eight characters or longer.

  • Password must meet complexity requirements prevents using passwords that are easy to guess or easy to crack. This setting enforces the following:

    • Requires users to create a password that contains at least three of the four character types (lowercase letters, uppercase letters, numbers, or symbols such as !, @, #, $, %, ^, &, *).

    • Disallows dictionary words and any part of the user's login name.

    • Requires passwords to be at least six characters long.

  • Store passwords using reversible encryption is, essentially, equivalent to storing plain-text passwords. This setting should be disabled unless a specific application requires access to the plain-text password.

The following list describes account lockout policy settings.

  • Account lockout duration determines the length of time the account will be disabled (in minutes). When the time period expires, the account will be unlocked automatically. When set to a value of 0, an administrator must unlock the account.

  • Account lockout threshold determines the number of attempts a user can make before the account is locked. A typical setting is 3.

  • Reset account lockout counter after determines the amount of time (in minutes) that must pass before the number of invalid attempts counter is reset.
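The following added example (not part of the original article) audits the domain-wide Account Policies described above against the article's baseline and shows the matching remediation. It assumes the ActiveDirectory RSAT module on a domain-joined host; the 90-day maximum age, 30-minute lockout values and the 365-day upper bound are assumed values, not from the article.

```powershell
# Added example: compare the domain-wide password and lockout policy with the
# article's baseline. Requires the ActiveDirectory module; changes need Domain Admin rights.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Baseline values from the article; the 365-day upper bound on MaxPasswordAge is an
# assumption so that a "never expires" value (0 or a huge TimeSpan) is flagged.
$checks = @(
    @{ Name = 'Enforce password history (>= 24)';             Ok = $policy.PasswordHistoryCount -ge 24 }
    @{ Name = 'Maximum password age set (history needs it)';  Ok = $policy.MaxPasswordAge.TotalDays -gt 0 -and $policy.MaxPasswordAge.TotalDays -le 365 }
    @{ Name = 'Minimum password age (> 0)';                   Ok = $policy.MinPasswordAge -gt [TimeSpan]::Zero }
    @{ Name = 'Minimum password length (>= 8)';               Ok = $policy.MinPasswordLength -ge 8 }
    @{ Name = 'Complexity requirements enabled';              Ok = $policy.ComplexityEnabled }
    @{ Name = 'Reversible encryption disabled';               Ok = -not $policy.ReversibleEncryptionEnabled }
    @{ Name = 'Account lockout threshold (1-3 attempts)';     Ok = $policy.LockoutThreshold -ge 1 -and $policy.LockoutThreshold -le 3 }
    @{ Name = 'Lockout duration >= observation window';       Ok = $policy.LockoutDuration -ge $policy.LockoutObservationWindow }
)

foreach ($c in $checks) {
    $status = if ($c.Ok) { 'PASS' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $status, $c.Name)
}

# Remediation for the domain-wide policy. Only settings linked at the domain level
# take effect, which is where this cmdlet writes. Uncomment after reviewing FAIL lines.
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
#     -PasswordHistoryCount 24 -MaxPasswordAge (New-TimeSpan -Days 90) `
#     -MinPasswordAge (New-TimeSpan -Days 1) -MinPasswordLength 8 `
#     -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
#     -LockoutThreshold 3 -LockoutDuration (New-TimeSpan -Minutes 30) `
#     -LockoutObservationWindow (New-TimeSpan -Minutes 30)
```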

Granular Password Policy

Granular password policies allow you to create password policies for users and global groups separate from the password policy applied to the entire domain. Using granular password policies, you could, for example, require administrators to use 14-character passwords while requiring only eight-character passwords for standard users.

In general, you should use Account Policies to enforce a domain-wide password policy. Then use granular password policies to enforce policies for groups of users that have more or less restrictive password policy needs than the domain-wide password policy.

You should know the following facts about granular password policies:

  • The domain must be running at the Windows Server 2008 domain functional level or higher.

  • Password policies affect only user account passwords, not computer account passwords.

  • Only members of the Domain Admins group can set granular password policies, but you can delegate the permission.

  • Granular password policies are saved as a Password Settings object (PSO) in the Password Settings container (PSC).

    • There is one default PSC. It cannot be renamed, deleted, or moved.

    • You can create additional PSCs, but they will not take effect.

    • The PSC holds one or more PSOs. You can define multiple PSOs with unique password policy settings.

  • PSOs have attributes for all of the settings that can be defined in the Default domain policy except Kerberos settings.

  • Policies can be applied to user accounts or global security groups.

    • Each granular policy can be applied to multiple users and/or groups.

    • Granular password policies affect only users within the current domain.

  • Policies are not enforced when applied to OUs, the domain, or other group types.

    • To apply a granular policy to all users within an OU, create a global security group that contains all OU members. Apply the policy to the group.

    • When you move a user account to a different OU, remember to also change the group membership so that the granular password policy no longer applies.
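The added example below (not from the article) implements the administrator scenario described in this section: a PSO requiring 14-character passwords, linked to a global security group, with a check of which policy each member actually receives. The PSO name, group name, and the age and lockout values are assumptions.

```powershell
# Added example: create a granular password policy (PSO) for administrators,
# apply it to a global security group, and verify the resultant policy per user.
Import-Module ActiveDirectory

$psoName   = 'PSO-Admins-14char'   # assumed PSO name
$groupName = 'Tier0-Admins'        # assumed group; must be a *global security* group

# Guard: PSOs are not enforced on OUs, the domain, or other group types (see above).
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
    throw "PSO would not apply to '$groupName' (scope $($group.GroupScope), category $($group.GroupCategory))."
}

# Lower Precedence wins when a user matches several PSOs.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -Description 'Stricter policy for administrative accounts (added example)' `
    -MinPasswordLength 14 -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 3 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# Link the PSO to the group; members inherit it no matter which OU holds them.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify: Get-ADUserResultantPasswordPolicy returns $null when only the domain policy applies.
$domainMinLength = (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [PSCustomObject]@{
            User       = $_.SamAccountName
            AppliedPSO = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
            MinLength  = if ($effective) { $effective.MinPasswordLength } else { $domainMinLength }
        }
    } | Format-Table -AutoSize
```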

Refer to the below video to understand more about the topic.


I hope you find it useful. Let me know your thoughts on this in the comments. If you have any issues or questions about it, feel free to contact me. Thank you 🌟 for reading! Like, share and subscribe to my newsletter for more! 💖

Debasish Lenka
