Default Domain Policy password policies determine the complexity and minimum length of Active Directory domain passwords. Because the preconfigured default settings are suboptimal, many administrators decide to change the default policy settings. In this blog post I will walk through changing the default password settings, resetting the policies to their default state and configuring lockout policies.
Showing Password and Account Lockout Policies
The default settings can be found on a domain controller of your domain. Open gpmc.msc. Go to Domains – YourDomainName – Default Domain Policy.
The password and lockout policies can also be displayed with PowerShell.
Get-ADDefaultDomainPasswordPolicy
Additional Note
If changes have already been made here, the Default Domain Policy can be restored with the command dcgpofix. All settings are then reset to the default settings. Keep in mind that all settings will be restored, not only the password and lockout policies.
dcgpofix /target:domain
Changing the Default Password Policy
Select Default Domain Policy and right-click Edit. Then navigate to
Computer Configuration – Policies – Windows Settings – Security Settings – Account Policies – Password Policy
Each of the settings also comes with a description. The explanations are excellent, so reading them gives you a clear advantage.
Changing the Lockout Policy
To change the default lockout policy go to
Computer Configuration – Policies – Windows Settings – Security Settings – Account Policies – Account Lockout Policy
I strongly recommend changing these settings to avoid brute-force attacks. Set the lockout threshold to any value you like, but do not leave it at 0, because 0 means accounts are never locked out.
Let’s say we have configured lockout to 3 invalid attempts, 30 minutes lockout duration and 30 minutes reset counter.
Explanation:
If an Active Directory user enters his password incorrectly more than 3 times, he is locked out for 30 minutes and cannot log in ==> account lockout duration. If a user enters his password incorrectly 2 times, he must wait 30 minutes until he can try again 3 times ==> reset duration of the account lockout counter.
Changing the Default Password and Lockout Policy with PowerShell
Enough of clicking inside a graphical interface. Below, the minimum password length is changed to 9 characters and the lockout threshold (maximum invalid login attempts) to 3 for the domain sid-500.com with a PowerShell one-liner.
Set-ADDefaultDomainPasswordPolicy -Identity sid-500.com -MinPasswordLength 9 -LockoutThreshold 3
As you can see, changes are made instantly.
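The following audit script is an added example and not the author's code. It reads the live Default Domain Policy with Get-ADDefaultDomainPasswordPolicy, compares it with the values used in this post (minimum length 9, lockout threshold 3, 30-minute lockout duration and reset window), flags drift, and shows the Set-ADDefaultDomainPasswordPolicy call that would correct it. It assumes the ActiveDirectory module is installed and that the domain name sid-500.com is replaced with your own.

```powershell
# Added example (not the author's code): audit the Default Domain Policy
# password and lockout settings against the values used in this post and
# show the Set-ADDefaultDomainPasswordPolicy call that would fix any drift.
# Assumes the ActiveDirectory module (RSAT) and rights to read/modify the policy.
Import-Module ActiveDirectory

$Domain = 'sid-500.com'   # domain from the post; replace with your own

# Desired baseline: the values discussed in this post
$Baseline = @{
    MinPasswordLength        = 9
    LockoutThreshold         = 3
    LockoutDuration          = [TimeSpan]::FromMinutes(30)
    LockoutObservationWindow = [TimeSpan]::FromMinutes(30)
    ComplexityEnabled        = $true
}

$Current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

# Compare each baseline value with the live policy and collect the drift
$Drift = @{}
foreach ($Setting in $Baseline.Keys) {
    $Live = $Current.$Setting
    if ($Live -ne $Baseline[$Setting]) {
        $Drift[$Setting] = $Baseline[$Setting]
        Write-Warning ("{0}: current = {1}, expected = {2}" -f $Setting, $Live, $Baseline[$Setting])
    }
}

# LockoutThreshold 0 means accounts never lock out, so call it out explicitly
if ($Current.LockoutThreshold -eq 0) {
    Write-Warning 'LockoutThreshold is 0: accounts never lock, so brute-force attempts are not slowed down.'
}

if ($Drift.Count -eq 0) {
    Write-Host "Default Domain Policy for $Domain matches the baseline."
} else {
    # Splat only the drifted settings; -WhatIf previews the change without applying it.
    # Remove -WhatIf to apply the correction.
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Drift -WhatIf
}
```

Run it from an elevated PowerShell session on a domain-joined machine with RSAT; the -WhatIf keeps the first run read-only.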
Configuring Password Policies for Individual Users and Groups (Fine-Grained Password Policies)
Did you know that you can set password policies for individual users or groups? If interested, see my blog post PowerShell: Configuring Fine Grained Password Policies (PSO)