
Active Directory: Changing Default Password and Lockout Policies

The password policy in the Default Domain Policy determines the complexity, history and minimum length of Active Directory domain passwords, and its account lockout policy determines what happens after repeated failed logons. Because the preconfigured defaults are weak (for example, lockout is disabled), many administrators change them. In this blog post I will show how to change the default password settings, how to reset the policy to its default state and how to configure lockout policies.

Showing Password and Account Lockout Policies

The settings live in the Default Domain Policy GPO. Open gpmc.msc on a domain controller (or on any machine with the Group Policy Management Console installed) and go to Forest – Domains – YourDomainName – Default Domain Policy.


The effective password and lockout policies can also be displayed with PowerShell (the cmdlet reads the attributes of the domain object, which is what the GPO settings are ultimately written to).


Get-ADDefaultDomainPasswordPolicy


Additional Note

If changes have already been made here, the Default Domain Policy can be restored to its installation state with the command dcgpofix. Keep in mind that the whole GPO is reset, not only the password and lockout policies: every other setting in the Default Domain Policy (Kerberos policy, user rights assignments, anything added later) is discarded as well, so back up the GPO first.


dcgpofix /target:domain


Changing the Default Password Policy

Right-click Default Domain Policy, select Edit and navigate to

Computer Configuration – Policies – Windows Settings – Security Settings – Account Policies – Password Policy


Each setting has an Explain tab with a description of what it does and what the default is. The explanations are excellent; reading them before changing a value pays off.


Changing the Lockout Policy

To change the default lockout policy go to

Computer Configuration – Policies – Windows Settings – Security Settings – Account Policies – Account Lockout Policy

I strongly recommend enabling lockout to slow down brute-force and password-spraying attacks against domain accounts. A threshold of 0 means accounts are never locked out, so set a value greater than 0. Do not set it too low, though: with a threshold of 3, anyone who knows a few user names can lock those accounts on purpose, a denial of service of your own making. Values in the range of 5 to 10, combined with a matching observation window, are a common compromise.


Let's say we have configured a lockout threshold of 3 invalid attempts, a lockout duration of 30 minutes and a 30-minute reset of the lockout counter.


Explanation:

If an Active Directory user enters the password incorrectly 3 times within the observation window, the account is locked for 30 minutes and cannot log on (Account lockout duration). If the user enters the password incorrectly 2 times and then makes no further failed attempt for 30 minutes, the bad-password counter is reset to 0 and there are again 3 attempts available (Reset account lockout counter after). Without that pause, one more wrong password locks the account. The observation window can never be longer than the lockout duration; the GPO editor enforces this.
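Once lockout is enabled you will need to see who is locked out and why. The following script is an added example and not code from the original post. It lists locked-out accounts and then shows the bad-password counter of one user on every domain controller, because badPwdCount and badPasswordTime are not replicated: each DC keeps its own count, and failed attempts are forwarded to the PDC emulator, whose count is therefore the authoritative one. It assumes the ActiveDirectory RSAT module and read access to the attributes; the user name jdoe is a placeholder.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# RSAT module and permission to read the attributes queried below.
Import-Module ActiveDirectory

function Get-LockedOutAccounts {
    # lockoutTime is replicated, so a single query is enough for this list.
    Search-ADAccount -LockedOut -UsersOnly |
        Select-Object SamAccountName, LockedOut, LastLogonDate
}

function Get-BadPasswordCountPerDC {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    $policy = Get-ADDefaultDomainPasswordPolicy
    $pdc    = (Get-ADDomain).PDCEmulator

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # badPwdCount / badPasswordTime are per-DC values, hence -Server.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                    -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut `
                    -ErrorAction Stop
        } catch {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            continue
        }

        [pscustomobject]@{
            DomainController = $dc.HostName
            IsPdcEmulator    = ($dc.HostName -eq $pdc)   # authoritative counter
            BadPwdCount      = $u.badPwdCount
            Threshold        = $policy.LockoutThreshold
            LastBadPassword  = if ($u.badPasswordTime -gt 0) {
                                   [DateTime]::FromFileTime($u.badPasswordTime)
                               } else { $null }
            LockedOut        = $u.LockedOut
            LockoutTime      = if ($u.lockoutTime -gt 0) {
                                   [DateTime]::FromFileTime($u.lockoutTime)
                               } else { $null }
        }
    }
}

Get-LockedOutAccounts | Format-Table -AutoSize
Get-BadPasswordCountPerDC -SamAccountName 'jdoe' | Format-Table -AutoSize

# To unlock an account after investigating the source of the failed logons:
# Unlock-ADAccount -Identity 'jdoe'
```

A bad-password count that keeps climbing on the PDC emulator after the user has stopped typing points to a stale credential somewhere (a mapped drive, a scheduled task, a service account, a phone) or to a spraying attack; the security event log of that DC (event 4740 for the lockout, 4771 and 4776 for the failed attempts) names the source computer.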

Changing the Default Password and Lockout Policy with PowerShell

Enough of clicking inside a graphical interface. Below, the minimum password length is changed to 9 characters and the lockout threshold to 3 invalid attempts for the domain sid-500.com with a PowerShell one-liner. Lockout duration and observation window are not specified, so they keep their domain defaults of 30 minutes each.


Set-ADDefaultDomainPasswordPolicy -Identity sid-500.com -MinPasswordLength 9 -LockoutThreshold 3

The change is written to the domain object immediately; run Get-ADDefaultDomainPasswordPolicy again to confirm it. Keep the Default Domain Policy GPO in agreement, though: if the GPO still defines the old values, security policy processing on the PDC emulator can write them back, so either set the values in the GPO as well or use the cmdlet consistently.
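Putting Get-ADDefaultDomainPasswordPolicy and Set-ADDefaultDomainPasswordPolicy together, the following script is an added example, not code from the original post. It compares the current policy with a baseline and, when run with -Apply, sets every value that drifts. The baseline numbers are this example's own assumptions, not a Microsoft standard, and the script needs the ActiveDirectory RSAT module (Domain Admin rights for -Apply).

```powershell
# Added example (not from the original post): audit the Default Domain Policy
# against a baseline and, with -Apply, enforce it. The baseline values below
# are assumptions for illustration; replace them with your own standard.
Import-Module ActiveDirectory

function Test-DefaultDomainPasswordPolicy {
    param(
        [string] $Domain = (Get-ADDomain).DNSRoot,   # e.g. 'sid-500.com'
        [switch] $Apply
    )

    # Example baseline. Every key is a parameter name of
    # Set-ADDefaultDomainPasswordPolicy so the table can be splatted as-is.
    # LockoutThreshold 0 means "never lock out"; a very low value invites a
    # deliberate lockout denial of service, so the check accepts 1..10.
    $baseline = @{
        MinPasswordLength           = 14
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        PasswordHistoryCount        = 24
        LockoutThreshold            = 10
        LockoutDuration             = [TimeSpan]::FromMinutes(15)
        LockoutObservationWindow    = [TimeSpan]::FromMinutes(15)
    }

    $current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    $report = foreach ($name in $baseline.Keys) {
        $want = $baseline[$name]
        $have = $current.$name
        $ok = switch ($name) {
            'MinPasswordLength'    { $have -ge $want }
            'PasswordHistoryCount' { $have -ge $want }
            'LockoutThreshold'     { ($have -ge 1) -and ($have -le $want) }
            # A duration of 0 means "locked until an administrator unlocks",
            # stricter than the baseline, so it passes as well.
            'LockoutDuration'      { ($have -ge $want) -or ($have -eq [TimeSpan]::Zero) }
            # The observation window may never exceed the lockout duration.
            'LockoutObservationWindow' { ($have -ge $want) -and (($current.LockoutDuration -eq [TimeSpan]::Zero) -or ($have -le $current.LockoutDuration)) }
            default                { $have -eq $want }
        }
        [pscustomobject]@{ Setting = $name; Current = $have; Baseline = $want; Compliant = $ok }
    }

    $report | Format-Table -AutoSize

    $drift = @($report | Where-Object { -not $_.Compliant })
    if ($drift.Count -gt 0 -and $Apply) {
        Set-ADDefaultDomainPasswordPolicy -Identity $Domain @baseline
        # Read back to confirm the domain object now carries the baseline.
        Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    }
}

Test-DefaultDomainPasswordPolicy            # report only
# Test-DefaultDomainPasswordPolicy -Apply   # enforce the baseline
```

Run the report-only form from a scheduled task and alert on any non-compliant row; that catches both accidental GPO edits and an attacker who weakened the policy (disabling lockout or enabling reversible encryption is a classic post-compromise move).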


Configuring Password Policies for Individual Users and Groups (Fine-Grained Password Policies)

Did you know that you can set password and lockout policies for individual users or groups? Fine-grained password policies (Password Settings Objects) override the Default Domain Policy for the users they apply to and require a domain functional level of Windows Server 2008 or higher. If interested, see my blog post PowerShell: Configuring Fine Grained Password Policies (PSO).

