Cyber Security

Active Directory: Changing Default Password and Lockout Policies

Default Domain Policy password policies determine the complexity and minimum length of Active Directory domain passwords. Because the preconfigured default settings are suboptimal, many administrators decide to change them. In this blog post I will walk through changing the default password settings, resetting the policies to their default state and configuring lockout policies.

Showing Password and Account Lockout Policies

The default settings can be found on a domain controller of your domain. Open gpmc.msc. Go to Domains – YourDomainName – Default Domain Policy.


The password and lockout policies can also be displayed with PowerShell.



Additional Note

If changes have already been made here, the Default Domain Policy can be restored with the command dcgpofix. All settings are then reset to their defaults. Keep in mind that all settings of the policy will be restored, not only the password and lockout policies.

dcgpofix /target:domain


Changing the Default Password Policy

Right-click Default Domain Policy, select Edit and then navigate to

Computer Configuration – Policies – Windows Settings – Security Settings – Account Policies – Password Policy


Each of the settings also comes with a description. The explanations are excellent: readers who take the time to go through them have a clear advantage.


Changing the Lockout Policy

To change the default lockout policy go to

Computer Configuration – Policies – Windows Settings – Security Settings – Account Policies – Account Lockout Policy

I strongly recommend changing these settings to limit brute-force attacks. Set the lockout threshold to a value of your choice, but do not leave it at 0, because 0 means accounts are never locked out.


Let's say we have configured lockout to 3 invalid attempts, a 30 minute lockout duration and a 30 minute reset counter.



If an Active Directory user enters his password incorrectly more than 3 times, he is locked out for 30 minutes and cannot log in (account lockout duration). If a user enters his password incorrectly 2 times, the counter of failed attempts is reset after 30 minutes and he again has 3 attempts (reset account lockout counter).

Changing the Default Password and Lockout Policy with PowerShell

Enough of clicking inside a graphical interface. Below, the minimum password length is changed to 9 characters and the maximum number of invalid login attempts (lockout threshold) to 3 for the whole domain with a PowerShell one-liner.

# YourDomainName is a placeholder for the DNS or NetBIOS name of your domain
Set-ADDefaultDomainPasswordPolicy -Identity YourDomainName -MinPasswordLength 9 -LockoutThreshold 3

As you can see, changes are made instantly.
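As an added example (not code from the original post), the following script reads the current Default Domain Policy, compares it with the values used above and applies only the settings that deviate. It assumes the baseline values of this post (9 characters, 3 attempts, 30 minutes each) and uses (Get-ADDomain).DNSRoot instead of a hard-coded domain name.

```powershell
# Added example (not from the original post): audit the Default Domain Policy
# against the values used above and apply only the settings that deviate.
# Requires the ActiveDirectory module (RSAT) and rights to edit the policy.
Import-Module ActiveDirectory

# Baseline assumed from this post: 9-character minimum, 3 invalid attempts,
# 30 minutes lockout duration, 30 minutes reset counter (observation window).
$Baseline = @{
    MinPasswordLength        = 9
    LockoutThreshold         = 3
    LockoutDuration          = New-TimeSpan -Minutes 30
    LockoutObservationWindow = New-TimeSpan -Minutes 30
}

# AD rejects an observation window that is longer than the lockout duration.
if ($Baseline.LockoutObservationWindow -gt $Baseline.LockoutDuration) {
    throw 'LockoutObservationWindow must not exceed LockoutDuration.'
}

$Domain  = (Get-ADDomain).DNSRoot
$Current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

# A lockout threshold of 0 means accounts are never locked out; flag it explicitly.
if ($Current.LockoutThreshold -eq 0) {
    Write-Warning 'LockoutThreshold is 0: account lockout is disabled for this domain.'
}

# Collect every setting whose current value differs from the baseline.
$Changes = @{}
foreach ($Name in $Baseline.Keys) {
    if ($Current.$Name -ne $Baseline[$Name]) {
        '{0}: current {1}, baseline {2}' -f $Name, $Current.$Name, $Baseline[$Name]
        $Changes[$Name] = $Baseline[$Name]
    }
}

if ($Changes.Count -eq 0) {
    'Default Domain Policy already matches the baseline.'
} else {
    # Splat only the deviating settings; add -WhatIf to preview without changing anything.
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Changes
    Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
        Select-Object MinPasswordLength, LockoutThreshold, LockoutDuration, LockoutObservationWindow
}
```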


Configuring Password Policies for Individual Users and Groups (Fine-Grained Password Policies)

Did you know that you can set password policies for individual users or groups? If interested, see my blog post PowerShell: Configuring Fine Grained Password Policies (PSO).

