What Is & How to Set Up Domain Password Policy
An in-depth guide on everything about domain password policy
Key notes
- Domain Password Policy defines the complexity requirements a user's password must meet when setting up their account.
- As an admin, you should enforce such complex password policies to make sure that the passwords are harder to crack.
A password policy ensures that users create strong passwords, which are less prone to cyber-attacks or impossible for hackers to crack. A Domain Password Policy needs to be set up in Active Directory to keep all user accounts safe and secure. Well, there’s more to it.
This guide will explain the domain password policy and how to set it up. There are several aspects to keep in mind when setting up a domain password policy for user accounts, which we will cover right away.
What is the domain password policy?
Active Directory (AD) is configured with a default domain password policy. This policy defines the password requirements for user accounts, such as the password length, age, and so on.
In short, the domain password policy determines how complex passwords must be and makes all users follow the same guidelines.
A domain password policy is an Active Directory feature that forces all users to follow a set security policy to access the domain and its assets. Password policies are associated with the domain and can be tweaked using group policy.
There are six password policies that you can configure:
- Enforce Password History: This policy prevents users from creating the same passwords or reusing the old ones.
- Maximum Password Age: It defines the number of days a password can be used before it needs to be renewed.
- Minimum Password Age: It determines the minimum number of days a password must be used before the user can change it.
- Minimum Password Length: It defines the minimum number of characters a password must contain.
- Password Must Meet Complexity Requirements: You can enable or disable this setting. When enabled, users must create complex passwords that follow the complexity guidelines.
- Store Passwords Using Reversible Encryption: By default, stored passwords cannot be converted back into plain text. Enabling this setting stores them in a form that can be decrypted, so enable it only for special cases.
How to set up a domain password policy?
1. Use PowerShell
- Open the Start menu by pressing the Win key.
- Type powershell and open it.
- Type the below command and press Enter.
Get-ADDefaultDomainPasswordPolicy
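The six settings listed earlier appear as properties on the object this cmdlet returns. The script below is an added example, not part of the original guide, that compares those properties against a baseline and flags the ones that fall short. The helper name Test-DomainPasswordPolicy, the domain name example.com, and every baseline value except the 14-character minimum length are assumptions, and the sample object is constructed so the script runs without a domain controller.

```powershell
# Added example. Baseline values are assumptions chosen for illustration,
# except MinPasswordLength = 14, which is the value used in this guide.
$Baseline = @{
    PasswordHistoryCount = 24
    MaxPasswordAgeDays   = 90
    MinPasswordAgeDays   = 1
    MinPasswordLength    = 14
}

function Test-DomainPasswordPolicy {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    $maxDays = $Policy.MaxPasswordAge.TotalDays
    $minDays = $Policy.MinPasswordAge.TotalDays
    # Emits one result row per policy setting.
    $row = { param($s, $v, $ok) [pscustomobject]@{ Setting = $s; Current = $v; Compliant = [bool]$ok } }

    & $row 'Enforce password history' $Policy.PasswordHistoryCount ($Policy.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount)
    # A maximum age of 0 means passwords never expire, so it fails any day limit.
    & $row 'Maximum password age (days)' $maxDays ($maxDays -gt 0 -and $maxDays -le $Baseline.MaxPasswordAgeDays)
    & $row 'Minimum password age (days)' $minDays ($minDays -ge $Baseline.MinPasswordAgeDays)
    & $row 'Minimum password length' $Policy.MinPasswordLength ($Policy.MinPasswordLength -ge $Baseline.MinPasswordLength)
    & $row 'Complexity requirements' $Policy.ComplexityEnabled ($Policy.ComplexityEnabled -eq $true)
    & $row 'Reversible encryption' $Policy.ReversibleEncryptionEnabled ($Policy.ReversibleEncryptionEnabled -eq $false)
}

# Constructed sample using the property names Get-ADDefaultDomainPasswordPolicy returns.
$sample = [pscustomobject]@{
    ComplexityEnabled           = $true
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
    MinPasswordAge              = [TimeSpan]::FromDays(1)
    MinPasswordLength           = 7
    PasswordHistoryCount        = 24
    ReversibleEncryptionEnabled = $false
}
Test-DomainPasswordPolicy -Policy $sample -Baseline $Baseline | Format-Table -AutoSize

# On a domain-joined machine with the ActiveDirectory module loaded:
#   Test-DomainPasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Baseline $Baseline
# To change a setting from PowerShell (example.com is a placeholder domain):
#   Set-ADDefaultDomainPasswordPolicy -Identity example.com -MinPasswordLength 14
```

With the constructed sample, only the minimum password length row is reported as non-compliant.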
2. Use Group Policy Management
- Press the Win + R keys to open the Run dialogue.
- Type gpmc.msc and press Enter.
- Expand Domains.
- Expand your domain and then Group Policy Objects.
- Right-click the default domain policy and select Edit.
- Navigate to the below path.
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy
- Double-click on one of the settings on the right side to edit.
- For example, double-click the Minimum password length option and set it to 14 characters.
What other tools to use for password settings?
Apart from the default Windows password policies, you can use third-party tools to enhance the level of policies further and customize the Active Directory’s domain password policy, as per your business’s needs.
1. Password Audits
To avoid attacks on large password repositories, you can perform regular password audits to ensure that all your passwords are safe and secure.
For this purpose, we would suggest you make use of ManageEngine’s ADAudit Plus tool. It has a plethora of features among which some of the best are listed below:
- Continuously audits logon activity.
- Tracks login failures as well as login history.
- Sends real-time alerts regarding lockouts.
- Helps find the root cause of lockouts.
- Monitors employees’ work hours.
- Provides insider threat detection and ransomware detection.
- Gives full visibility into AD and GPO changes.
ManageEngine ADAudit Plus
A well-packaged tool for real-time auditing.
2. Password policy enforcement
ManageEngine also offers another third-party tool to help you with the password policy enforcement task. We recommend using the ManageEngine ADSelfService Plus tool.
This package is available for Windows Server, Azure, and AWS platforms. It helps you create a single sign-on portal that enables users to access all of your domain’s apps and services with a single password.
Some of the best features of the ManageEngine ADSelfService Plus tool are:
- Self-password reset mechanism.
- Self-account unlock mechanism.
- Web-based domain password change.
- Password policy enforcer.
- Multi-factor authentication for Windows, Linux, macOS, and cloud apps.
- Multi-factor authentication for VPNs.
- Notifies you about password expiration.
- Manage passwords right from your mobile.
- Supports compliance with security standards including NIST, HIPAA, and PCI DSS.
ManageEngine ADSelfService Plus
A secure, trusted, and feature-packed password management program with a policy enforcement feature.
With Microsoft Teams, you can also configure it to be HIPAA compliant, especially if you’re dealing with sensitive data.
Feel free to let us know in the comments below if this guide helped you understand the domain password policy and how you can set it up on your PC.