Safeguarding sensitive data begins with securing user credentials. A well-defined Active Directory (AD) password policy plays a pivotal role in strengthening your organization's defenses against unauthorized access. By defining clear guidelines for the password complexity, length, expiration, and lockout thresholds, an AD password policy helps your organization maintain a strong security posture.
An AD password policy defines the rules users must follow when creating and managing their passwords within an AD environment. These rules cover password complexity, length, expiration time, and (through the companion Account Lockout Policy) the lockout threshold. The default domain password policy provides only a baseline level of protection against unauthorized access; the values it ships with are rarely what an organization wants.
Many organizations expose themselves to attackers through weak passwords, which are guessed or sprayed to gain unauthorized access to sensitive data. This weakens the organization's security defenses and can result in lasting damage, often with steep remediation and recovery costs. By implementing a strong password policy in AD, organizations can:
An AD password policy includes the following key components:
Setting | Description | Default value | Best practice |
---|---|---|---|
Enforce password history | This setting specifies how many unique, new passwords must be used before an old password can be reused. | 24 on domain controllers and 0 on stand-alone servers | Set this to 24, the maximum, and pair it with a minimum password age of at least 1 day; with a minimum age of 0, a user can cycle through the entire history in one sitting and land back on the old password. |
Maximum password age | This setting controls how long a password is valid before it must be changed. You can set passwords to expire after 1-999 days, or set them to never expire (0 days). If the maximum age is 1-999 days, the minimum age must be shorter. If the maximum age is 0, the minimum age can range from 0 to 998 days. | 42 days | If MFA is enforced, an expiry of up to one year is reasonable. If MFA isn't enforced, set a limit of 30-90 days. In either case, force a change whenever a credential is suspected to be compromised rather than waiting for the next expiry. |
Minimum password age | This setting specifies how long a password must be used before a user can change it. The value can range from 1 to 998 days, or 0 to allow immediate changes. The minimum age must be less than the maximum age unless the maximum age is 0, which means passwords never expire. | 1 day | Set this to at least 1 day. A minimum age of 0 makes the enforce password history setting ineffective, because users can change their password repeatedly until the old one is accepted again. |
Minimum password length | This setting determines the minimum number of characters required for a password. The Group Policy editor accepts a value from 1 to 14 characters, or 0 for no password requirement. On Windows Server 2019 and later, the "Relax minimum password length limits" setting allows values up to 128. | 7 characters on domain controllers and 0 characters on stand-alone servers | Set this to 12 or more characters. Length protects against offline cracking of stolen hashes far more than character-class rules do. |
Minimum password length audit | This setting lets administrators audit password changes that would violate a planned, higher minimum password length before enforcing it. It can be set to any value from 1 to 128. If this value is less than or equal to the minimum password length, no audit events are issued. If it is greater than the minimum password length and a new password is shorter than this value, an audit event is logged. | 1 | Enable this and set it to the intended new length while evaluating the impact of raising the minimum password length; review the audit events before changing the enforced setting. |
Password must meet complexity requirements | This setting enforces password complexity. If enabled, a password must not contain the user's account name or more than two consecutive characters from the user's full name, must be at least six characters long, and must contain characters from at least three of these five categories: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), non-alphanumeric characters (for example !, $, #, %), and Unicode alphabetic characters that are neither uppercase nor lowercase. | Enabled on domain controllers and disabled on stand-alone servers | Enable this setting, but treat it as a floor: the rules are easily satisfied by predictable patterns such as a capitalized word followed by a digit and a symbol, so combine it with a strong length requirement. |
Store passwords using reversible encryption | This determines whether the OS stores passwords in a form that can be decrypted back to plaintext, which some legacy protocols (for example CHAP and Digest authentication) require. | Disabled | Disable this setting. With it enabled, anyone who can read the directory database, for instance through a DCSync replication request or a copy of NTDS.dit, recovers the plaintext passwords rather than hashes. |
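The following PowerShell script is an added example, not code from the original page or from ManageEngine: it reads the default domain password policy and compares each setting against the best-practice column of the table above, then lists accounts that are flagged to bypass the policy entirely. It assumes the RSAT ActiveDirectory module is installed and the caller can read the domain; the threshold values are taken from the table and are assumptions, not hard rules.

```powershell
# Added example (not from the original page): audit the default domain password policy
# against the best-practice thresholds in the table, then find accounts that sidestep it.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# Each check: setting name, observed value, and a script block that is $true when compliant.
# Thresholds mirror the table's best-practice column (assumed values, adjust to your standard).
$checks = @(
    @{ Name = 'PasswordHistoryCount';        Value = $policy.PasswordHistoryCount;        Test = { $policy.PasswordHistoryCount -ge 10 } },
    @{ Name = 'MaxPasswordAge';              Value = $policy.MaxPasswordAge;              Test = { $policy.MaxPasswordAge.Days -ge 1 -and $policy.MaxPasswordAge.Days -le 365 } },
    @{ Name = 'MinPasswordAge';              Value = $policy.MinPasswordAge;              Test = { $policy.MinPasswordAge.Days -ge 1 } },
    @{ Name = 'MinPasswordLength';           Value = $policy.MinPasswordLength;           Test = { $policy.MinPasswordLength -ge 12 } },
    @{ Name = 'ComplexityEnabled';           Value = $policy.ComplexityEnabled;           Test = { $policy.ComplexityEnabled } },
    @{ Name = 'ReversibleEncryptionEnabled'; Value = $policy.ReversibleEncryptionEnabled; Test = { -not $policy.ReversibleEncryptionEnabled } }
)

Write-Host "Default domain password policy for $($policy.DistinguishedName)"
foreach ($c in $checks) {
    $ok = & $c.Test
    '{0,-28} {1,-20} {2}' -f $c.Name, $c.Value, $(if ($ok) { 'OK' } else { 'REVIEW' })
}

# A policy is only as strong as its exceptions: accounts with PasswordNeverExpires or
# PasswordNotRequired set are exempt from expiry or from the policy altogether.
Write-Host "`nAccounts that bypass the policy:"
Get-ADUser -Filter { Enabled -eq $true -and (PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true) } `
           -Properties PasswordNeverExpires, PasswordNotRequired |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired |
    Sort-Object SamAccountName
```

A MaxPasswordAge of 0 (never expires) fails the age check by design. Users covered by a fine-grained password policy receive different settings than the ones reported here, so the audit is a statement about the domain default, not about every account.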
A fine-grained password policy (FGPP, stored as a Password Settings Object) allows administrators to apply different password policies to specific users or global security groups within the same domain; it cannot be scoped to an OU. While the default domain password policy might suit the majority of employees, privileged users such as administrators with access to sensitive systems warrant stricter settings. When several policies apply to a user, the one with the lowest precedence value wins. By customizing policies based on user roles and responsibilities, organizations can balance security and usability.
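As an added example that is not part of the original page, the PowerShell below creates a stricter fine-grained password policy for privileged accounts, links it to a group, and then checks which policy a given user actually ends up with. It assumes the RSAT ActiveDirectory module, Domain Admin rights, a domain functional level of Windows Server 2008 or later, and that the group `Tier0-Admins` and the user `jdoe.adm` exist; both names are hypothetical.

```powershell
# Added example (not from the original page): create and link a fine-grained password
# policy for Tier 0 administrators, then verify the resultant policy for one user.
# Assumptions: RSAT ActiveDirectory module, Domain Admin rights, DFL >= Windows Server 2008,
# and a hypothetical group 'Tier0-Admins' and user 'jdoe.adm'.
Import-Module ActiveDirectory

$psoName = 'PSO-Tier0-Admins'

# Lower precedence wins when several FGPPs apply to one user, so the privileged-account
# policy gets a low number. Lockout settings are part of the PSO as well.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '365.00:00:00' `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -Description 'Stricter password settings for Tier 0 administrative accounts'

# FGPPs bind to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Tier0-Admins'

# Resultant policy for a user. Returns nothing when only the default domain policy
# applies, so fall back to it explicitly to make the result unambiguous.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'jdoe.adm'
if ($null -eq $resultant) {
    Write-Host 'jdoe.adm is governed by the default domain policy:'
    Get-ADDefaultDomainPasswordPolicy
} else {
    Write-Host "jdoe.adm is governed by FGPP '$($resultant.Name)':"
    $resultant | Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold
}
```

If the user is a member of the group but the fallback branch runs, group membership was cached before the change; a fresh logon or a replication pass resolves it. Run `Get-ADFineGrainedPasswordPolicy -Filter *` to list all PSOs and their precedence when troubleshooting which one wins.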
ADSelfService Plus is an identity security solution that provides self-service password management to help organizations implement and protect their AD password policy. Its Password Policy Enforcer allows you to set stringent password rules, reducing the risk from weak or compromised passwords.
ADSelfService Plus also tracks users' password history, manages account lockouts, sends password expiration notifications, and offers audit and reporting capabilities. In addition to these features, ADSelfService Plus provides adaptive MFA with support for a wide range of authenticators. It offers MFA for endpoints, cloud and on-premises applications, VPNs, and Outlook on the web.
The AD password rule refers to a set of requirements a user must follow when creating or changing passwords in AD. These requirements include the minimum length, complexity, password history, expiration time, and lockout settings.
An AD password is a password a user creates to authenticate themselves within an AD environment. This password must comply with the organization’s defined password policy settings for the user to access network resources and services.
The length of an AD password depends on the policy. The default minimum length on domain controllers is seven characters, and a password itself can be up to 127 characters long. The best practice is to require at least 12 characters.
To enforce a password change every 90 days in AD, set Maximum password age to 90 days in the Default Domain Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy):
Changing passwords every 90 days limits how long an attacker can use a stolen password, but it does nothing about a credential that is used within days of being stolen. It is therefore recommended that you also force password changes in response to risk events, such as a suspected compromise, rather than relying on a fixed schedule alone.
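The PowerShell below is an added example, not from the original page or from ManageEngine, showing the same 90-day change applied to the default domain policy from the command line, followed by a report of enabled accounts whose password is already older than the new limit. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and a domain named `corp.example`, which is a hypothetical name.

```powershell
# Added example (not from the original page): set a 90-day maximum password age on the
# default domain policy and list accounts that are already past it.
# Assumptions: RSAT ActiveDirectory module, Domain Admin rights, hypothetical domain 'corp.example'.
Import-Module ActiveDirectory

$domain = 'corp.example'
$maxAge = [TimeSpan]::FromDays(90)

# Keep the minimum age at 1 day so the history setting still blocks immediate reuse.
Set-ADDefaultDomainPasswordPolicy -Identity $domain -MaxPasswordAge $maxAge -MinPasswordAge '1.00:00:00'

# Confirm the change took effect on the domain head.
Get-ADDefaultDomainPasswordPolicy -Identity $domain | Select-Object MaxPasswordAge, MinPasswordAge

# Users whose password predates the cutoff will be forced to change it at next logon.
# Listing them ahead of time lets you warn users and handle service accounts deliberately.
$cutoff = (Get-Date) - $maxAge
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false -and PasswordLastSet -lt $cutoff } `
           -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet
```

The same cutoff query, run with a `PasswordLastSet` value taken from the time of a suspected breach instead of a fixed age, gives you the list of accounts to reset after a risk event, which is the event-driven approach the answer above recommends.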