Hayden

Managing password change cycles for user accounts in an Active Directory environment is a core component of security policy. This guide covers specific methods for configuring password change cycles through Group Policy Objects (GPO).

 

1. Basic Concepts of Windows Password Policy

Password Policy Types

Password policies in Active Directory are applied in two ways:

Policy Type Scope Characteristics
Domain Policy Entire domain Applied collectively through Default Domain Policy
Fine-Grained Policy Specific users/groups Supported in Windows Server 2008 and later

Key Password Policy Settings

Setting Description Recommended Value
Maximum password age Cycle when password change is enforced (days) Not configured (0)
Minimum password age Period preventing password change after modification (days) Not configured (0)
Minimum password length Minimum number of password characters 14 characters
Enforce password history Number of previous passwords to prevent reuse 24 passwords
Complexity requirements Combination of upper/lower case, numbers, special characters Enabled

 

 

2. GUI Configuration Method

Step 1: Launch Group Policy Management Console

gpmc.msc

Or Server Manager → Tools → Group Policy Management

Step 2: Access Policy Editor

  1. Expand ForestDomainsDomain Name
  2. Right-click Group Policy ObjectsDefault Domain Policy
  3. Select Edit

Step 3: Configure Password Policy

In the Group Policy Management Editor:

Computer Configuration
└── Policies
    └── Windows Settings
        └── Security Settings
            └── Account Policies
                └── Password Policy

Step 4: Individual Policy Configuration

Maximum Password Age Configuration

  • Policy Item: “Maximum password age”
  • Setting Value:
    • 0 = No expiration (recommended)
    • 1-999 = Specify number of days

Minimum Password Age Configuration

  • Policy Item: “Minimum password age”
  • Setting Value:
    • 0 = Immediate change allowed (recommended)
    • 1-998 = Specify number of days

 

 

3. PowerShell Configuration Method

Check Current Domain Password Policy

Get-ADDefaultDomainPasswordPolicy

Modify Domain Password Policy

# Set maximum password age to 0 (no expiration)
Set-ADDefaultDomainPasswordPolicy -MaxPasswordAge "00:00:00"

# Set minimum password age to 0 (immediate change allowed)
Set-ADDefaultDomainPasswordPolicy -MinPasswordAge "00:00:00"

# Set minimum password length to 14 characters
Set-ADDefaultDomainPasswordPolicy -MinPasswordLength 14

# Set password history to 24 passwords
Set-ADDefaultDomainPasswordPolicy -PasswordHistoryCount 24

# Enable complexity requirements
Set-ADDefaultDomainPasswordPolicy -ComplexityEnabled $true

Check User Password Expiration Information

# Check single user password expiration date
(Get-ADUser -Identity "username" -Properties msDS-UserPasswordExpiryTimeComputed).'msDS-UserPasswordExpiryTimeComputed' | 
ForEach-Object {[datetime]::FromFileTime($_)}

# Query all user password expiration dates
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
-Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | 
Select-Object DisplayName, @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

 

 

4. Fine-Grained Password Policies

Windows Server 2008 and later support different password policies for specific users/groups within a domain.

Configuration via Active Directory Administrative Center

Step 1: Launch ADAC

dsac.exe

Step 2: Create Fine-Grained Password Policy

  1. Expand System container
  2. Select Password Settings Container
  3. Click NewPassword Settings in the Tasks pane

Step 3: Policy Configuration

  • Name: Policy identifier
  • Precedence: Lower numbers have higher priority
  • Password Settings: Configure according to individual requirements
  • Directly Applies To: Specify users or groups

Fine-Grained Policy Management via PowerShell

Create New Policy

New-ADFineGrainedPasswordPolicy -Name "ExecutivePolicy" `
-ComplexityEnabled $true `
-LockoutDuration "00:30:00" `
-LockoutObservationWindow "00:02:00" `
-LockoutThreshold 5 `
-MaxPasswordAge "90.00:00:00" `
-MinPasswordAge "1.00:00:00" `
-MinPasswordLength 12 `
-PasswordHistoryCount 24 `
-Precedence 10

Apply Policy to Users/Groups

Add-ADFineGrainedPasswordPolicySubject -Identity "ExecutivePolicy" -Subjects "Executives"

Check Resultant Policy per User

Get-ADUserResultantPasswordPolicy -Identity "username"

 

 

5. Policy Application and Verification

Force Policy Update

gpupdate /force

Check Policy Application Status

# Check policy results on client
gpresult /r

# Generate detailed HTML report
gpresult /h "C:\gpresult.html"

Check Policy Replication on Domain Controller

repadmin /showrepl

 

 

6. Recommended Settings

Microsoft Recommendations (Windows 10 1903 and later)

Setting Recommended Value Reason
Enforce password history 24 passwords Prevent reuse of previous passwords
Maximum password age Not configured (0) Concerns about weak password selection when forced to change
Minimum password age Not configured (0) Improve user convenience
Minimum password length 14 characters Ensure sufficient complexity
Complexity requirements Enabled Generate strong passwords
Store passwords using reversible encryption Disabled Ensure security

Security-Enhanced Organization Settings

Setting Enhanced Value Target
Minimum password length 16 characters Administrator accounts
Maximum password age 60 days Privileged users
Account lockout threshold 3 attempts All users
Account lockout duration 30 minutes All users

 

 

7. Troubleshooting

When Policy Application Fails

Cause 1: Domain Policy Location Issue

  • Solution: Password policies are only effective in Default Domain Policy

Cause 2: Group Policy Inheritance Issues

# Check policy inheritance status
Get-GPInheritance -Target "OU=Users,DC=domain,DC=com"

# Check policy link status
Get-GPO -All | Where-Object {$_.GpoStatus -eq "AllSettingsEnabled"}

Cause 3: Policy Replication Delay

# Force immediate replication
repadmin /syncall /AdeP

Resolving Per-User Policy Conflicts

# Check final policy applied to user
Get-ADUserResultantPasswordPolicy -Identity "problematic_user"

# Adjust fine-grained policy precedence
Set-ADFineGrainedPasswordPolicy -Identity "PolicyName" -Precedence 5

 

 

Related Links

 

Post Views: 17

Leave a Reply