Managing password change cycles for user accounts in an Active Directory environment is a core component of security policy. This guide covers specific methods for configuring password change cycles through Group Policy Objects (GPO).

1. Basic Concepts of Windows Password Policy

Password Policy Types

Password policies in Active Directory are applied in two ways:

Policy Type         | Scope                 | Characteristics
--------------------|-----------------------|---------------------------------------------------
Domain Policy       | Entire domain         | Applied collectively through the Default Domain Policy
Fine-Grained Policy | Specific users/groups | Supported in Windows Server 2008 and later

Key Password Policy Settings

Setting                   | Description                                                        | Recommended Value
--------------------------|--------------------------------------------------------------------|--------------------
Maximum password age      | Interval after which a password change is enforced (days)          | Not configured (0)
Minimum password age      | Period during which a password cannot be changed after being set (days) | Not configured (0)
Minimum password length   | Minimum number of characters in a password                         | 14 characters
Enforce password history  | Number of previous passwords that cannot be reused                 | 24 passwords
Complexity requirements   | Combination of upper/lower case, numbers and special characters    | Enabled

2. GUI Configuration Method

Step 1: Launch Group Policy Management Console

gpmc.msc

Or Server Manager → Tools → Group Policy Management

Step 2: Access Policy Editor

  1. Expand Forest → Domains → <Domain Name>
  2. Right-click Group Policy Objects → Default Domain Policy
  3. Select Edit

Step 3: Configure Password Policy

In the Group Policy Management Editor:

Computer Configuration
└── Policies
    └── Windows Settings
        └── Security Settings
            └── Account Policies
                └── Password Policy

Step 4: Individual Policy Configuration

Maximum Password Age Configuration

  • Policy Item: “Maximum password age”
  • Setting Value:
    • 0 = No expiration (recommended)
    • 1-999 = Specify number of days

Minimum Password Age Configuration

  • Policy Item: “Minimum password age”
  • Setting Value:
    • 0 = Immediate change allowed (recommended)
    • 1-998 = Specify number of days

3. PowerShell Configuration Method

Check Current Domain Password Policy

Get-ADDefaultDomainPasswordPolicy

Modify Domain Password Policy

# Set-ADDefaultDomainPasswordPolicy requires -Identity: pass the domain name (domain.com here, as in the later examples)
# Note: the PDC emulator re-applies the Default Domain Policy GPO to these domain attributes,
# so make the same change in the GPO (section 2) or the values set here will revert.
$domain = "domain.com"

# Set maximum password age to 0 (no expiration)
Set-ADDefaultDomainPasswordPolicy -Identity $domain -MaxPasswordAge "00:00:00"

# Set minimum password age to 0 (immediate change allowed)
Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordAge "00:00:00"

# Set minimum password length to 14 characters
Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordLength 14

# Set password history to 24 passwords
Set-ADDefaultDomainPasswordPolicy -Identity $domain -PasswordHistoryCount 24

# Enable complexity requirements
Set-ADDefaultDomainPasswordPolicy -Identity $domain -ComplexityEnabled $true

Check User Password Expiration Information

# Check single user password expiration date
(Get-ADUser -Identity "username" -Properties msDS-UserPasswordExpiryTimeComputed).'msDS-UserPasswordExpiryTimeComputed' | 
ForEach-Object {[datetime]::FromFileTime($_)}

# Query all user password expiration dates
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
-Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | 
Select-Object DisplayName, @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
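The one-liners above hand msDS-UserPasswordExpiryTimeComputed straight to FromFileTime, which throws when the password never expires (the very state a maximum password age of 0 produces) and yields a meaningless 1601 date when the user must change the password at next logon. The script below is an added example, not part of the original guide; it assumes a 14-day warning window and reports each enabled account's expiry state.

```powershell
# Added example (not from the original guide): expiry report that handles the
# sentinel values AD returns instead of a real expiry time.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param(
        [int]$WarnDays = 14   # assumed warning window: flag passwords expiring within this many days
    )
    # AD returns Int64.MaxValue (0x7FFFFFFFFFFFFFFF) when the password never expires
    # (PasswordNeverExpires set, or the effective MaxPasswordAge is 0) and 0 when the
    # user must change the password at next logon; neither is a valid FILETIME date.
    $never = [int64]::MaxValue
    $now   = Get-Date
    Get-ADUser -Filter { Enabled -eq $true } `
        -Properties DisplayName, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw    = $_.'msDS-UserPasswordExpiryTimeComputed'
        $expiry = $null
        if ($null -eq $raw -or $raw -eq $never) {
            $status = 'NeverExpires'
        } elseif ($raw -eq 0) {
            $status = 'MustChangeAtNextLogon'
        } else {
            $expiry = [datetime]::FromFileTime($raw)
            if ($expiry -lt $now) { $status = 'Expired' }
            elseif ($expiry -lt $now.AddDays($WarnDays)) { $status = 'ExpiringSoon' }
            else { $status = 'OK' }
        }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            DisplayName     = $_.DisplayName
            PasswordLastSet = $_.PasswordLastSet
            ExpiryDate      = $expiry
            Status          = $status
        }
    }
}

# Summary per status, then the accounts that need attention first
$report = Get-PasswordExpiryReport
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Status -in 'Expired', 'ExpiringSoon', 'MustChangeAtNextLogon' } |
    Sort-Object ExpiryDate | Format-Table -AutoSize
```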

4. Fine-Grained Password Policies

Windows Server 2008 and later support different password policies for specific users/groups within a domain.

Configuration via Active Directory Administrative Center

Step 1: Launch ADAC

dsac.exe

Step 2: Create Fine-Grained Password Policy

  1. Expand the System container
  2. Select Password Settings Container
  3. Click New → Password Settings in the Tasks pane

Step 3: Policy Configuration

  • Name: Policy identifier
  • Precedence: Lower numbers have higher priority
  • Password Settings: Configure according to individual requirements
  • Directly Applies To: Specify users or groups

Fine-Grained Policy Management via PowerShell

Create New Policy

New-ADFineGrainedPasswordPolicy -Name "ExecutivePolicy" `
-ComplexityEnabled $true `
-LockoutDuration "00:30:00" `
-LockoutObservationWindow "00:02:00" `
-LockoutThreshold 5 `
-MaxPasswordAge "90.00:00:00" `
-MinPasswordAge "1.00:00:00" `
-MinPasswordLength 12 `
-PasswordHistoryCount 24 `
-Precedence 10

Apply Policy to Users/Groups

Add-ADFineGrainedPasswordPolicySubject -Identity "ExecutivePolicy" -Subjects "Executives"

Check Resultant Policy per User

Get-ADUserResultantPasswordPolicy -Identity "username"

5. Policy Application and Verification

Force Policy Update

gpupdate /force

Check Policy Application Status

# Check policy results on client
gpresult /r

# Generate detailed HTML report
gpresult /h "C:\gpresult.html"

Check Policy Replication on Domain Controller

repadmin /showrepl

6. Recommended Settings

Microsoft Recommendations (Windows 10 1903 and later)

Setting                                       | Recommended Value  | Reason
----------------------------------------------|--------------------|------------------------------------------------------------
Enforce password history                      | 24 passwords       | Prevent reuse of previous passwords
Maximum password age                          | Not configured (0) | Forced changes lead users to choose weak passwords
Minimum password age                          | Not configured (0) | Improve user convenience
Minimum password length                       | 14 characters      | Ensure sufficient complexity
Complexity requirements                       | Enabled            | Generate strong passwords
Store passwords using reversible encryption   | Disabled           | Ensure security

Security-Enhanced Organization Settings

Setting                    | Enhanced Value | Target
---------------------------|----------------|-----------------------
Minimum password length    | 16 characters  | Administrator accounts
Maximum password age       | 60 days        | Privileged users
Account lockout threshold  | 3 attempts     | All users
Account lockout duration   | 30 minutes     | All users
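Get-ADUserResultantPasswordPolicy (section 4) returns nothing when no fine-grained policy applies, so a check that stops there tells you nothing about most accounts. The script below is an added example, not part of the original guide: it resolves the policy actually in force for an account, falling back to the domain default, and compares it with the recommended values from the table above, which it assumes as the organisation's baseline; 'username' is a placeholder.

```powershell
# Added example (not from the original guide): effective policy per user, checked
# against the recommended baseline.
Import-Module ActiveDirectory

# Baseline taken from the recommended-settings table; assumed as the target
$RecommendedBaseline = @{
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MaxPasswordAge              = [TimeSpan]::Zero   # 0 = not configured (no expiry)
}

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$Identity)
    # No fine-grained policy for this user means the domain default policy is in force
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($null -ne $fgpp) { return $fgpp }
    return Get-ADDefaultDomainPasswordPolicy
}

function Test-PasswordPolicyBaseline {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [hashtable]$Baseline = $RecommendedBaseline
    )
    $policy = Get-EffectivePasswordPolicy -Identity $Identity
    # Only fine-grained policy objects carry a Precedence property
    $source = if ($policy.PSObject.Properties.Name -contains 'Precedence') {
        "FGPP '$($policy.Name)' (precedence $($policy.Precedence))"
    } else { 'Default Domain Policy' }
    foreach ($setting in $Baseline.Keys) {
        $actual   = $policy.$setting
        $expected = $Baseline[$setting]
        # Length and history are minimums; the other settings must match exactly
        $ok = if ($setting -in 'MinPasswordLength', 'PasswordHistoryCount') { $actual -ge $expected }
              else { $actual -eq $expected }
        [pscustomobject]@{
            User = $Identity; Source = $source; Setting = $setting
            Actual = $actual; Expected = $expected; Compliant = $ok
        }
    }
}

Test-PasswordPolicyBaseline -Identity 'username' | Format-Table -AutoSize
```

Run it against a member of the group a fine-grained policy is applied to and against an ordinary user to see which policy each one actually gets.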

7. Troubleshooting

When Policy Application Fails

Cause 1: Domain Policy Location Issue

  • Solution: Domain password policy settings only take effect in the Default Domain Policy; the same settings in a GPO linked to an OU do not apply to domain accounts

Cause 2: Group Policy Inheritance Issues

# Check policy inheritance status
Get-GPInheritance -Target "OU=Users,DC=domain,DC=com"

# List GPOs whose settings are fully enabled (a GPO with disabled settings will not apply)
Get-GPO -All | Where-Object {$_.GpoStatus -eq "AllSettingsEnabled"}

Cause 3: Policy Replication Delay

# Force immediate replication
repadmin /syncall /AdeP

Resolving Per-User Policy Conflicts

# Check final policy applied to user
Get-ADUserResultantPasswordPolicy -Identity "problematic_user"

# Adjust fine-grained policy precedence
Set-ADFineGrainedPasswordPolicy -Identity "PolicyName" -Precedence 5
