Configuring domain user password policy
The domain user password policy applies to all users in the domain except where
specific Password Settings Objects (PSOs) have been assigned. You can set the Default
Domain Password Policy by using the Group Policy Management Console (GPMC) or the
Set-ADDefaultDomainPasswordPolicy cmdlet.
To set the Default Domain Password Policy by using the GPMC, follow these steps:
1. Open the GPMC and select Default Domain Policy in the Group Policy Objects
container for the domain.
2. Click the Settings tab to see the current settings.
3. Right-click the Default Domain Policy and select Edit from the menu to open the
Group Policy Management Editor.
4. Navigate to
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Settings.
The six settings are shown in Table 5-4.
TABLE 5-4 Default Domain Password Policy settings

Policy: Description

Enforce Password History: Sets the number of unique passwords associated with an
account before one can be repeated. Default is 24 in Windows Server 2012 R2.
Minimum value is 0; maximum is 24.

Maximum Password Age: Sets the maximum time a password can be used, in days. When
set to 0, passwords never expire. Maximum value is 999 days. The value of Maximum
Password Age must be greater than the value of Minimum Password Age. The default
value is 42 days.

Minimum Password Age: The minimum time between password changes, in days. If it is
set to 0, users can change passwords immediately after they have changed their
password. The Minimum Password Age must be set to less than the Maximum Password
Age unless the Maximum Password Age is set to 0, meaning that passwords never
expire. The default value is one day.

Minimum Password Length: Sets the minimum number of characters in a password. If
set to 0, no password is required. The minimum password length can be set from 0 to
14 characters. The default on domain controllers is 7 characters and 0 on
stand-alone servers.

Passwords Must Meet Complexity Requirements: Enabled by default. When enabled,
passwords must meet the following requirements:
  - No more than two consecutive characters of the user's account name or full name
  - At least six characters long
  - Contain characters from each of the four categories: uppercase (A-Z),
    lowercase (a-z), digits (0-9), non-alphanumeric ($, #, %, !)

Store Passwords Using Reversible Encryption: Disabled by default. When enabled,
passwords are stored in plain text. Some applications might require this setting,
but it should be enabled only when security is less important than the application.
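
The following PowerShell is an added example, not code from the original text: it checks a policy object against the ranges and ordering rules in Table 5-4 before any change is applied with Set-ADDefaultDomainPasswordPolicy. Test-DomainPasswordPolicy is a hypothetical helper name, the sample object is constructed, and corp.example is a placeholder domain.

```powershell
# Added example: audit a password policy object against the limits in Table 5-4.
# Test-DomainPasswordPolicy is a hypothetical helper, not a built-in cmdlet.
function Test-DomainPasswordPolicy {
    param([Parameter(Mandatory)] $Policy)

    $findings = @()
    $maxDays = $Policy.MaxPasswordAge.TotalDays
    $minDays = $Policy.MinPasswordAge.TotalDays

    if ($Policy.PasswordHistoryCount -lt 0 -or $Policy.PasswordHistoryCount -gt 24) {
        $findings += 'PasswordHistoryCount is outside 0-24'
    }
    if ($maxDays -lt 0 -or $maxDays -gt 999) {
        $findings += 'MaxPasswordAge is outside 0-999 days'
    }
    # A maximum age of 0 means passwords never expire; otherwise min must be below max.
    if ($maxDays -ne 0 -and $minDays -ge $maxDays) {
        $findings += 'MinPasswordAge must be less than MaxPasswordAge'
    }
    if ($minDays -eq 0) {
        $findings += 'MinPasswordAge is 0: users can change passwords again immediately'
    }
    if ($Policy.MinPasswordLength -lt 0 -or $Policy.MinPasswordLength -gt 14) {
        $findings += 'MinPasswordLength is outside 0-14'
    } elseif ($Policy.MinPasswordLength -eq 0) {
        $findings += 'MinPasswordLength is 0: no password is required'
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'Complexity requirements are disabled'
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'Reversible encryption is enabled'
    }
    $findings
}

# Constructed sample using the property names Get-ADDefaultDomainPasswordPolicy returns.
$sample = [pscustomobject]@{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = New-TimeSpan -Days 42
    MinPasswordAge              = New-TimeSpan -Days 0
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $true
}
Test-DomainPasswordPolicy -Policy $sample

# On a domain-joined host with the ActiveDirectory module (corp.example is a placeholder):
# Test-DomainPasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
# Set-ADDefaultDomainPasswordPolicy -Identity corp.example -MinPasswordAge 1.00:00:00 -ReversibleEncryptionEnabled $false
```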