Account Policies must be linked to the domain for these policies to have any effect. If a GPO linked to an OU has settings configured in Account Policies, they are essentially ignored, so all account policies should be placed in GPOs linked to the domain. The Default Domain Policy is configured with default account policy settings, and many administrators keep all account policies in this GPO. Account Policies contains three subnodes:
Password Policy — Contains the following policies that control password properties:
• Enforce password history: Contains a value between 0 and 24 (the default), which indicates how many passwords Windows remembers before a user can reuse a password. A value of 0 means Windows doesn't keep a password history. To keep users from changing their password many times in succession to skirt this policy, you should also set the Minimum password age policy.
• Maximum password age: A value between 0 and 999 indicates how many days a user can use a password before having to change it. If a user doesn't change his or her password within the required number of days, the password expires and the user can't log on until the password is changed. A value of 0 means the password never expires. The default is 42 days.
• Minimum password age: A value between 0 and 998 indicates how many days must elapse before a user can make successive password changes. A value of 0 means users can change their passwords as often as they want. The default is 1.
• Minimum password length: A value between 0 and 14 indicates the minimum number of characters a user's password must contain. A 0 means blank passwords are allowed. The default is 7.
• Password must meet complexity requirements: If enabled (the default setting), a user's password must meet certain requirements: at least six characters (or the Minimum password length policy, whichever is longer); doesn't contain more than two consecutive characters found in the user's account name or full name; and must contain characters from three of these categories: uppercase letters, lowercase letters, numbers, and special characters ($, @, !, #, and so on).
• Store passwords using reversible encryption: If enabled, passwords are stored with a method that's essentially plaintext and not secure. This policy should be set only if a critical application requires access to user passwords for authentication purposes. The default is disabled.
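The complexity requirement above, written out as a checker so the three rules can be seen together (an added illustration of the rule as this page describes it, not Windows's own password filter; the account name, full name and sample passwords are constructed, and treating "more than two consecutive characters" as any three-character run of the name is this example's reading of the wording):

```python
import string

SPECIALS = set(string.punctuation)  # $, @, !, # and so on


def meets_complexity(password: str, account_name: str, full_name: str = "",
                     min_password_length: int = 7) -> tuple[bool, list[str]]:
    """Check a candidate password against the complexity requirement as the
    page describes it. Returns (ok, reasons) so a caller can report exactly
    why a password was rejected. Illustration only, not Windows's own routine."""
    reasons = []

    # Length rule: at least six characters, or the Minimum password length
    # policy (default 7) if that is longer.
    required = max(6, min_password_length)
    if len(password) < required:
        reasons.append(f"shorter than {required} characters")

    # Category rule: characters from at least three of the four categories.
    categories = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    if sum(categories.values()) < 3:
        reasons.append("fewer than three character categories")

    # Name rule (this example's reading of the page): no run of three
    # consecutive characters from the account name or any word of the full
    # name may appear in the password, compared case-insensitively.
    lowered = password.lower()
    for name in (account_name, full_name):
        for token in name.lower().split():
            for i in range(len(token) - 2):
                if token[i:i + 3] in lowered:
                    reasons.append(f"contains part of the name ({token[i:i + 3]!r})")
                    break

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: a domain user jsmith / John Smith under the defaults.
    for candidate in ("Winter2024!", "Smith123", "password", "Ab1!"):
        ok, why = meets_complexity(candidate, "jsmith", "John Smith")
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```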
Account Lockout Policy — Contains the following policies that control user account lockout:
• Account lockout duration: Contains a value between 0 and 99999 that indicates how many minutes a user's account stays locked, and therefore can't be used for logon, after the "Account lockout threshold" setting is exceeded. The account is unlocked automatically after this number of minutes passes. A value of 0 means the account remains locked until an administrator unlocks it. The default is Not defined, because this setting has meaning only when the Account lockout threshold is defined and is not zero. After the Account lockout threshold is defined with a nonzero value, the suggested setting is 30.
• Account lockout threshold: Contains a value between 0 and 999 that determines how many times a user's password can be entered incorrectly before the account is locked out. The default is 0.
• Reset account lockout counter after: Contains a value between 1 and 99999 that indicates the number of minutes that must elapse between failed logon attempts before the failed logon attempt counter is reset to 0. The default is Not defined, because this setting has meaning only when the Account lockout threshold is defined and is not zero. When Account lockout threshold is defined with a nonzero value, the suggested setting is 30.