Microsoft Active Directory (AD) password policies sit at the very foundation of an enterprise’s cybersecurity strategy. Each connected device represents an entry point into your network, and protecting those endpoints with reasonably strong passwords is the first reliable line of defense against cyberattacks. AD lets you enforce standards for the passwords employees use, requiring a certain number and/or variety of characters in every password they create.
But getting control over password policies isn’t always the easiest or most intuitive thing for a security professional to do. It may be simple enough to set default protections like “Password must meet complexity requirements,” but going beyond the default options is harder. Common questions include: What are AD password policy best practices? How do you develop specific permissions and protections for different users or groups of users? How do you get visibility into everyone’s access rights? What is password complexity, and what levels of password complexity are right for which user groups?
No matter how experienced you are in enterprise security, it can be helpful to re-examine the basics to look for steps you can take to better tailor your AD password policy to the needs of your enterprise. Let’s clear up some common misconceptions, go over some AD password policy best practices, and start ensuring that all your users are protected.
How do I disable password policy?
Disabling your current password policy rules is straightforward through the Group Policy Objects option in Windows. If your current policy is proving too difficult for users or resulting in a lot of additional help desk calls, you can either edit your policy or disable it entirely with a few simple steps.
In Windows, go to either the Group Policy Management or Active Directory Users console and you’ll see all Group Policy Objects (GPOs) currently linked at the domain level. Find the GPO you use to create and enforce your domain password policy (if you haven’t done this before, it’s likely Default Domain Policy GPO) and right-click it, then click Edit.
Now open Computer Configuration and click Policies, or go directly to Windows Settings. From there, select Security Settings, Account Policies, then Password Policy. Here you’ll see the GPO Editor with two panes. Find “Enforce password history” in the right-hand pane, type 0 in the text box, then click OK. Do the same for “Maximum password age,” “Minimum password age,” and “Minimum password length.” Double-click “Password must meet complexity requirements” in that same right pane, select Disabled, then click OK.
What are password complexity requirements?
Certain kinds of passwords are particularly easy for a dedicated hacker to obtain because they lack complexity. Complexity is measured according to how difficult it would be for a hacker to guess a user’s password using obvious information like their name, or to break into their account using a brute force attack. A good example of a password complexity requirement is one that ensures all passwords are at least eight characters long.
Complexity requirements must strike a careful balance: they should be stringent enough to ward off all but the most dedicated cybercriminals, but not so strict that they frustrate users and flood the help desk with calls. It’s best practice to use some form of password complexity requirement. If the default AD settings are either too strict or not strict enough for your needs, replace the policy rather than simply disabling it.
What is password complexity in Group Policy Objects?
Group Policy Objects represent specific groups of users for whom you can set specific password requirements, in much the same way that you grant different groups of users different levels of access to company assets. Creating more onerous Active Directory password complexity requirements for those users with access to more sensitive information, while asking less of the majority of your users, is a great way to minimize the impact on help centers while protecting your most valuable data.
GPOs allow you to perform a number of security functions, including disabling Local Administrator rights, granting administrative permissions to specific individuals or groups, and disabling outdated protocols like SSLv2. GPOs also make management far easier from a security perspective.
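The two preceding sections describe replacing (not just disabling) the domain password policy and applying stricter rules to users who handle sensitive data. The PowerShell below is an added example, not code from the original article; it assumes the ActiveDirectory module (RSAT) and an account permitted to change domain password settings. It uses the documented fact that the domain-wide settings live in the domain-linked GPO (read and written here through Get-/Set-ADDefaultDomainPasswordPolicy), while per-group differentiation is done with a fine-grained password policy (PSO), which binds to users or global security groups. The numeric values and the “PSO-PrivilegedUsers” name are illustrative choices, not settings the article prescribes.

```powershell
# Added example: inspect, tighten, and differentiate AD password policy.
# Assumes the ActiveDirectory module and rights to modify domain settings.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 1. Read what the domain-linked GPO currently enforces before changing anything.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                  MinPasswordAge, MaxPasswordAge, LockoutThreshold

# 2. Replace rather than disable: keep complexity on and tighten the baseline
#    that applies to every user in the domain (values are illustrative).
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 3. Stricter rules only for privileged accounts via a fine-grained password
#    policy (PSO). PSOs apply to users and global security groups; when several
#    PSOs cover one user, the lowest Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name "PSO-PrivilegedUsers" `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 180) `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-PrivilegedUsers" `
    -Subjects "Domain Admins", "Schema Admins"

# 4. Verify which policy actually governs a given account ("jsmith" is a
#    constructed name). Returns the effective PSO, or nothing when only the
#    default domain policy applies to that user.
Get-ADUserResultantPasswordPolicy -Identity "jsmith"
```

Run step 1 first and keep its output: it is the record of what you changed, and the Get-ADUserResultantPasswordPolicy check in step 4 is the quickest way to confirm that a sensitive account really picked up the PSO rather than the domain default.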
What is the default password policy for AD?
For all versions of Windows software since Windows 2000, default Active Directory password complexity requirements are simple: the user can’t use their own name and has to include different types of characters.
First, a user’s password can’t contain their Account Name or their Full Name. Just like “Password1234,” a password that repeats or slightly modifies your account name is incredibly easy for hackers to guess. This check is skipped if the user’s Account Name or Full Name is less than three characters long. If you have an initial in your Full Name, for example, you won’t be prohibited from using that letter in your password.
Second, passwords have to contain characters from several different categories: uppercase letters; lowercase letters; digits 0-9; special characters like !, &, %, $, or #; and Unicode characters. Under Windows 10’s default password complexity requirements, every password must contain characters from at least three of these categories. This rule, along with the requirement that passwords be at least eight characters long, makes it far harder to break into an account using a brute force attack. Hackers would have to run through at least 218,340,105,584,896 different possibilities in order to gain a single password.
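To make the default rules concrete, here is an added Python example (not code from the article or from Microsoft) that evaluates a candidate password against the three checks described above: minimum length, no account-name or full-name content, and at least three of the five character categories. The name check follows Microsoft’s documented behaviour of splitting the display name on commas, periods, dashes, underscores, spaces, pound signs and tabs and ignoring tokens shorter than three characters; the “special” category is simplified to ASCII punctuation. The user name “jsmith”/“John Smith” and the candidate passwords are constructed. The last function shows where the figure quoted above comes from: 218,340,105,584,896 is exactly 62^8, the number of eight-character strings built from letters and digits alone.

```python
import string

# Delimiters on which AD splits the display name before checking tokens;
# tokens shorter than three characters are not checked (Microsoft docs).
NAME_DELIMITERS = ",.-_ #\t"


def name_tokens(full_name: str) -> list[str]:
    """Split a full (display) name into lower-case tokens of 3+ characters."""
    tokens = [full_name]
    for delim in NAME_DELIMITERS:
        tokens = [piece for tok in tokens for piece in tok.split(delim)]
    return [tok.lower() for tok in tokens if len(tok) >= 3]


def contains_name(password: str, account_name: str, full_name: str) -> bool:
    """True if the password embeds the account name (when it is 3+ chars)
    or any 3+ character token of the full name, case-insensitively."""
    pw = password.lower()
    if len(account_name) >= 3 and account_name.lower() in pw:
        return True
    return any(tok in pw for tok in name_tokens(full_name))


def character_categories(password: str) -> set[str]:
    """Return the set of complexity categories present in the password."""
    cats = set()
    for ch in password:
        if ch in string.digits:
            cats.add("digit")
        elif ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isalpha():
            cats.add("unicode")   # alphabetic but neither upper nor lower (e.g. CJK)
        elif ch in string.punctuation:
            cats.add("special")   # simplification: ASCII punctuation only
    return cats


def meets_complexity(password: str, account_name: str, full_name: str,
                     min_length: int = 8) -> tuple[bool, list[str]]:
    """Apply the default AD complexity rules; returns (ok, list of reasons)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if contains_name(password, account_name, full_name):
        reasons.append("contains account name or part of full name")
    cats = character_categories(password)
    if len(cats) < 3:
        reasons.append(f"only {len(cats)} character categories, need 3")
    return (not reasons, reasons)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed sample user and candidate passwords (not real accounts).
    samples = [
        "Password1234",   # passes every rule, yet is among the first guesses tried
        "JSmith!2024x",   # rejected: embeds the account name
        "abcdefg1",       # rejected: only two categories
        "Jo!2024xyz",     # accepted: "Jo" is under 3 chars, so not checked
    ]
    for pw in samples:
        ok, why = meets_complexity(pw, "jsmith", "John Smith")
        print(f"{pw!r:16} -> {'OK' if ok else 'REJECT: ' + '; '.join(why)}")
    print("62^8 =", keyspace(26 + 26 + 10, 8))
```

Note that “Password1234” satisfies all three rules, which is exactly the point the section makes: the complexity setting blocks the name-based and single-category cases, but a minimum length and category count alone do not stop predictable passwords, so pair them with the stricter per-group policies and banned-password controls discussed elsewhere on this page.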