Saturday, August 17, 2013

Configuring Password Policy Settings in an Active Directory

Implementing Password Policy Settings Step-by-Step
  • Credentials: You must be logged on as a member of the Domain Admins group.
  • Tools: Active Directory Users and Computers.
  • To implement password policy on computer systems that belong to an Active Directory domain
    1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
    2. Right-click the root container for the domain:
      Active Directory Users and Computers

      Note: Screen shots in this document reflect a test environment and the information might differ from the information displayed on your screen.
    3. Select Properties from the menu that appears:
      Active Directory Users and Computers
    4. In the properties dialog box for your domain, click the Group Policy tab, and then click New to create a new Group Policy object in the root container. Type "Domain Policy" for the name of the new policy and then click Close.
      Note: Microsoft recommends that you create a new Group Policy object rather than editing the built-in one called Default Domain Policy because doing so makes it much easier to recover from serious problems with security settings. If the new security settings create problems, you can temporarily disable the new Group Policy object until you isolate the settings that caused the problems.
    5. Right-click the root container for the domain, and then click Properties.
    6. In the properties dialog box, click the Group Policy tab, and then select Domain Policy.
    7. Click Up to move the new GPO to the top of the list, and then click Edit to open the Group Policy Object Editor for the GPO you just created.
    8. Under Computer Configuration, navigate to the Windows Settings\Security Settings\Account Policies\Password Policy folder.
      Group Policy Object Editor
    9. In the details pane, double-click Enforce password history, select the Define this policy setting check box, set the value of Keep password history to 24, and then click OK.
      Enforce password history Properties
    10. In the details pane, double-click Maximum password age, select the Define this policy setting check box, set the value of Password will expire in to 42, click OK, and then click OK to close the Suggested Value Changes window that appears.
      Maximum password age Properties
    11. In the details pane, double-click Minimum Password Age, select the Define this policy setting check box, set the value of Password can be changed after to 2, and then click OK.
      Minimum password age Properties
    12. In the details pane, double-click Minimum Password Length, select the Define this policy setting check box, set the value of Password must be at least to 8, and then click OK.
      Minimum Password Length Properties
    13. In the details pane, double-click Password must meet complexity requirements, select the Define this policy setting in the template check box, select Enabled, and then click OK.
      Password must meet complexity requirements Properties
    14. Close the Group Policy Object Editor, click OK to close your domain's properties dialog box, and then exit Active Directory Users and Computers.

Verifying New Settings

Use the following procedure to verify that the appropriate password policy settings are applied and effective in the Domain Policy GPO. Verifying the settings and their operation ensures that the correct password policies will be applied to all users in the domain.
Requirements
  • Credentials: You must be logged on as a member of the Domain Admins group.
  • Tools: Active Directory Users and Computers.
  • To verify password policy settings for an Active Directory domain
    1. Open Active Directory Users and Computers, right-click your domain, and then click Properties.
    2. In the properties dialog box for your domain, click the Group Policy tab, select the Domain Policy GPO, and then click Edit to open the Group Policy Object Editor.
    3. Under Computer Configuration, go to the Windows Settings\Security Settings\Account Policies\Password Policy folder, and verify that your settings match the settings shown here:
      Group Policy Object Editor
    4. Close the Group Policy Object Editor, click OK to close the properties dialog box for your domain, and then exit Active Directory Users and Computers.
    5. Verify that users cannot specify passwords that are shorter than 8 characters, that they cannot create non-complex passwords, and that they cannot immediately change their new passwords.
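
The same verification can be scripted. The following PowerShell is an added example, not part of the original procedure: it compares a policy object against the values set in steps 9-13 and reports each setting that deviates. It assumes the ActiveDirectory module (Get-ADDefaultDomainPasswordPolicy) is available for the live check; the function name, variable names and sample object are hypothetical.

```powershell
# Expected values are the ones set in steps 9-13 of this page.
# Function and variable names are hypothetical (added example).
$Baseline = [ordered]@{
    PasswordHistoryCount = 24     # Enforce password history
    MaxPasswordAgeDays   = 42     # Maximum password age
    MinPasswordAgeDays   = 2      # Minimum password age
    MinPasswordLength    = 8      # Minimum password length
    ComplexityEnabled    = $true  # Password must meet complexity requirements
}

function Test-PasswordPolicyBaseline {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        [System.Collections.IDictionary] $Expected = $Baseline
    )
    process {
        # The cmdlet reports ages as TimeSpan values; normalise to whole days.
        $actual = @{
            PasswordHistoryCount = [int]($Policy.PasswordHistoryCount)
            MaxPasswordAgeDays   = [int]($Policy.MaxPasswordAge.TotalDays)
            MinPasswordAgeDays   = [int]($Policy.MinPasswordAge.TotalDays)
            MinPasswordLength    = [int]($Policy.MinPasswordLength)
            ComplexityEnabled    = [bool]($Policy.ComplexityEnabled)
        }
        foreach ($name in $Expected.Keys) {
            [pscustomobject]@{
                Setting  = $name
                Expected = $Expected[$name]
                Actual   = $actual[$name]
                Match    = ($actual[$name] -eq $Expected[$name])
            }
        }
    }
}

# Constructed sample: minimum age left at 0 days, everything else as on this page.
$sample = [pscustomobject]@{
    PasswordHistoryCount = 24
    MaxPasswordAge       = New-TimeSpan -Days 42
    MinPasswordAge       = New-TimeSpan -Days 0
    MinPasswordLength    = 8
    ComplexityEnabled    = $true
}
$sample | Test-PasswordPolicyBaseline | Format-Table -AutoSize

# Live domain (needs the ActiveDirectory module); prints only deviations:
# Get-ADDefaultDomainPasswordPolicy | Test-PasswordPolicyBaseline | Where-Object { -not $_.Match }
```

With the constructed sample, every row matches except MinPasswordAgeDays, which is the setting that stops users from changing a new password immediately.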