Active Directory 2008: Group Policy Account Policy Facts

Account policies control passwords and login properties.

  • Password Policy settings control the characteristics enforced for user passwords. Account Lockout Policy settings control what happens when a user enters one (or more) incorrect passwords.
  • Settings in the local GPO are used if the computer is a member of a workgroup. Settings in the domain GPO are used for computers that are members of a domain.
  • Policy settings are applied to the computer, not the user.
  • Although you can configure Account Policies settings in any GPO, only the settings configured in a GPO linked to the domain take effect.
  • To configure different account policy settings for different users, use one of the following strategies:
    • Configure fine-grained (granular) password policies, available at the Windows Server 2008 domain functional level.
    • Create different domains, moving objects with different password policy requirements into their respective domains.

The following describes the Password Policy and Account Lockout Policy settings.

Password Policy

  • Enforce password history: keeps a history of user passwords (up to 24) so that users cannot reuse passwords. When set to 0, users are not forced to enter new passwords. You must configure a maximum password age for this setting to take effect.
  • Maximum password age: forces the user to change the password after a given length of time. Setting this value to 0 means that the password never expires.
  • Minimum password age: forces the user to keep a new password for the specified period of time. This prevents users from changing passwords immediately after resetting them and thereby circumventing the password history by entering several passwords in a row to get back to a preferred password. The value must be less than the maximum age and should be greater than 0; a setting of 0 allows the user to reset the password immediately.
  • Minimum password length: configures how many characters a valid password must have.
  • Password must meet complexity requirements: enforcing password complexity requires that user passwords cannot contain the user's account name, the user's full name, the company name, or a complete dictionary word. The password must also contain characters from at least three of the four categories: lowercase letters, uppercase letters, numbers, or symbols (such as !, @, #, $, %, ^, &, *).
  • Store passwords using reversible encryption: determines how passwords are stored within Active Directory and on the local system. For best security, this policy should be disabled, meaning that passwords are not stored with reversible encryption. Enable it only if you have specific applications that require reversible encryption in order to verify user passwords.

Account Lockout Policy

  • Account lockout duration: identifies how long a locked account remains locked. When the time period expires, the account is unlocked automatically. When set to 0, the account is never unlocked automatically, and an administrator must unlock it.
  • Account lockout threshold: configures how many incorrect passwords can be entered before the account is locked.
  • Reset account lockout counter after: specifies the amount of time (in minutes) that passes after a failed logon attempt before the bad-password counter resets to zero. For example, if this value is set to 5 and the account lockout threshold is set to 3, the user can enter 2 incorrect passwords within a 5 minute interval without the account being locked. After 5 minutes have passed, the user can make additional incorrect logon attempts.

Be aware of the following facts when managing account policies:

  • If an account has been locked out because the user has forgotten the password, you will need to reset (change) the password. You should also force a password change at next logon.
  • The user account setting Password never expires overrides any other requirement for changing passwords configured in a GPO. Service accounts should have this option enabled and should use strong passwords, but no other type of account should have this setting enabled (including administrators).
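An added audit script (not part of the original notes) that checks the default domain policy against the facts above and applies the locked-out-user procedure, using the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2 / RSAT; the function names Test-AccountPolicy, Get-NeverExpiringAccounts and Reset-ForgottenPassword are my own.

```powershell
# Added example: audit the default domain account policy and remediate a
# locked-out user who forgot the password. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT); the function names here are assumed, not Microsoft's.
Import-Module ActiveDirectory

function Test-AccountPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    # A "never expires" maximum age comes back as a zero or negative TimeSpan.
    $maxAgeNever = $p.MaxPasswordAge.TotalDays -le 0
    if ($p.PasswordHistoryCount -gt 0 -and $maxAgeNever) {
        $findings += 'Password history is set, but MaxPasswordAge is 0, so history is not enforced.'
    }
    if ($p.MinPasswordAge.TotalMinutes -le 0) {
        $findings += 'MinPasswordAge is 0; users can cycle passwords straight back to a preferred one.'
    }
    if (-not $maxAgeNever -and $p.MinPasswordAge -ge $p.MaxPasswordAge) {
        $findings += 'MinPasswordAge must be less than MaxPasswordAge.'
    }
    if (-not $p.ComplexityEnabled)     { $findings += 'Password complexity is disabled.' }
    if ($p.ReversibleEncryptionEnabled) { $findings += 'Reversible encryption is enabled; disable it unless an application requires it.' }
    if ($p.LockoutThreshold -eq 0)      { $findings += 'LockoutThreshold is 0; accounts never lock out.' }
    elseif ($p.LockoutDuration.TotalMinutes -le 0) {
        $findings += 'LockoutDuration is 0; every lockout needs an administrator to unlock it.'
    }
    return $findings
}

# "Password never expires" bypasses the GPO maximum age; only service accounts should appear here.
function Get-NeverExpiringAccounts {
    Search-ADAccount -PasswordNeverExpires -UsersOnly | Where-Object { $_.Enabled } |
        Select-Object SamAccountName, DistinguishedName
}

# Locked out because the password was forgotten: unlock, reset the password,
# then force the user to change it at next logon.
function Reset-ForgottenPassword {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)
    $newPassword = Read-Host -AsSecureString 'Temporary password'
    Unlock-ADAccount -Identity $SamAccountName
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
}

Test-AccountPolicy
Get-NeverExpiringAccounts
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
```

Run it from an account with rights to read the domain policy; Reset-ForgottenPassword additionally needs password-reset rights on the target user.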
