Account policies control passwords and login properties.
- Password Policy settings control the characteristics enforced for user passwords (age, length, history, complexity, storage). Account Lockout Policy settings control what happens after a user enters incorrect passwords.
- Settings in the local GPO are used if the computer is a member of a workgroup. Settings in the domain GPO are used for computers that are members of a domain.
- Policy settings are applied to the computer, not the user.
- Although you can configure Account Policies settings in any GPO, for domain accounts only the settings in a GPO linked to the domain take effect. Account policies in a GPO linked to an OU affect only the local accounts on the computers in that OU.
- To configure different account policies for different users, use one of the following strategies:
  - Configure fine-grained password policies (Password Settings Objects, PSOs), available when the domain functional level is Windows Server 2008 or higher. A PSO is applied to users and global security groups, not to OUs, and when several apply the one with the lowest precedence value wins.
  - Create different domains, moving objects with different password policy requirements into their respective domains.
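The first strategy, as an added example (not code from the original page): create a Password Settings Object with the ActiveDirectory PowerShell module and apply it to a group, then confirm which policy a user actually gets. It assumes Domain Admin rights, a domain at Windows Server 2008 functional level or higher, and the hypothetical group `Tier0-Admins` and user `jdoe`.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module,
# Domain Admin rights, and the hypothetical names 'Tier0-Admins' and 'jdoe'.
Import-Module ActiveDirectory

# Fine-grained password policies need Windows Server 2008 domain functional level or higher.
$mode = (Get-ADDomain).DomainMode
if ("$mode" -in 'Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain') {
    throw "Domain functional level '$mode' does not support fine-grained password policies"
}

# Splatting keeps the settings readable and lets each one carry a comment.
$pso = @{
    Name                            = 'PSO-Tier0-Admins'
    Precedence                      = 10              # lower value wins when several PSOs apply to a user
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false          # never enable this for privileged accounts
    MinPasswordLength               = 14
    PasswordHistoryCount            = 24              # maximum the policy supports
    MinPasswordAge                  = '1.00:00:00'    # 1 day; must be less than MaxPasswordAge
    MaxPasswordAge                  = '60.00:00:00'   # 60 days; 0 would mean the password never expires
    LockoutThreshold                = 5               # 0 would mean accounts never lock
    LockoutObservationWindow        = '00:30:00'      # "reset account lockout counter after" 30 minutes
    LockoutDuration                 = '00:30:00'      # must be greater than or equal to the observation window
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso

# PSOs apply to users and global security groups only (not OUs).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'

# Verify the resultant policy for a member of the group; with no PSO this returns nothing
# and the Default Domain Policy settings apply.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

Run `Get-ADUserResultantPasswordPolicy` for a user who is not in the group to confirm that the default domain policy still governs everyone else.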
The following table explains the Password Policy and Account Lockout Policy settings.
Password Policy settings:

| Setting | Description |
|---|---|
| Enforce password history | Keeps a history of each user's previous passwords (0 to 24) so that they cannot be reused. When set to 0, no history is kept and a user can immediately reuse an old password. The setting only matters when a maximum password age forces changes, and it is only effective when a minimum password age stops users from cycling through the whole history in one sitting. |
| Maximum password age | Forces the user to change the password after the specified number of days (1 to 999). Setting this value to 0 means that the password never expires. |
| Minimum password age | Forces the user to keep a new password for the specified number of days before changing it again. This prevents users from changing the password repeatedly right after a reset in order to exhaust the password history and return to a preferred password. The value must be less than the maximum password age (unless the maximum is 0) and should be greater than 0; a setting of 0 allows the user to change the password again immediately. |
| Minimum password length | Configures how many characters a valid password must have. A value of 0 means no password is required. |
| Password must meet complexity requirements | When enabled, a new password must be at least six characters long, must not contain the user's account name or any part of the user's full name longer than two consecutive characters, and must contain characters from at least three of the following five categories: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), non-alphanumeric characters (for example !, $, #, %), and Unicode letters that are neither uppercase nor lowercase (such as characters from Asian languages). The built-in filter does not check for dictionary words or the company name; blocking those requires a custom password filter. |
| Store passwords using reversible encryption | Determines whether passwords are stored in Active Directory and in the local SAM in a form from which the cleartext can be recovered. This is equivalent to storing plaintext: anyone who can read the directory database or the SAM can recover the passwords. Leave this policy disabled. Enable it only for specific accounts whose applications need the cleartext password to verify users (for example CHAP through remote access or Digest authentication in IIS), and set it per account rather than domain-wide. |

Account Lockout Policy settings:

| Setting | Description |
|---|---|
| Account lockout duration | How many minutes (0 to 99,999) a locked account remains locked. When the time expires, the account is unlocked automatically. When set to 0, the account is never unlocked automatically and an administrator must unlock it. The duration must be greater than or equal to the reset counter window. |
| Account lockout threshold | How many failed logon attempts (0 to 999) are allowed before the account is locked. A value of 0 means the account is never locked out, and the other two lockout settings have no effect. A threshold set very low makes it easy to lock legitimate users out of their accounts deliberately. |
| Reset account lockout counter after | The number of minutes (1 to 99,999) after the last failed attempt before the bad-password counter is reset to zero. Must be less than or equal to the account lockout duration when a duration is set. For example, if this value is set to 5 and the account lockout threshold is set to 3, the user can enter 2 incorrect passwords within a 5-minute interval without being locked out; once 5 minutes have passed since the last failure, the counter resets and further attempts are allowed. |
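The constraints in the two tables, as an added example (not code from the original page): a function that audits a policy object for the mistakes described above, and an implementation of the documented complexity rule that can be run against candidate passwords. The property names match what `Get-ADDefaultDomainPasswordPolicy` returns; the `$samplePolicy` object is constructed here so the script runs without a domain, and `jdoe` / `John Doe` are assumed names.

```powershell
# Added example, not from the original page. $samplePolicy is a constructed stand-in for the
# object Get-ADDefaultDomainPasswordPolicy returns; 'jdoe' and 'John Doe' are assumed names.

function Test-AccountPolicy {
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    $zero = [TimeSpan]::Zero

    if ($Policy.MaxPasswordAge -eq $zero) {
        $findings += 'MaxPasswordAge is 0: passwords never expire, so the history is never enforced'
    }
    if ($Policy.PasswordHistoryCount -lt 24) {
        $findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount); the maximum is 24"
    }
    if ($Policy.MinPasswordAge -eq $zero) {
        $findings += 'MinPasswordAge is 0: a user can cycle through the history in one sitting'
    } elseif ($Policy.MaxPasswordAge -ne $zero -and $Policy.MinPasswordAge -ge $Policy.MaxPasswordAge) {
        $findings += 'MinPasswordAge must be less than MaxPasswordAge'
    }
    if (-not $Policy.ComplexityEnabled)      { $findings += 'Complexity requirements are disabled' }
    if ($Policy.ReversibleEncryptionEnabled) { $findings += 'Reversible encryption is enabled: passwords are recoverable in cleartext' }
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += 'LockoutThreshold is 0: accounts are never locked out'
    } elseif ($Policy.LockoutDuration -ne $zero -and $Policy.LockoutObservationWindow -gt $Policy.LockoutDuration) {
        $findings += 'Reset counter window (LockoutObservationWindow) must not exceed LockoutDuration'
    }
    return $findings
}

# The built-in complexity rule as documented: at least 6 characters, no account name,
# no display-name token longer than two characters, and three of the five categories.
function Test-PasswordComplexity {
    param([string]$Password, [string]$SamAccountName, [string]$DisplayName)
    if ($Password.Length -lt 6) { return $false }
    # -match is case-insensitive by default, which is how the name checks behave.
    if ($SamAccountName -and $Password -match [regex]::Escape($SamAccountName)) { return $false }
    # The full name is split on commas, periods, dashes, underscores, spaces, pound signs and tabs.
    foreach ($token in ($DisplayName -split '[ ,.\-_#\t]+' | Where-Object { $_.Length -gt 2 })) {
        if ($Password -match [regex]::Escape($token)) { return $false }
    }
    $categories = 0
    if ($Password -cmatch '[A-Z]')          { $categories++ }   # uppercase
    if ($Password -cmatch '[a-z]')          { $categories++ }   # lowercase
    if ($Password -match  '[0-9]')          { $categories++ }   # digits
    if ($Password -match  '[^\p{L}\p{Nd}]') { $categories++ }   # non-alphanumeric, e.g. ! $ # %
    if ($Password -match  '\p{Lo}')         { $categories++ }   # caseless letters (approximates "other alphabets")
    return $categories -ge 3
}

# Constructed sample resembling a weak default domain policy.
$samplePolicy = [pscustomobject]@{
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 5
    MinPasswordAge              = [TimeSpan]::Zero
    MaxPasswordAge              = [TimeSpan]::FromDays(90)
    MinPasswordLength           = 8
    LockoutThreshold            = 0
    LockoutDuration             = [TimeSpan]::FromMinutes(30)
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(30)
}
Test-AccountPolicy -Policy $samplePolicy
# Against a live domain: Test-AccountPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)

Test-PasswordComplexity -Password 'Summer2024!' -SamAccountName 'jdoe' -DisplayName 'John Doe'   # four categories, no name parts
Test-PasswordComplexity -Password 'JohnDoe99!'  -SamAccountName 'jdoe' -DisplayName 'John Doe'   # contains the display-name token 'Doe'
Test-PasswordComplexity -Password 'password123' -SamAccountName 'jdoe' -DisplayName 'John Doe'   # only lowercase letters and digits
```

`Test-AccountPolicy` also works on the objects returned by `Get-ADFineGrainedPasswordPolicy -Filter *`, so the same checks can be run over every PSO in the domain.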
Be aware of the following facts when managing account policies:
- If an account has been locked out because the user has forgotten the password, resetting the password does not by itself clear the lockout: reset (not change) the password, unlock the account, and force a password change at next logon so that the temporary password is short-lived.
- The user account setting Password never expires overrides the maximum password age configured in a GPO (minimum length and complexity still apply whenever the password is set). Service accounts that cannot tolerate expiry may need this option, and must then use long, strong passwords; prefer group managed service accounts, whose passwords rotate automatically, where the service supports them. No other type of account should have this setting enabled, including administrators.
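Both facts above, as an added example (not code from the original page): the reset, unlock and change-at-next-logon sequence for a locked-out user, followed by an audit that lists enabled accounts flagged Password never expires and marks the privileged ones. It assumes the ActiveDirectory module, an operator with reset-password rights, and the hypothetical user `jdoe`.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module, an operator
# with reset-password rights, and the hypothetical locked-out user 'jdoe'.
Import-Module ActiveDirectory
$user = 'jdoe'

# Look before acting. BadPwdCount and LastBadPasswordAttempt are not replicated, so query
# the PDC emulator for the authoritative values.
$pdc = (Get-ADDomain).PDCEmulator
Get-ADUser -Identity $user -Server $pdc -Properties LockedOut, BadPwdCount, LastBadPasswordAttempt, PasswordNeverExpires |
    Format-List SamAccountName, LockedOut, BadPwdCount, LastBadPasswordAttempt, PasswordNeverExpires

# Reset (not change) the password: -Reset does not require the old password.
$temp = Read-Host -AsSecureString -Prompt 'Temporary password'
Set-ADAccountPassword -Identity $user -Reset -NewPassword $temp

# A reset does not clear the lockout; unlock explicitly.
Unlock-ADAccount -Identity $user

# Make the temporary password short-lived. This conflicts with 'Password never expires',
# so clear that flag first if the account carries it.
Set-ADUser -Identity $user -PasswordNeverExpires $false
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# Audit: every enabled user whose password never expires. adminCount=1 marks accounts that
# AdminSDHolder protects (members of privileged groups); a service principal name suggests a
# service account, which is the only kind that should appear in this list.
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
           -Properties PasswordLastSet, AdminCount, ServicePrincipalName |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'Privileged'; e = { $_.AdminCount -eq 1 } },
        @{ n = 'HasSPN';     e = { $_.ServicePrincipalName.Count -gt 0 } } |
    Sort-Object Privileged -Descending |
    Format-Table -AutoSize
```

Any row with `Privileged` set to True is an administrator whose password never expires and should be fixed; rows with `HasSPN` False and old `PasswordLastSet` dates are likely ordinary user accounts that were given the flag for convenience.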