daskas27

Server 2008 R2 Password Policies

Hello,
We currently have a very lax password policy on our network. Our network consists of one AD domain. We would like to force a more stringent password policy. I looked on the domain controller and in the Group Policy Management Console, Domain, Default Domain Policy, (right-click and Edit). Under the Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy, all policy settings are Not Defined.
I then look in the Local Security Policy, Security Settings, Account Policies, Password Policy and it shows what we currently seem to be using (Max password age - 365 days, Min password length - 5 characters). I would like to enforce a 90-day max age, 7 characters which must include at least one upper case and one number and perhaps a symbol. Where do I do this? I thought it was in the Group Policy Management Console but the Local Security Policy has me confused.

Note: This was set up before me starting here.

Thank you
Windows Server 2008, Active Directory


8/22/2022 - Mon
Peter Hutchison

You need to use the Group Policy Management console.
Edit the Default Domain Policy
Then expand Computer Configuration, Windows Settings, Security Settings, Account Policy.
Edit the Password policy and configure:
a) Max password age = 90
b) Min password length = 7
c) Password must meet complexity requirements = Enabled.

Secpol.msc editor only applies to the local PC, not the domain.
daskas27

ASKER
Thank you. "Secpol.msc editor only applies to the local PC, not the domain." Then where is the domain getting its current requirements? Like I said, all items in the Group Policy Management Console are Not Defined. I also know the users are required to change their passwords once a year.
btan

Do look at this discussion on complexity, as you can leverage the fine-grained password policy (FGPP). However, there is a limit to how much the GPO can enforce, e.g. complexity will not be enforced during password reset and the level of complexity does not take dictionary word attacks into account. For something really more stringent and flexible to make it stronger, there is a suggested 3rd party filter to help tighten the existing GPO limits.
https://www.experts-exchange.com/questions/28929530/AD-password-complexirty-group-policy.html
Peter Hutchison

There are two places:
a) The default domain policy (at the root level on the domain in GPMC)
b) Fine grain password policies which can be applied to lower level OUs and apply to individuals or Global Security groups (see https://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx)
daskas27

ASKER
Fine grain is not enabled and nothing is defined in the GPMC. I am confused.
ASKER CERTIFIED SOLUTION
btan

daskas27

ASKER
Thank you
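
One way to check where the current values come from, as an added example that is not part of the original thread: the script reads the effective password policy stored on the domain object, lists GPOs linked at the domain root that define password settings, lists any fine-grained policies, and previews the change. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT) are available and uses the 90-day / 7-character / complexity targets from the question; the setting names matched in the GPO report are the security-template key names.

```powershell
# Added example, not from the thread. Run on a DC or a host with RSAT
# (written to work with PowerShell 2.0 on Server 2008 R2).
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Target values taken from the question in this thread.
$target = @{
    MaxPasswordAge    = New-TimeSpan -Days 90
    MinPasswordLength = 7
    ComplexityEnabled = $true
}

# 1. Effective domain-wide policy. These values live on the domain object
#    and stay in force even when every GPO shows "Not Defined".
$domain  = Get-ADDomain
$current = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
$current | Format-List MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                       ComplexityEnabled, PasswordHistoryCount, LockoutThreshold

# 2. Report every setting that differs from the target.
foreach ($name in $target.Keys) {
    if ($current.$name -ne $target[$name]) {
        Write-Output ("{0}: current={1} wanted={2}" -f $name, $current.$name, $target[$name])
    }
}

# 3. GPOs linked at the domain root that define password settings.
#    Only links at this level can set the domain password policy.
$links = (Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks
foreach ($link in $links) {
    $report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    if ($report -match 'MinimumPasswordLength|MaximumPasswordAge|PasswordComplexity') {
        Write-Output ("Password settings defined in GPO '{0}' (order {1}, enabled={2})" -f `
            $link.DisplayName, $link.Order, $link.Enabled)
    }
}

# 4. Fine-grained password policies, which override the domain policy
#    for the users and groups listed in AppliesTo.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, ComplexityEnabled, AppliesTo

# 5. Preview the change. -WhatIf makes no modification; remove it to apply.
#    A GPO found in step 3 that defines the same setting will overwrite it.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
    -MaxPasswordAge $target.MaxPasswordAge `
    -MinPasswordLength $target.MinPasswordLength `
    -ComplexityEnabled $target.ComplexityEnabled -WhatIf
```

If step 3 prints nothing, no linked GPO is managing the policy and the values seen in step 1 are whatever was last written to the domain object.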