Chapter 7 – Password & Account Policies

 Windows Server Group Policy (GPO) Master Handbook

Chapter 7 – Password & Account Policies

Learning Objectives

Configure secure password, account lockout, Kerberos, and account policies using Group Policy. Understand enterprise security recommendations and troubleshooting.

1. GPO Path

Computer Configuration → Windows Settings → Security Settings → Account Policies

2. Password Policy

Configure minimum password length, password complexity, maximum password age, minimum password age, password history, and reversible encryption.

3. Recommended Enterprise Settings

Minimum Length: 14–16 characters
Password History: 24
Maximum Age: 60–90 days (or follow organization policy)
Minimum Age: 1 day
Complexity: Enabled
Reversible Encryption: Disabled

4. Account Lockout Policy

Configure Account Lockout Threshold, Lockout Duration, and Reset Account Lockout Counter to protect against brute-force attacks.

5. Kerberos Policy

Configure ticket lifetime, renewal period, clock synchronization tolerance, and ticket validation for domain authentication.

6. Fine-Grained Password Policies

Use Password Settings Objects (PSOs) in Active Directory to apply different password policies to different groups without creating separate domains.

7. Default Domain Policy

Password and Kerberos policies should normally be configured only in the Default Domain Policy or another GPO linked at the domain level.

8. Security Best Practices

Use MFA where possible, avoid password hints, require unique passwords, protect privileged accounts with separate admin credentials, and review password policies regularly.

9. Troubleshooting

Verify the policy is linked at the domain level, run gpupdate /force, use gpresult /h, check Event Viewer, verify replication between domain controllers, and use 'net accounts' to review effective settings on a computer.

10. PowerShell Commands

Get-ADDefaultDomainPasswordPolicy
Set-ADDefaultDomainPasswordPolicy
Get-ADFineGrainedPasswordPolicy
Get-ADUserResultantPasswordPolicy username

11. Command Line

gpupdate /force
gpresult /h report.html
net accounts
whoami /groups

12. Interview Questions

What is Password History? Why should Reversible Encryption remain disabled? What is a Fine-Grained Password Policy? Difference between Default Domain Policy and local password policy? How do you troubleshoot password policy application?

13. Practical Lab

Configure a 14-character minimum password length, enable complexity, set account lockout after five failed attempts, apply the policy, run gpupdate /force, and verify using net accounts.

Policy Reference

Setting

Recommended

Purpose

Enforce password history

24

Prevent password reuse

Maximum password age

60–90 days

Periodic password changes

Minimum password age

1 day

Prevent immediate reuse

Minimum password length

14–16

Increase password strength

Password complexity

Enabled

Require mixed character types

Store passwords using reversible encryption

Disabled

Improve security

Account lockout threshold

5 attempts

Protect against brute force

Lockout duration

15–30 min

Temporary lock after failures

Reset lockout counter

15 min

Reset failed attempt counter

Microsoft Learn

Password and Account Policies

Active Directory Domain Services

Group Policy Overview

Comments

Popular posts from this blog

IIS Installation and Application configuration windows swerver

IIS Self Signed

Here’s a step-by-step guide on configuring WDS on Windows Server