Chapter 7 – Password & Account Policies
Windows Server Group Policy (GPO) Master Handbook
Chapter 7 – Password & Account Policies
Learning Objectives
Configure secure password, account lockout, Kerberos, and account policies using Group Policy. Understand enterprise security recommendations and troubleshooting.
1. GPO Path
Computer Configuration → Windows Settings → Security Settings → Account Policies
2. Password Policy
Configure minimum password length, password complexity, maximum password age, minimum password age, password history, and reversible encryption.
3. Recommended Enterprise Settings
Minimum Length: 14–16 characters
Password History: 24
Maximum Age: 60–90 days (or follow organization policy)
Minimum Age: 1 day
Complexity: Enabled
Reversible Encryption: Disabled
4. Account Lockout Policy
Configure Account Lockout Threshold, Lockout Duration, and Reset Account Lockout Counter to protect against brute-force attacks.
5. Kerberos Policy
Configure ticket lifetime, renewal period, clock synchronization tolerance, and ticket validation for domain authentication.
6. Fine-Grained Password Policies
Use Password Settings Objects (PSOs) in Active Directory to apply different password policies to different groups without creating separate domains.
7. Default Domain Policy
Password and Kerberos policies should normally be configured only in the Default Domain Policy or another GPO linked at the domain level.
8. Security Best Practices
Use MFA where possible, avoid password hints, require unique passwords, protect privileged accounts with separate admin credentials, and review password policies regularly.
9. Troubleshooting
Verify the policy is linked at the domain level, run gpupdate /force, use gpresult /h, check Event Viewer, verify replication between domain controllers, and use 'net accounts' to review effective settings on a computer.
10. PowerShell Commands
Get-ADDefaultDomainPasswordPolicy
Set-ADDefaultDomainPasswordPolicy
Get-ADFineGrainedPasswordPolicy
Get-ADUserResultantPasswordPolicy username
11. Command Line
gpupdate /force
gpresult /h report.html
net accounts
whoami /groups
12. Interview Questions
What is Password History? Why should Reversible Encryption remain disabled? What is a Fine-Grained Password Policy? Difference between Default Domain Policy and local password policy? How do you troubleshoot password policy application?
13. Practical Lab
Configure a 14-character minimum password length, enable complexity, set account lockout after five failed attempts, apply the policy, run gpupdate /force, and verify using net accounts.
Policy Reference
Setting | Recommended | Purpose |
Enforce password history | 24 | Prevent password reuse |
Maximum password age | 60–90 days | Periodic password changes |
Minimum password age | 1 day | Prevent immediate reuse |
Minimum password length | 14–16 | Increase password strength |
Password complexity | Enabled | Require mixed character types |
Store passwords using reversible encryption | Disabled | Improve security |
Account lockout threshold | 5 attempts | Protect against brute force |
Lockout duration | 15–30 min | Temporary lock after failures |
Reset lockout counter | 15 min | Reset failed attempt counter |
Microsoft Learn
Comments
Post a Comment