Last Updated on May 13, 2026 by Satyendra
Cyberattacks are on the rise worldwide, emphasizing the need for strong password policies. An Active Directory password policy is a set of rules configured within Active Directory that defines the requirements for user passwords, including minimum length, complexity, age, and history, to protect organizational accounts from unauthorized access. A password policy ensures that user passwords are strong and regularly changed, making them extremely difficult for attackers to crack. Hackers often gain access to corporate networks using legitimate user or admin credentials, resulting in security breaches and compliance failures. Various techniques used by adversaries to compromise corporate passwords include:
- Brute force attacks: Hackers use programs to enter potential passwords until they find the correct one.
- Dictionary attacks: Adversaries try words from the dictionary as possible passwords.
- Password spraying attacks: Hackers attempt common passwords on multiple user accounts.
- Credential stuffing attacks: Automated tools are used to enter lists of credentials against company login portals.
- Spidering: Adversaries gather information about a target and create passwords based on that data.
What is the Active Directory Default Password Policy?
In order to protect against these attacks, organizations must have a robust password policy for their Active Directory. This policy establishes guidelines for creating passwords, including minimum length, complexity (such as the inclusion of special characters), and the duration before the password must be changed. By default, Active Directory comes with a preset domain password policy that sets the requirements for user accounts, including password length, age, and other factors.
How to View and Edit Domain Password Policy
To configure the domain password policy, administrators can use the Default Domain Policy, a Group Policy object that affects all objects within the domain. To access and edit this policy, the Group Policy Management Console (GPMC), a Microsoft tool for managing Group Policy Objects across a domain, must be opened.
To access the password policy settings:
- Open the Group Policy Management Console (GPMC)
- Expand the Domains folder
- Select the domain for which you want to access the policy
- Choose Group Policy Objects
- Right-click on the Default Domain Policy folder and click Edit
- Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy
Alternatively, the domain password policy can be read from PowerShell (ActiveDirectory module) with:

```powershell
Get-ADDefaultDomainPasswordPolicy
```
Note: any change made to the default password policy applies to every account in the domain. Administrators can also create and manage more specific password policies using the Active Directory Administrative Center (ADAC, a GUI-based management tool for Active Directory introduced in Windows Server 2008 R2) in Windows Server.
Default Active Directory Password Policy Settings
The following table outlines the six default password policy settings, their default values, and recommended actions:
| Setting Name | Default Value | Recommended Action |
|---|---|---|
| Enforce password history | 24 passwords | Keep the default value to minimize the risk of compromised passwords |
| Maximum password age | 42 days | Consider extending or disabling based on NIST guidelines; avoid setting to 0 (never expires) |
| Minimum password age | 1 day | Set to 3 days to prevent users from quickly cycling through previous passwords |
| Minimum password length | 7 characters | Increase from the default of 7 to at least 8 characters; best practice recommends 8-15+ |
| Complexity requirements | Enabled | Consider prioritizing length over complexity per current best practices |
| Store passwords using reversible encryption | Disabled | Keep disabled unless required for IAS or CHAP |
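To turn the table above into a repeatable check, the following script (an added example, not part of the original article) reads the default domain policy and flags each of the six settings that falls short of the recommended value. It assumes the ActiveDirectory RSAT module is installed and the account running it can read the domain.

```powershell
# Added example: audit Get-ADDefaultDomainPasswordPolicy against the recommended
# values in the table above. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# "Never expires" (0 in the GPO) is reported by the cmdlet as a zero or maximum
# TimeSpan depending on how it was set, so both are treated as "never".
$never = @([TimeSpan]::Zero, [TimeSpan]::MaxValue)

# Thresholds come from the table above; adjust them to your own standard.
$checks = @(
    @{ Name = 'PasswordHistoryCount';        Expect = 'at least 24 remembered passwords'
       Ok = { $policy.PasswordHistoryCount -ge 24 } }
    @{ Name = 'MaxPasswordAge';              Expect = 'not 0 / never expires'
       Ok = { $never -notcontains $policy.MaxPasswordAge } }
    @{ Name = 'MinPasswordAge';              Expect = 'at least 3 days'
       Ok = { $policy.MinPasswordAge.TotalDays -ge 3 } }
    @{ Name = 'MinPasswordLength';           Expect = 'at least 8 characters (15+ preferred)'
       Ok = { $policy.MinPasswordLength -ge 8 } }
    @{ Name = 'ComplexityEnabled';           Expect = 'enabled unless a length-first standard replaces it'
       Ok = { $policy.ComplexityEnabled } }
    @{ Name = 'ReversibleEncryptionEnabled'; Expect = 'disabled'
       Ok = { -not $policy.ReversibleEncryptionEnabled } }
)

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting  = $c.Name
        Current  = $policy.($c.Name)
        Expected = $c.Expect
        Status   = if (& $c.Ok) { 'OK' } else { 'REVIEW' }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or CI job fail on policy drift.
if ($results.Status -contains 'REVIEW') { exit 1 }
```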
What is Fine-Grained Password Policy (FGPP)?
Older versions of AD allowed the creation of just one password policy for each domain. The introduction of Fine-Grained Password Policies (FGPP—a feature that allows multiple password policies within a single domain, introduced in Windows Server 2008) has made it possible for admins to create multiple password policies to better meet business needs. For example, you might want to require admin accounts to use more complex passwords than regular user accounts. It’s important that you define your organizational structure thoughtfully so it maps to your desired password policies. While you define the default domain password policy within a GPO, FGPPs are set in Password Settings Objects (PSOs—Active Directory objects that contain password policy settings for FGPP). To set them up, open the ADAC, click on your domain, navigate to the System folder and then click on the Password Settings Container.
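The admin-versus-regular-user case described above can be scripted instead of clicked through in ADAC. The example below is added here and is not part of the original article; it assumes the ActiveDirectory module, a global security group named `Tier0-Admins` (an assumed name) that holds the privileged accounts, and a PSO name of `PSO-PrivilegedAccounts` (also assumed).

```powershell
# Added example: create a stricter Password Settings Object for privileged
# accounts, attach it to a group, and verify which policy each member resolves to.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'   # assumed name
$subject = 'Tier0-Admins'             # assumed global security group

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $psoParams = @{
        Name                            = $psoName
        Precedence                      = 10      # lowest number wins if several PSOs apply
        MinPasswordLength               = 15      # 15+ characters for admin accounts
        PasswordHistoryCount            = 24
        MinPasswordAge                  = (New-TimeSpan -Days 3)
        MaxPasswordAge                  = (New-TimeSpan -Days 180)
        ComplexityEnabled               = $true
        ReversibleEncryptionEnabled     = $false
        LockoutThreshold                = 5
        LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
        LockoutDuration                 = (New-TimeSpan -Minutes 30)
        ProtectedFromAccidentalDeletion = $true
        Description                     = 'Stricter policy for privileged accounts'
    }
    New-ADFineGrainedPasswordPolicy @psoParams
}

# PSOs apply to users and global security groups, not OUs; link it to the group.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $subject

# Verify: Get-ADUserResultantPasswordPolicy returns $null when no PSO applies,
# which means the Default Domain Policy is in effect for that user.
Get-ADGroupMember -Identity $subject -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $effective = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User            = $_.SamAccountName
            EffectivePolicy = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
            MinLength       = if ($effective) { $effective.MinPasswordLength } else { $null }
        }
    } | Format-Table -AutoSize
```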
NIST SP 800-63 Password Guidelines
The National Institute of Standards and Technology (NIST) is a government agency responsible for establishing rules and guidelines for managing digital identities. Special Publication 800-63B outlines the standards for passwords. The current standard is Revision 3 of SP 800-63B, issued in 2017 and updated in 2019 (organizations should verify they are referencing the most current version for compliance purposes).
These guidelines serve as a basis for organizations to create a strong password security infrastructure. NIST recommendations include:
- User-generated passwords should be at least 8 characters (6 for machine-generated passwords).
- Passwords up to 64 characters should be allowed.
- The use of any ASCII/Unicode characters should be permitted.
- Sequential or repeated characters in passwords should be prohibited.
- Frequent password changes should be discouraged in favor of alternative security measures.
The latest NIST 800-63B standards emphasize the careful use of password expiration policies as research shows that alternatives like banned password lists, longer passphrases, and multi-factor authentication (MFA) provide better security.
Active Directory Password Policy Best Practices
Below is a summary of AD password policy best practices:
- Implement a minimum password length of 8 characters.
- Enforce a password history policy that checks the last 10 passwords used by a user.
- Set a minimum password age of 3 days to prevent users from quickly cycling through previous passwords.
- Use banned password lists, breached password lists, and password dictionaries to check the strength of proposed new passwords.
- Reset local admin passwords every 180 days using an automated password reset tool.
- Change device account passwords at least once per year.
- Ensure domain admin account passwords are at least 15 characters long.
- Implement email notifications to alert users when their passwords are about to expire using an automated password expiration reminder tool.
- Create granular password policies for specific organizational units instead of modifying the Default Domain Policy.
- Utilize password management tools to securely store passwords.
- Enable users to change passwords via a web browser and provide guidance on selecting strong passwords.
- Implement account lockout policies to prevent brute force attacks.
- Emphasize the importance of not writing down passwords.
- Encourage users to enter passwords discreetly, without anyone watching.
- Educate users on the significance of distinguishing between “HTTPS://” and “HTTP://” in URLs for enhanced security.
- Discourage the use of the same password for multiple websites accessing sensitive information.
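Several items in the list above (never-expiring passwords, the 180-day rotation target, stronger handling of domain admin accounts) can be checked directly in the directory. The following script is an added example, not part of the original article; it assumes the ActiveDirectory module and uses the built-in `Domain Admins` group and a 180-day threshold that you can change.

```powershell
# Added example: report enabled accounts that bypass expiry entirely, and
# Domain Admins members whose passwords are older than the chosen threshold.
Import-Module ActiveDirectory

$staleAfterDays = 180                                  # threshold from the list above
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

# 1. Enabled accounts with PasswordNeverExpires: Maximum password age never applies to them.
$neverExpires = @(
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
               -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet
)

# 2. Domain Admins (nested membership included) whose password is stale or never set.
$stalePrivileged = @(
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
        Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
        Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires
)

"$($neverExpires.Count) enabled account(s) have PasswordNeverExpires set:"
$neverExpires | Format-Table -AutoSize

"$($stalePrivileged.Count) Domain Admins member(s) with passwords older than $staleAfterDays days:"
$stalePrivileged | Format-Table -AutoSize
```

Service accounts often appear in the first list by design; review them against the FGPP section above rather than blindly clearing the flag.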
How Lepide Helps Secure Active Directory Passwords
The Lepide Data Security Platform will give you complete visibility into passwords that never expire. With customizable, automated emails, Lepide notifies users about their password expiry date, reminding them to reset their passwords. Follow-up notifications are also available for users who fail to take immediate action.
By identifying and addressing passwords that never expire, Lepide helps reduce the potential threat surface area. Detailed reports can be generated in seconds, providing an overview of expired passwords, upcoming password expirations, logon failures, account lockouts, and more. These reports can be conveniently delivered via email and exported in common formats.
The Lepide Data Security Platform includes a module called Account Lockout Investigator, which helps IT administrators identify the cause of account lockouts in real time. This tool simplifies and speeds up the investigation process, allowing administrators to unlock user accounts directly from the tool. Additionally, it helps fulfill service level agreements by identifying lockouts related to service accounts.
If you’d like to see how the Lepide Data Security Platform can help you manage your Active Directory password policy, schedule a demo with one of our engineers.