Introduction to Active Directory Password Policy
Enforcing a strong password policy is one of the most fundamental security controls in any Active Directory environment. Windows Server 2019 provides a Default Domain Password Policy applied through Group Policy, which governs all accounts in the domain unless overridden by Fine-Grained Password Policies. This tutorial walks through configuring every aspect of the default password policy using both the Group Policy Management Console and PowerShell.
Understanding the Default Domain Policy
Active Directory applies password settings from the Default Domain Policy GPO linked to the domain root. This GPO contains the Password Policy node under Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy. There are six settings that control password behavior for all domain accounts.
The six settings are: Enforce password history, Maximum password age, Minimum password age, Minimum password length, Password must meet complexity requirements, and Store passwords using reversible encryption. Understanding each setting before modifying them prevents account lockouts and security gaps.
Opening the Default Domain Policy
Open Group Policy Management Console by running gpmc.msc from an elevated command prompt or the Run dialog. In the left pane, expand your forest, then Domains, then your domain name. You will see the Default Domain Policy GPO listed. Right-click it and select Edit to open the Group Policy Management Editor.
gpmc.msc
Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy. You will see all six password policy settings in the right pane with their current values.
Configuring Password History
The Enforce password history setting prevents users from reusing recent passwords. Double-click the setting and set the value to 24, which is the maximum and the CIS Benchmark recommendation for Windows Server 2019. This means users must cycle through 24 unique passwords before reusing an old one.
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -PasswordHistoryCount 24
Configuring Maximum and Minimum Password Age
Maximum password age determines how many days a password can be used before it expires. The default is 42 days, but many organizations extend this to 90 days to reduce helpdesk load while maintaining security. Set it by double-clicking the setting and entering the number of days. Setting it to 0 means passwords never expire.
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -MaxPasswordAge (New-TimeSpan -Days 90)
Minimum password age prevents users from immediately cycling through passwords to get back to a favorite one. Set this to at least 1 day. If set to 0, users can change passwords immediately and defeat the history requirement by rapidly changing passwords 24 times in succession.
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -MinPasswordAge (New-TimeSpan -Days 1)
Configuring Minimum Password Length
Minimum password length is the most impactful single setting for password security. Microsoft and NIST both recommend a minimum of 14 characters. Windows Server 2019 supports passwords up to 256 characters. Longer passwords that are easy to remember (passphrases) are more secure than short complex passwords. Set the minimum length to at least 14 characters for privileged accounts.
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -MinPasswordLength 14
Enabling Password Complexity Requirements
When the Password must meet complexity requirements setting is enabled, passwords must satisfy three of four character categories: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and special characters (!@#$% etc.). Passwords also cannot contain the user’s account name or more than two consecutive characters from the user’s display name.
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -ComplexityEnabled $true
Reversible Encryption Setting
Store passwords using reversible encryption should always remain disabled unless required by specific legacy applications that use CHAP authentication. Enabling this setting stores passwords in a form that can be decrypted, which is functionally equivalent to storing plaintext passwords. Verify this setting is disabled.
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -ReversibleEncryptionEnabled $false
Configuring Account Lockout Policy
Account Lockout Policy lives in the same Account Policies node. Three settings control lockout behavior. Account lockout threshold sets how many failed attempts before lockout. Account lockout duration sets how many minutes the account stays locked. Reset account lockout counter after sets how many minutes before the failed attempt counter resets.
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" `
-LockoutThreshold 5 `
-LockoutDuration (New-TimeSpan -Minutes 15) `
-LockoutObservationWindow (New-TimeSpan -Minutes 15)
Viewing the Current Domain Password Policy
After configuring settings, verify them using PowerShell. The Get-ADDefaultDomainPasswordPolicy cmdlet returns all current policy settings in a readable format. Run this from any domain controller or a management workstation with the RSAT Active Directory tools installed.
Get-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" | Format-List *
The output shows ComplexityEnabled, LockoutDuration, LockoutObservationWindow, LockoutThreshold, MaxPasswordAge, MinPasswordAge, MinPasswordLength, PasswordHistoryCount, and ReversibleEncryptionEnabled fields.
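The following script is an added example, not part of the original tutorial: it reads the live policy with Get-ADDefaultDomainPasswordPolicy and compares every field against the values recommended in the sections above, flagging any drift. The domain name "yourdomain.com" is a placeholder and the baseline values are this tutorial's recommendations, not a universal standard.

```powershell
# Added example: compare the live Default Domain Password Policy against the
# baseline recommended in this tutorial and report drift. Assumes the RSAT
# ActiveDirectory module is installed; "yourdomain.com" is a placeholder.
Import-Module ActiveDirectory

$domain = "yourdomain.com"
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain

# Baseline taken from the settings recommended above (assumed values).
$baseline = @{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = New-TimeSpan -Days 90
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 14
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 5
    LockoutDuration             = New-TimeSpan -Minutes 15
    LockoutObservationWindow    = New-TimeSpan -Minutes 15
}

# TimeSpan and bool values compare correctly with -eq, so one loop covers all fields.
$results = foreach ($name in ($baseline.Keys | Sort-Object)) {
    $expected = $baseline[$name]
    $actual   = $policy.$name
    [PSCustomObject]@{
        Setting   = $name
        Expected  = $expected
        Actual    = $actual
        Compliant = ($actual -eq $expected)
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring job flag drift.
$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) password policy setting(s) differ from the baseline."
    exit 1
}
```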
Forcing a Group Policy Update
After editing the Default Domain Policy, force a Group Policy refresh on domain controllers to apply changes immediately rather than waiting for the default 5-minute Group Policy refresh interval on domain controllers. Run the following command on each domain controller, or use the Invoke-GPUpdate cmdlet to push updates remotely.
gpupdate /force
Invoke-GPUpdate -Computer "DC01" -Force
Checking Resultant Set of Policy
Use rsop.msc or gpresult to confirm which policy settings are actually applied on a given machine. This is essential for troubleshooting when expected password settings are not enforced. Run gpresult with the /H flag to generate an HTML report showing all applied GPOs and their settings.
gpresult /H C:\GPOReport.html /F
rsop.msc
Auditing Password Policy Compliance
Use the following PowerShell command to identify user accounts with PasswordNeverExpires set, which bypasses the maximum password age policy. Service accounts often have this set intentionally, but it should be inventoried and documented. Accounts with this flag set should use very strong, unique passwords or be migrated to Managed Service Accounts.
Get-ADUser -Filter {PasswordNeverExpires -eq $true} -Properties PasswordNeverExpires, LastLogonDate |
Select-Object Name, SamAccountName, PasswordNeverExpires, LastLogonDate |
Sort-Object Name
Identifying Accounts with Password Not Required
Some legacy accounts may have the PASSWD_NOTREQD flag set, allowing them to have a blank password regardless of the domain password policy. Identify and remediate these accounts immediately as they represent a critical security vulnerability.
Get-ADUser -Filter {PasswordNotRequired -eq $true} -Properties PasswordNotRequired |
Select-Object Name, SamAccountName, Enabled |
Sort-Object Name
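The following script is an added example, not part of the original tutorial: it combines the two audits above (PasswordNeverExpires and PasswordNotRequired) into a single query, ranks each finding so that enabled accounts that can carry a blank password surface first, and writes a CSV for the inventory the text calls for. The 90-day stale threshold, the report path and the severity labels are assumptions.

```powershell
# Added example: one audit pass over both risky password flags, written to CSV.
# Assumes the RSAT ActiveDirectory module and that C:\Reports exists;
# the 90-day stale threshold and severity labels are assumptions.
Import-Module ActiveDirectory

$staleDays  = 90
$staleDate  = (Get-Date).AddDays(-$staleDays)
$reportPath = "C:\Reports\PasswordFlagAudit.csv"

$props = @('PasswordNeverExpires', 'PasswordNotRequired', 'LastLogonDate', 'PasswordLastSet')

# One query for both conditions instead of two separate round trips to the DC.
$accounts = Get-ADUser -Filter { PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true } `
                       -Properties $props

$report = foreach ($u in $accounts) {
    # Rank findings: an enabled account that may have a blank password is most urgent.
    # A $null LastLogonDate (never logged on) compares as earlier than $staleDate,
    # so such accounts are treated as stale.
    $severity = if ($u.PasswordNotRequired -and $u.Enabled) { 'Critical' }
                elseif ($u.PasswordNotRequired) { 'High' }
                elseif ($u.Enabled -and $u.LastLogonDate -lt $staleDate) { 'Medium' }
                else { 'Low' }

    [PSCustomObject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordNotRequired  = $u.PasswordNotRequired
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordLastSet      = $u.PasswordLastSet
        LastLogonDate        = $u.LastLogonDate
        Severity             = $severity
    }
}

$report | Sort-Object SamAccountName | Export-Csv -Path $reportPath -NoTypeInformation

# Summary count per severity for a quick read before opening the CSV.
$report | Group-Object Severity | Select-Object Name, Count
```

Accounts in the Critical bucket are the ones the section above says to remediate immediately; the Low bucket is the documented service-account inventory.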
Conclusion
A properly configured Active Directory password policy forms the baseline of your domain security posture. The settings covered in this tutorial—password history, age limits, minimum length, complexity, and account lockout—should be reviewed regularly and aligned with your organization’s security policy. Combine the Default Domain Policy with Fine-Grained Password Policies to apply stricter controls to privileged accounts such as Domain Admins. Always test policy changes in a lab environment before deploying to production.