GPO: How to Configure Password Policies

In this post, I will show you how to create a GPO to meet the minimum requirements for password policies.

The first step is to access Group Policy Management.

Group Policy Management

Right-click on Group Policy Objects and select New.

Give it a name related to what you want to do.

Select the created GPO, right-click, and select Edit.

Within the computer settings, expand the following options: Policies, Windows Settings, Security Settings, Account Policies, and select Password Policy.

On the right, you will see the options you can configure.

Enforce password history

Enabling this option with a value of 24 means that a user cannot reuse a password until they have changed it 24 times; in other words, the last 24 passwords are remembered and rejected. This number is usually lower, between 4 and 6, but it all depends on the policies of each company.

Maximum password age

This option determines how long a password remains valid. If this policy isn’t defined, a password change is required after at most 42 days. In this case, I’ll select 90, meaning users will be required to change their password every 90 days.

When I select the option described above and choose 90 days, it automatically suggests that the value for Minimum password age be 30 days.

This option means that if a user changes their password today, they won’t be able to change it again for 30 days. It is recommended if you don’t want users to change their password several times in a row on the same day, cycling through the password history until they land back on the same password for life.

password123, you know what I mean.

As I mentioned above, this value is suggested automatically when you set the maximum password age; if it isn’t, you will need to set it yourself.

Minimum password length

This option sets the minimum number of characters a password must contain.

Password must meet complexity requirements

This means that a password must meet the following requirements:

    1. It cannot contain the user’s account name or parts of the user’s full name that exceed two consecutive characters.
    2. It must be at least six characters long.
    3. It must contain characters from three of the following four categories:
        - English uppercase characters (A-Z)
        - English lowercase characters (a-z)
        - Base 10 digits (0-9)
        - Non-alphabetic characters (e.g., !, $, #, %)
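
To make the three requirements concrete, here is an added PowerShell function (not part of the original post) that checks a candidate password against them, the way you might when testing a self-service reset tool or auditing a password list before bulk-creating accounts. The account name, display name and sample passwords at the bottom are constructed; the function name `Test-PasswordComplexity` is my own.

```powershell
# Added example: evaluates a password against the complexity rules listed above.
# Not part of the original post; names and passwords below are constructed samples.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName    = ''
    )
    $reasons = [System.Collections.Generic.List[string]]::new()
    $ignoreCase = [System.StringComparison]::OrdinalIgnoreCase

    # Requirement 2: at least six characters
    if ($Password.Length -lt 6) {
        $reasons.Add("only $($Password.Length) characters (minimum 6)")
    }

    # Requirement 1a: the whole account name must not appear in the password.
    # Windows skips this check when the account name is shorter than three characters.
    if ($SamAccountName.Length -ge 3 -and $Password.IndexOf($SamAccountName, $ignoreCase) -ge 0) {
        $reasons.Add("contains the account name '$SamAccountName'")
    }
    # Requirement 1b: the full name is split on commas, periods, dashes, underscores,
    # spaces, pound signs and tabs; no token of three or more characters may appear.
    $tokens = $DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 }
    foreach ($token in $tokens) {
        if ($Password.IndexOf($token, $ignoreCase) -ge 0) {
            $reasons.Add("contains part of the full name '$token'")
        }
    }

    # Requirement 3: characters from at least three of the four categories.
    # -cmatch is case-sensitive, so the upper- and lowercase classes stay distinct.
    # (The built-in Windows filter additionally counts other Unicode alphabetic
    # characters as a category of their own; this follows the four listed above.)
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # English uppercase
    if ($Password -cmatch '[a-z]')        { $categories++ }   # English lowercase
    if ($Password -match  '[0-9]')        { $categories++ }   # base 10 digits
    if ($Password -cmatch '[^A-Za-z0-9]') { $categories++ }   # non-alphanumeric
    if ($categories -lt 3) {
        $reasons.Add("only $categories of 4 character categories")
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample passwords for a fictitious account jsmith / "John Smith"
$samples = @(
    'password123',     # lowercase + digits only: two categories, rejected
    'Password123',     # upper + lower + digits, no name parts: compliant
    'JohnSmith2024!',  # four categories but contains the name token 'John'
    'Jsmith#9',        # contains the account name 'jsmith'
    'Ab1!'             # three categories but shorter than six characters
)
$samples | ForEach-Object {
    Test-PasswordComplexity -Password $_ -SamAccountName 'jsmith' -DisplayName 'John Smith'
} | Format-Table -AutoSize
```

The name check is deliberately case-insensitive and token-based rather than a simple substring test on the whole display name, because that is how the Windows filter behaves: "Smith-Jones" is split into two tokens, and a two-character token such as "Jo" is ignored.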

Once the requirements are defined, we can close the editor.

Select the OU where you want to apply your GPO. It can even be the root of your domain, but in my case, I will specifically select the Users OU.

Right-click and select Link an Existing GPO…

Select the GPO that was just created.

Now we’ll see that the GPO is linked to our OU.

That’s basically all the steps you need to follow to configure password policies within your domain.
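
The same create-and-link steps can be scripted, and, more usefully, the result can be checked rather than assumed. The PowerShell below is an added example, not part of the original post: it creates the GPO if it is missing, links it, and then reads back the password policy the domain actually enforces so you can compare it with the values chosen above. It assumes the RSAT GroupPolicy and ActiveDirectory modules, a GPO named `Password Policy`, and a minimum length of 8 (the post does not state one; treat that number as a placeholder). Two caveats the script encodes: the Password Policy values themselves live in the GPO's security template, which the GroupPolicy cmdlets do not edit, so they are still set in the editor as shown; and Account Policies settings govern domain accounts only from a GPO linked at the domain root (linked to an OU, they affect only the local accounts of computers in that OU), so the script links at the domain root rather than at the Users OU chosen in the walkthrough.

```powershell
# Added example (not from the original post): create, link and verify a
# domain password-policy GPO. Requires RSAT GroupPolicy + ActiveDirectory
# modules and permission to create and link GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Password Policy'            # assumed name; use the one you gave the GPO
$domain  = Get-ADDomain
$target  = $domain.DistinguishedName    # domain root, e.g. DC=corp,DC=example,DC=com

# Values chosen in the walkthrough; minimum length is a placeholder (not stated there)
$expected = [ordered]@{
    'Enforce password history'      = 24
    'Maximum password age (days)'   = 90
    'Minimum password age (days)'   = 30
    'Minimum password length'       = 8
    'Password must meet complexity' = $true
}

# 1. Create the GPO unless it already exists
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Domain password policy'
}
# The Password Policy settings are stored in the GPO's security template
# (GptTmpl.inf) and are configured in the Group Policy editor as shown above.

# 2. Link the GPO at the domain root, skipping if a link by that name exists
$links = (Get-GPInheritance -Target $target).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null
}

# 3. Read back what the domain enforces and compare with the intended values.
#    The PDC emulator applies the GPO at its next policy refresh, so run this
#    after that refresh (or after gpupdate /force on the PDC).
$policy = Get-ADDefaultDomainPasswordPolicy
$actual = [ordered]@{
    'Enforce password history'      = $policy.PasswordHistoryCount
    'Maximum password age (days)'   = $policy.MaxPasswordAge.Days
    'Minimum password age (days)'   = $policy.MinPasswordAge.Days
    'Minimum password length'       = $policy.MinPasswordLength
    'Password must meet complexity' = $policy.ComplexityEnabled
}
$expected.Keys | ForEach-Object {
    [pscustomobject]@{
        Setting  = $_
        Expected = $expected[$_]
        Actual   = $actual[$_]
        OK       = ($expected[$_] -eq $actual[$_])
    }
} | Format-Table -AutoSize

# 4. Keep an HTML report of the GPO for change records
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $env:TEMP "$gpoName.html")
```

If step 3 shows the domain still reporting the built-in values (42-day maximum age, for example) after the refresh, the usual cause is the link: a GPO linked only to an OU never changes the domain's password policy, however correct its settings are.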