AD and enforced password policies

Jimmy Hess mysidia at
Mon Jan 2 22:32:54 UTC 2012

On Mon, Jan 2, 2012 at 2:27 PM, Jones, Barry <BEJones at> wrote:

> I have a requirement to enforce password policies on AD (a TACACS and
> Windows domain). I don't have a great deal of Windows AD knowledge - so a
> newbie ;-) This is a little off topic, but I thought I'd ask...

This is very basic built-in functionality of AD that those maintaining an
AD implementation really ought to already be aware of. To implement it,
you edit or create the applicable group policy to apply a Password Policy in
the security section of that group policy's Computer Configuration at the
domain level, specify the minimum length, and either check the "Password
must meet complexity requirements" box or supply a custom filter.

My recommendation would be to not go too far with password policies.
Implement only the least restrictive requirements in AD to achieve the
best security benefit per unit of user annoyance; e.g. a minimum length
of 8 is a good choice. If you try to force users to pick a minimum of 15,
with complexity, and expire their password every 10 days, you'll actually
get users with simple passwords (or password sticky notes on the monitor).

The root cause of "easily guessable passwords" is not solely a lack of
technical restrictions. It's also lazy or limited-memory humans who need
passwords that they can remember.

Firstname1234! is very easy to guess, and meets complexity and the usual
length requirements.

There are password filters on the market that can perform a simple
dictionary check, which is a better check to perform than the number of
character classes. Use a custom password filter and a 30-minute
account lockout after the 3rd failed login attempt to prevent most
password guessing attacks. An event log monitoring tool should be
used to alert a sysadmin.

> Specifically, I need to enforce the use of length, special characters, and
> be able to validate the enforcement of such.

You can ensure the enforcement by putting the password policy into effect;
make sure it is enforced on all domain controllers. Then at a later
date check the "must change password at next login" checkbox for all users
you need to enforce against, and utilize the GPResult command for each user
to ensure that the policy is applied.

The last password change date will verify that the user has updated their
password since the time the policy went into effect.

Another thing to consider is to have user passwords expire once every 365
days, with checks to prevent reuse of previously used passwords; then
typical scripts to monitor applied policy and last password change times
can be utilized to verify compliance.
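
The "Firstname1234!" point above, as an added example that is not part of the original post. One caveat worth knowing: the built-in Windows complexity rule does reject a password containing the samAccountName or any display-name token of three or more characters, so a user whose display name is "Barry Jones" cannot pick Barry1234!; what it cannot catch is any other word plus digits plus a symbol (Spring2012!, P@ssw0rd). Test-WindowsComplexity below re-implements the documented built-in rule for illustration; Test-DictionaryRule is a constructed stand-in for a third-party dictionary filter, not a product, and the user, wordlist and candidate passwords are made-up sample data. It runs offline and needs no AD module.

```powershell
# Added example (not from the original post): why a word-plus-digits-plus-symbol
# password satisfies the Windows "Password must meet complexity requirements" rule
# while a simple dictionary/pattern filter rejects it.

function Test-WindowsComplexity {
    # Illustrative re-implementation of the documented built-in rule.
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName    = '',
        [int]$MinLength         = 8      # the separate "Minimum password length" setting
    )
    if ($Password.Length -lt $MinLength) { return $false }
    $lower = $Password.ToLower()
    # Rule 1: must not contain the account name ...
    if ($SamAccountName -and $lower.Contains($SamAccountName.ToLower())) { return $false }
    # ... or any display-name token of 3+ characters (Windows splits the display
    # name on commas, periods, dashes, underscores, spaces, pound signs and tabs).
    foreach ($token in ($DisplayName -split '[ ,.\-_#\t]+')) {
        if ($token.Length -ge 3 -and $lower.Contains($token.ToLower())) { return $false }
    }
    # Rule 2: characters from at least three of the five classes.
    $classes = 0
    if ($Password -cmatch '[A-Z]')         { $classes++ }   # uppercase A-Z
    if ($Password -cmatch '[a-z]')         { $classes++ }   # lowercase a-z
    if ($Password -match  '[0-9]')         { $classes++ }   # digits
    if ($Password -match  '[^\p{L}\p{N}]') { $classes++ }   # non-alphanumeric
    if ($Password -match  '\p{Lo}')        { $classes++ }   # other Unicode letters (approximation)
    return ($classes -ge 3)
}

function Test-DictionaryRule {
    # Constructed stand-in for a dictionary-checking password filter (not a product).
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$WordList   = @(),
        [string[]]$UserTokens = @()
    )
    # Strip the leading/trailing digits and symbols people bolt onto a word ...
    $core = $Password.ToLower() -replace '^[^a-z]+|[^a-z]+$', ''
    # ... undo the usual letter substitutions inside it, then keep letters only.
    $core = $core -replace '0','o' -replace '1','l' -replace '3','e' -replace '4','a' `
                  -replace '5','s' -replace '7','t' -replace '@','a' -replace '\$','s'
    $core = $core -replace '[^a-z]', ''
    $banned = @($WordList + $UserTokens | ForEach-Object { $_.ToLower() })
    return -not ($banned -contains $core)
}

# Constructed sample user and a tiny stand-in wordlist (a real filter uses a large one).
$user       = [pscustomobject]@{ SamAccountName = 'bjones'; DisplayName = 'Barry Jones' }
$userTokens = @($user.SamAccountName) + ($user.DisplayName -split '\s+')
$wordList   = 'password', 'welcome', 'letmein', 'spring', 'summer', 'autumn', 'winter'

foreach ($pw in 'Barry1234!', 'Spring2012!', 'P@ssw0rd', 'x7#Kq9!mLp2') {
    $complex = Test-WindowsComplexity -Password $pw -SamAccountName $user.SamAccountName -DisplayName $user.DisplayName
    $dict    = Test-DictionaryRule    -Password $pw -WordList $wordList -UserTokens $userTokens
    '{0,-12} complexity={1,-5} dictionary={2}' -f $pw, $complex, $dict
}
```

Run as written, Barry1234! fails both checks (the display-name token catches it), Spring2012! and P@ssw0rd pass the complexity rule but fail the dictionary rule, and only the random x7#Kq9!mLp2 passes both. The leet-substitution step is deliberately crude; a real filter would also check substrings and a far larger wordlist.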

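The verification procedure in the reply above (check the policy in effect, then find users whose last password change predates it and flag them for "must change password at next logon"), as an added example that is not part of the original post. It uses the Microsoft ActiveDirectory module cmdlets Get-ADDefaultDomainPasswordPolicy, Get-ADUser and Set-ADUser; the policy effective date and the sample accounts are assumptions, not data from the thread. Two practitioner caveats: only a GPO linked at the domain level sets the password and lockout policy for domain accounts (gpresult on a workstation confirms that GPO applied there), and a user covered by a fine-grained password policy (PSO) should be checked with Get-ADUserResultantPasswordPolicy instead of the domain default.

```powershell
# Added example (not from the original post): show the password/lockout settings in
# effect for domain accounts, then list enabled users whose password predates the
# policy or who are exempt from expiry. Needs the RSAT ActiveDirectory module to
# query a real domain; without it, constructed sample accounts let the logic run.

$PolicyEffectiveDate = Get-Date '2012-01-03'   # assumed date the password GPO was applied

function Get-NonCompliantUsers {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][datetime]$EffectiveDate
    )
    foreach ($u in $Users) {
        if (-not $u.Enabled) { continue }          # disabled accounts cannot log on
        $reasons = @()
        if (-not $u.PasswordLastSet) {
            # pwdLastSet = 0: "must change password at next logon" is already pending
            $reasons += 'change already pending'
        } elseif ($u.PasswordLastSet -lt $EffectiveDate) {
            $reasons += 'password predates policy'
        }
        if ($u.PasswordNeverExpires) {
            $reasons += 'PasswordNeverExpires bypasses MaxPasswordAge'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                PasswordLastSet = $u.PasswordLastSet
                Reason          = ($reasons -join '; ')
            }
        }
    }
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    # The settings that actually apply to domain accounts (set by the domain-level GPO).
    Get-ADDefaultDomainPasswordPolicy |
        Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge,
                    LockoutThreshold, LockoutDuration, LockoutObservationWindow
    $users = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires
} else {
    # Constructed sample accounts (not real data) so the check runs without a domain.
    $users = @(
        [pscustomobject]@{ SamAccountName = 'bjones';     Enabled = $true; PasswordLastSet = (Get-Date '2011-11-20'); PasswordNeverExpires = $false }
        [pscustomobject]@{ SamAccountName = 'jhess';      Enabled = $true; PasswordLastSet = (Get-Date '2012-01-04'); PasswordNeverExpires = $false }
        [pscustomobject]@{ SamAccountName = 'svc_backup'; Enabled = $true; PasswordLastSet = (Get-Date '2012-01-05'); PasswordNeverExpires = $true  }
        [pscustomobject]@{ SamAccountName = 'newhire';    Enabled = $true; PasswordLastSet = $null;                   PasswordNeverExpires = $false }
    )
}

$flagged = Get-NonCompliantUsers -Users $users -EffectiveDate $PolicyEffectiveDate
$flagged | Format-Table -AutoSize

# After reviewing the list, force the re-set the reply describes for the stale accounts:
# $flagged | Where-Object Reason -like '*predates*' |
#     ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true }
```

With the sample data, bjones is flagged because the password predates the policy, svc_backup because PasswordNeverExpires is set, and newhire because a change is already pending; jhess is compliant. Re-running the same report after the forced resets, and again as passwords approach the 365-day expiry, is the "typical script" the reply refers to.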

More information about the NANOG mailing list