{"id":281,"date":"2016-04-18T11:42:08","date_gmt":"2016-04-18T11:42:08","guid":{"rendered":"http:\/\/blog.anakage.co.in\/?p=281"},"modified":"2022-01-17T09:48:26","modified_gmt":"2022-01-17T09:48:26","slug":"password-is-expiring-behind-the-scenes","status":"publish","type":"post","link":"https:\/\/www.anakage.com\/blog\/password-is-expiring-behind-the-scenes\/","title":{"rendered":"password is expiring – behind the scenes"},"content":{"rendered":"

\"password\"<\/p>\n

Inside a fairly sized organisation all computers are connected to a domain using Active Directory which manages how computers\u00a0and users\u00a0should be organised, secured, connected. To maximize security the server admin does many tasks – Specifying how you should handle your password is one of them.<\/p>\n

Default Password Policies in Active Directory<\/strong><\/p>\n

There are many settings available ranging from how you can specify your password to how many days password should expire. In active directory password policies are shown\u00a0at\u00a0Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies.<\/strong>\u00a0The default Password Policy Settings are –<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Policy Setting<\/strong><\/td>\nDefault Setting Value<\/strong><\/td>\n<\/tr>\n
Enforce password history (number of unique new passwords that have to be associated with a user account before an old password can be reused)<\/td>\n24<\/td>\n<\/tr>\n
Maximum password age<\/td>\n42 days<\/td>\n<\/tr>\n
Minimum password age<\/td>\n1 day<\/td>\n<\/tr>\n
Minimum password length<\/td>\n7<\/td>\n<\/tr>\n
Password must meet complexity requirements<\/td>\nEnabled<\/td>\n<\/tr>\n
Store passwords using reversible encryption<\/td>\nDisabled<\/td>\n<\/tr>\n
Account lockout duration<\/td>\nNot de\ufb01ned<\/td>\n<\/tr>\n
Account lockout threshold<\/td>\n0<\/td>\n<\/tr>\n
Reset account lockout counter after<\/td>\nNot de\ufb01ned<\/td>\n<\/tr>\n
Enforce user logon restrictions<\/td>\nEnabled<\/td>\n<\/tr>\n
Maximum lifetime for service ticket<\/td>\n600 minutes<\/td>\n<\/tr>\n
Maximum lifetime for user ticket<\/td>\n10 days<\/td>\n<\/tr>\n
Maximum lifetime for user ticket renewal<\/td>\n7 hours<\/td>\n<\/tr>\n
Maximum tolerance for computer clock synchronization<\/td>\n5 minutes<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

What are Password Policies and How it Works<\/strong><\/p>\n

Users in a company are grouped into OU(Organisational Units) which are part of Domain. Password policies can be applied at Domain level and not OU. One of the misconception is that different OU can have different password policies which is not the case. All computers in domain will have same password policy. Server admins do it by below steps –<\/p>\n

    \n
  1. Create a new GPO<\/strong><\/li>\n
  2. Link it to the Domain<\/strong> Level<\/strong><\/li>\n
  3. Give it Higher<\/strong> Precedence<\/strong> than the Default<\/strong> Domain<\/strong> Policy<\/strong> in the Group Policy Management tool.<\/li>\n
  4. The settings in this new GPO will override the settings in the <\/span>Default Domain Policy<\/strong> due to the higher precedence.<\/span><\/li>\n<\/ol>\n

    Though recently multiple password policies can be applied\u00a0by using third-party product or using Fine-Grained Password Policies (FGPP) which does not use GPO mechanism to deployment of policies.<\/p>\n

    Known Facts about previous version of windows servers<\/strong><\/p>\n

      \n
    1. There was only one password policy applied for domain users in Active Directory domain.<\/li>\n
    2. For every user in the Active Directory which are located in the Security Account Manager aka SAM on a server, Default Domain policy always defines Password Policies by default.<\/li>\n
    3. Multiple Password policy was not possible to be configured for different users in the domain in an Organizational Unit aka OU.<\/li>\n<\/ol>\n

      Few tips for Server Admins for enforcing password policies to make it more secure<\/strong><\/p>\n