
Active Directory Account Policy

There are six different password policies in AD. They are as follows:

  • Enforce Password History: This setting determines how many new passwords must be set before an old password can be reused. It ensures that users do not keep reusing old passwords, which would render the Minimum Password Age policy setting useless.
  • Maximum Password Age: This setting determines the maximum number of days a password can be used. Once the maximum password age expires, users must change their password. It ensures that users don’t keep one password forever.
  • Minimum Password Age: This setting determines the minimum number of days a password must be in use before it can be changed. Users are allowed to change their password only after the minimum password age expires. It ensures that users don’t change their password too often.
  • Minimum Password Length: This setting determines the minimum number of characters a password must contain.
  • Passwords must meet complexity requirements: This setting determines whether passwords must meet the specified complexity requirements. The complexity requirements are:
    • The password does not contain the user’s account name or any part of the user’s full name that exceeds two consecutive characters
    • The password is at least six characters long
    • The password contains characters from at least three of the following four categories:
      • English uppercase characters (A – Z)
      • English lowercase characters (a – z)
      • Base 10 digits (0 – 9)
      • Non-alphanumeric characters (for example: $, #, or %)
  • Store passwords using reversible encryption: This security setting determines whether the password is stored using reversible encryption. If a password is stored using reversible encryption, it can be decrypted back to its plaintext form.
Six different Password Policies in Active Directory

You can learn more about AD password policies in this article.

What are Account Lockout Policies?

Account lockout policies define how an account is handled after failed logon attempts. They help limit brute-force and dictionary attacks against user passwords. There are three Account Lockout Policy settings. They are as follows:

  • Account Lockout Duration: This policy setting determines how long an account remains locked out after the defined number of failed logon attempts, before it is unlocked automatically.
  • Account Lockout Threshold: This policy setting determines the number of failed logon attempts after which the account is locked out.
  • Reset Account Lockout Counter After: This policy setting determines the duration after which the failed logon attempt counter is reset to 0.
The Three Account Lockout Policies in Active Directory

You can learn more about AD Account Lockout Policies in this article.

Fine-grained password policies

Account Policies are linked to domains using Group Policy Objects (GPOs). You can learn more about GPOs and how they function in this article. Only one Account Policy can be linked to a domain, and until Windows Server 2008 this was the only option. To let administrators enforce different policies for different sets of users, Microsoft introduced fine-grained password policies (FGPP) in Windows Server 2008. These policies are defined in Password Settings Objects (PSOs). FGPP is a derivative of Account Policies, so it includes not only the password policy settings but also the account lockout settings. You can learn more about FGPP in this article.
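The following PowerShell is an added example, not part of the original article: it audits the domain-wide policy for the weak settings discussed above, then creates one PSO that sets all six password settings and all three lockout settings, applies it to a group and confirms which policy wins for a member. It assumes the RSAT ActiveDirectory module, sufficient rights, and the hypothetical group "Tier0-Admins" and user "alice"; the baseline thresholds are example values, not recommendations from the article.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module
# and a hypothetical group "Tier0-Admins" / user "alice"; thresholds are illustrative.
Import-Module ActiveDirectory

# 1. Audit the single domain-wide Account Policy (the one a GPO links to the domain).
#    Each property corresponds to one of the nine settings described above.
$domain   = Get-ADDefaultDomainPasswordPolicy
$findings = @()
if ($domain.ReversibleEncryptionEnabled) { $findings += 'Reversible encryption is enabled (passwords recoverable in plaintext)' }
if (-not $domain.ComplexityEnabled)      { $findings += 'Complexity requirements are disabled' }
if ($domain.MinPasswordLength -lt 14)    { $findings += "MinPasswordLength is $($domain.MinPasswordLength)" }
if ($domain.PasswordHistoryCount -lt 24) { $findings += "PasswordHistoryCount is $($domain.PasswordHistoryCount)" }
if ($domain.MinPasswordAge.TotalDays -lt 1) { $findings += 'MinPasswordAge < 1 day lets users cycle through the history' }
if ($domain.LockoutThreshold -eq 0)      { $findings += 'LockoutThreshold is 0: accounts never lock out' }
$findings | ForEach-Object { Write-Warning $_ }

# 2. Define a PSO covering both the password policy and the account lockout policy.
$pso = @{
    Name                            = 'PSO-Tier0-Admins'        # hypothetical name
    Precedence                      = 10                        # lowest value wins if a user matches several PSOs
    # Password policy (six settings)
    PasswordHistoryCount            = 24
    MaxPasswordAge                  = New-TimeSpan -Days 60
    MinPasswordAge                  = New-TimeSpan -Days 1
    MinPasswordLength               = 15
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    # Account lockout policy (three settings)
    LockoutThreshold                = 5
    LockoutDuration                 = New-TimeSpan -Minutes 30
    LockoutObservationWindow        = New-TimeSpan -Minutes 30  # "Reset counter after"; must not exceed LockoutDuration
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @pso

# 3. PSOs apply to users and global security groups, not to OUs: bind it to the group.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'Tier0-Admins'

# 4. Verify the resultant policy for a member (the PSO, not the domain default, should be returned).
Get-ADUserResultantPasswordPolicy -Identity 'alice' |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount, LockoutThreshold, LockoutDuration
```

Run the audit block alone first; it only reads the policy, while step 2 onward changes the directory and should be reviewed in a test domain before production use.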