
Configuring Domain Password and Account Lockout Policies with Group Policy



In this lecture, we are going to set up our domain password policies.

This is something you will have to do if you work for a company that is security conscious. It prevents your users from using simple or insecure passwords within your domain. Some people are just not security conscious at all: they will use simple passwords, won't reset their passwords, and so on. That is understandable, since it is sometimes difficult for them, so we are going to configure the domain so that weak passwords are simply not an option.

Open Server Manager > Tools > Group Policy Management.

Note that if you select the Default Domain Policy and click on the Settings tab, we already have password policies configured by default in our domain.

So, if you create a new GPO for password settings, it is important to know that the Default Domain Policy is also configuring these same settings.

We are going to edit this policy. Right-click the Default Domain Policy and choose Edit.

Maximize the window and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.

Double click on Enforce password history. This setting remembers each user's previous 24 passwords and will not allow them to reuse any of those when they create a new password. We will leave it at the default, since 24 is already a secure value. Click on OK.

Double click Maximum password age. This is going to depend on your company. I see a lot of people requiring 30 days, some 60 days. We are going to set it to 60 days and click on OK.

Now, double click on Minimum password age. We are going to set this to 0, since we want our users to be able to reset their passwords immediately if they want to. For example, if they mistype their new password and want to create another one, you don't want them to be blocked from doing so.

Double click on Minimum password length. We are changing it to 14 characters. Some users will complain about the length, but 14 characters are much more secure than 7. Click on OK.

Double click on Password must meet complexity requirements. This must be set to Enabled. Click on OK.

Finally, Store passwords using reversible encryption. This should always be set to Disabled. Enabling it is almost the same as storing your passwords in cleartext.

Now let's click on Account Lockout Policy on the left pane.

If a user comes to their domain computer and types a bad password three times, it could be someone trying to guess the user's password rather than the actual authorized user. So what we want to do is lock the user account after a certain number of invalid logon attempts.

Account lockout duration is how long the user will be locked out. Define this setting as 15 minutes. Click on the Apply button and a pop-up will appear.

The Suggested Value Changes window suggests that we also specify the Account lockout threshold and the Reset account lockout counter after settings. These are the other two settings in the Account Lockout Policy. Basically, it is saying that we cannot configure Account lockout duration without specifying the other two settings as well.

Click on OK to accept these values, and OK to close the window.

Double click on the Account lockout threshold and set it to 3. So if a user types a password wrong 3 times, the account will be locked out.

Now, open the last setting Reset account lockout counter after. We will leave it at 15 minutes.
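The following PowerShell script is an added example and is not part of the Server Academy lesson. It reads the effective domain password and lockout policy (the values the Default Domain Policy GPO writes into the domain object) and compares each setting against the values chosen above, so you can confirm the GPO actually applied after a refresh. It assumes the ActiveDirectory module (RSAT) is installed and the session runs on a domain-joined machine; the $Expected table is a constructed sample that you would adjust to your own standard (for example, Maximum password age of 30 days instead of 60).

```powershell
# Added example (not from the lesson): audit the effective domain password and
# account lockout policy against the values configured in the Default Domain Policy.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Constructed expected values, matching the settings chosen in the lesson.
$Expected = [ordered]@{
    PasswordHistoryCount        = 24                           # Enforce password history
    MaxPasswordAge              = [TimeSpan]::FromDays(60)     # Maximum password age
    MinPasswordAge              = [TimeSpan]::Zero             # Minimum password age
    MinPasswordLength           = 14                           # Minimum password length
    ComplexityEnabled           = $true                        # Complexity requirements
    ReversibleEncryptionEnabled = $false                       # Reversible encryption
    LockoutDuration             = [TimeSpan]::FromMinutes(15)  # Account lockout duration
    LockoutThreshold            = 3                            # Account lockout threshold
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(15)  # Reset lockout counter after
}

function Test-DomainPasswordPolicy {
    param([System.Collections.IDictionary]$Expected)

    # Get-ADDefaultDomainPasswordPolicy returns the values currently stored on the
    # domain object (maxPwdAge, lockoutThreshold, ...), i.e. what is in effect now.
    $policy = Get-ADDefaultDomainPasswordPolicy

    foreach ($name in $Expected.Keys) {
        $actual = $policy.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            Status   = if ($actual -eq $Expected[$name]) { 'OK' } else { 'MISMATCH' }
        }
    }
}

# Any MISMATCH row means the GPO has not applied yet (run gpupdate /force on the
# PDC emulator) or a different value was saved in the policy editor.
Test-DomainPasswordPolicy -Expected $Expected | Format-Table -AutoSize
```

A related caveat: Set-ADDefaultDomainPasswordPolicy can write these same attributes directly, but because the Default Domain Policy GPO is reapplied on the PDC emulator during security policy refresh, values set that way are overwritten by whatever the GPO contains. Make the change in the GPO as the lesson does, and use the audit above to confirm it took effect.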


jerry.ebanks, 7 months ago

Do you have to use the Default Domain Policy to make the necessary password policy changes, or can you make your own and delete the default one?

Ricardo P (@ricardop), reply to jerry.ebanks, 7 months ago

Hi Jerry Ebanks

You can create a new GPO for the password policy. You don't necessarily need to use the Default Domain Policy. It is not suggested to delete the default one if you have another GPO in place.