Configuring Domain Password and Account Lockout Policies with Group Policy
Server Academy Members Only
Sorry, this lesson is only available to Server Academy Full Access members. Upgrade your plan to get instant access to this and many more premium courses. Click the Upgrade Plan button below to get started.
In this lecture, we are going to be setting up our Domain Password policies.
This is something you’re going to have to do if you work for a company that is very security conscious. It will prevent your users from using simple or unsecured passwords within your domain. Some people are just not security conscious at all and will use simple passwords, won't reset their passwords, etc. and it is understandable since it is difficult for them sometimes to be doing that. We are going to set this so that it is not an option for the users.
Open Server Manager > Tools > Group Policy Management.
Note that on the Default Domain Policy clicking on the Settings tab we have password policies already configured by default in our domain.
So, if you create a new GPO it is important for you to know that there is the Default Domain Policy that is also configuring these settings.
We are going to edit this policy. Right-click the Default Domain Policy and choose Edit.
Maximize the window and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy.
Double click on Enforce password history. This setting will remember our users' previous 24 passwords and will not allow them to reuse these passwords if they are creating a new password. We will leave it at the default since it is very much secure at that value. Click on OK.
Double click Maximum password age. This is going to depend on your company. I see a lot of people requiring 30 days, some 60 days. We are going to set it to 60 days and click on OK.
Now, double click on Minimum password age. We are going to set this to 0 since we like our users to be able to reset their passwords immediately if they want to. For example, if they type their password wrong, and they want to create a new one, you don’t want them to NOT be able to create a new one.
Double click on Minimum password length. We are changing it to 14 characters. Some users will complain about the length but 14 characters are more secure than 7. Click on OK.
Double click on Password must meet complexity requirements. This must be set to Enabled and click on OK.
And, Store passwords using reversible encryption. This should always be set to Disabled. Is almost the same if you store your passwords in cleartext.
Now let's click on Account Lockout Policy on the left pane.
If a user comes to their domain computer and they type a bad password three times, it could be someone trying to guess the user’s password, it might not be the actual authorized user. So what we want to do is lock the user account after a certain number of invalid login attempts.
Account lockout duration is how long the user will be locked out. Define this setting for 15 minutes. Click on the Apply button and a pop-up will appear.
The Suggested Value Changes window suggests that we specify the Account lockout threshold and the Reset account lockout counter after settings. These are the other two settings in the Account Lockout Policy. Basically, it is saying that we cannot configure Account lockout duration without specifying the other two settings.
Click on OK to accept these values, and OK to close the window.
Double click on the Account lockout threshold and set it to 3. So if a user types a password wrong 3 times then the account will be locked out.
Now, open the last setting Reset account lockout counter after. We will leave it at 15 minutes.
Server Academy Members Only
Want to access this lesson? Just sign up for a free Server Academy account and you'll be on your way. Already have an account? Click the Sign Up Free button to get started..