Password Policy Recommendations
Fine Grained Password Policy Settings
| Policy Setting | Standard User | Privileged User | Service Account |
|---|---|---|---|
| Account Lockout Duration | 30 Minutes | 0 (Indefinite) | 0 (Indefinite) |
| Account Lockout Threshold | 10 Attempts | 5 Attempts | 5 Attempts |
| Enforce Password History | 24 Passwords | 24 Passwords | 24 Passwords |
| Maximum Password Age | 90 Days | 60 Days | 120 Days |
| Minimum Password Age | 1 Day | 1 Day | 1 Day |
| Minimum Password Length | 15 Characters | 20 Characters | 30 Characters |
| Password Must Meet Complexity Requirements | Enabled | Enabled | Enabled |
| Reset Lockout Counter After | 30 Minutes | 60 Minutes | 60 Minutes |
| Store Passwords Using Reversible Encryption | Disabled | Disabled | Disabled |
| Scope | Domain Users | Domain Admins | Service-Accounts |
| Precedence | 3 | 2 | 1 |
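The table above expressed as Fine Grained Password Policy objects. This is an added example, not code from the original page: it uses the ActiveDirectory PowerShell module and assumes you run it as a Domain Admin, that the group Service-Accounts already exists as a global security group (PSO subjects must be users or global security groups; domain-local groups are silently ignored), and that the policy object names (PSO-StandardUsers and so on) are hypothetical.

```powershell
# Added example: create the three PSOs from the table and apply them to their scopes.
# Assumes the ActiveDirectory module, Domain Admin rights, and a pre-existing
# global security group named 'Service-Accounts'. Policy names are hypothetical.
Import-Module ActiveDirectory

$policies = @(
    @{ Name = 'PSO-StandardUsers';   Precedence = 3; Subject = 'Domain Users'
       LockoutDuration = '00:30:00'; LockoutObservationWindow = '00:30:00'; LockoutThreshold = 10
       MaxPasswordAge = '90.00:00:00';  MinPasswordLength = 15 },
    @{ Name = 'PSO-PrivilegedUsers'; Precedence = 2; Subject = 'Domain Admins'
       LockoutDuration = '00:00:00'; LockoutObservationWindow = '01:00:00'; LockoutThreshold = 5
       MaxPasswordAge = '60.00:00:00';  MinPasswordLength = 20 },
    @{ Name = 'PSO-ServiceAccounts'; Precedence = 1; Subject = 'Service-Accounts'
       LockoutDuration = '00:00:00'; LockoutObservationWindow = '01:00:00'; LockoutThreshold = 5
       MaxPasswordAge = '120.00:00:00'; MinPasswordLength = 30 }
)

foreach ($p in $policies) {
    $params = @{
        Name                            = $p.Name
        Precedence                      = $p.Precedence      # lower number wins when a user falls under several PSOs
        LockoutDuration                 = $p.LockoutDuration # '00:00:00' is the table's 0 (Indefinite): locked until an admin unlocks
        LockoutObservationWindow        = $p.LockoutObservationWindow  # "Reset Lockout Counter After"
        LockoutThreshold                = $p.LockoutThreshold
        PasswordHistoryCount            = 24
        MaxPasswordAge                  = $p.MaxPasswordAge
        MinPasswordAge                  = '1.00:00:00'       # must be shorter than MaxPasswordAge or AD rejects the object
        MinPasswordLength               = $p.MinPasswordLength
        ComplexityEnabled               = $true
        ReversibleEncryptionEnabled     = $false
        ProtectedFromAccidentalDeletion = $true
    }
    New-ADFineGrainedPasswordPolicy @params
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Subject
}

# Check which policy actually wins for a given account. A Domain Admin is also a
# member of Domain Users, so Precedence (2 beats 3) decides; expect PSO-PrivilegedUsers.
(Get-ADUserResultantPasswordPolicy -Identity 'jmantz-admin').Name
```

Run the last line for a member of each scope after deployment; an account that returns nothing is not covered by any PSO and falls back to the Default Domain Policy, which is the usual sign that it sits in a domain-local group or was never added to the intended global group.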
Settings Explained
Account Lockout Duration
The amount of time in minutes that the account stays locked in Active Directory after too many failed attempts. A value of 0 means the account remains locked until an administrator unlocks it, which is what the privileged and service account columns above specify.
Account Lockout Threshold
How many failed logon attempts are allowed before Account Lockout is triggered. The failure count is reset to zero once the Reset Lockout Counter After window has passed with no further failures.
Enforce Password History
How many previous passwords Active Directory remembers. With the value of 24 above, users cannot re-use any of their previous 24 passwords.
Maximum Password Age
How many days may pass before the password will expire.
Minimum Password Age
The minimum number of days that must pass before a user is allowed to change their password again. This setting is recommended to stop users from cycling through 25 password changes in a row to get back to their old password and bypass the Password History limit. This may sound unlikely, but it has been encountered multiple times in the real world, and some users will go to great lengths to avoid remembering a new password.
Considerations/Limitations of Minimum Password Age
❌ A password set by an administrator cannot be changed by the user for 24 hours unless "User must change password at next logon" is checked. That flag (pwdLastSet = 0) is the one case Windows exempts from the minimum password age, and only for that first change.
❌ Users cannot immediately change their password from Microsoft 365 Self-Service Password Reset (with writeback to on-premises AD) after an initial password has been set.
❌ User accounts created on day 1 of hire cannot change their assigned password until 24 hours have passed since creation, unless the flag above was set when the account was created.
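How a day-1 account can be onboarded under the 1-day minimum age, and a check that tells the helpdesk when a given user is next allowed to change their password. This is an added example and not code from the original page; it assumes the ActiveDirectory module and uses a hypothetical user jsmith. The rule it encodes (pwdLastSet = 0 bypasses the minimum age; otherwise the earliest change is pwdLastSet plus the resultant policy's MinPasswordAge) is documented Windows behaviour.

```powershell
# Added example: onboarding under a 1-day minimum password age.
# Assumes the ActiveDirectory module; 'jsmith' is a hypothetical account.
Import-Module ActiveDirectory

# -ChangePasswordAtLogon stores pwdLastSet = 0. Windows treats that as "never set",
# so the forced first change is allowed immediately despite the 1-day minimum age.
New-ADUser -Name 'jsmith' -SamAccountName 'jsmith' -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') `
    -ChangePasswordAtLogon $true

function Test-ADPasswordChangeAllowed {
    # Reports whether the user may change their password now and, if not, when.
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties pwdLastSet
    if ($user.pwdLastSet -eq 0) {
        return [pscustomobject]@{
            User = $Identity; CanChangeNow = $true; EarliestUtc = $null
            Reason = 'must change at next logon: minimum age does not apply to the first change'
        }
    }

    # A user with no PSO falls back to the Default Domain Policy.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    $lastSet  = [DateTime]::FromFileTimeUtc($user.pwdLastSet)   # pwdLastSet is a FILETIME
    $earliest = $lastSet + $policy.MinPasswordAge
    $nowUtc   = (Get-Date).ToUniversalTime()

    [pscustomobject]@{
        User         = $Identity
        CanChangeNow = ($nowUtc -ge $earliest)
        EarliestUtc  = $earliest
        Reason       = "minimum password age $($policy.MinPasswordAge) from last set $lastSet UTC"
    }
}

Test-ADPasswordChangeAllowed -Identity 'jsmith'
```

If a helpdesk reset is needed on the same day, `Set-ADAccountPassword -Reset` followed by `Set-ADUser -ChangePasswordAtLogon $true` reproduces the day-1 state and lets the user pick their own password without waiting out the 24 hours.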
Minimum Password Length
This is the minimum number of characters a password must contain to be accepted by Active Directory. These minimums are based on real-world scenarios and other considerations such as preventing LAN Manager (LM) hashes from being stored: Windows cannot compute an LM hash for a password longer than 14 characters, which is why 15 is the floor for standard users. More information can be found here.
Password Must Meet Complexity Requirements
This is a built-in setting for Active Directory that dictates requirements for a password. A full explanation from Microsoft can be found here.
Reset Lockout Counter After
The amount of time that must pass with no failed authentications before the failure count is reset to zero. This works together with the Account Lockout Threshold setting. For example, if the privileged account jmantz-admin has four failed authentications within a 60 minute window, a fifth failed authentication locks the account, and because Account Lockout Duration is 0 for privileged users it stays locked until an administrator unlocks it. 60 minutes must pass after the last failed authentication for the counter to return to zero.
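A small model of how the threshold, the observation window ("Reset Lockout Counter After") and the lockout duration interact, run over constructed failure timestamps. This is an added example, not code from the original page, and it makes no AD calls: the function mirrors the behaviour described above so the jmantz-admin case and its near-miss can be compared side by side.

```powershell
# Added example: simulate the lockout counter over a list of failure times.
# Pure logic, no directory access; timestamps below are constructed.
function Get-LockoutState {
    param(
        [Parameter(Mandatory)][datetime[]]$FailureTimes,   # ascending order
        [Parameter(Mandatory)][int]$Threshold,             # Account Lockout Threshold
        [Parameter(Mandatory)][timespan]$ObservationWindow,# Reset Lockout Counter After
        [Parameter(Mandatory)][timespan]$LockoutDuration   # 0 = locked until an admin unlocks
    )
    $count = 0; $lastFailure = $null; $lockedAt = $null

    foreach ($t in $FailureTimes) {
        if ($lockedAt) {
            # A finite duration lets the account unlock itself; 0 never does.
            if ($LockoutDuration -gt [timespan]::Zero -and $t -ge ($lockedAt + $LockoutDuration)) {
                $lockedAt = $null; $count = 0
            } else {
                continue   # still locked: further failures change nothing
            }
        }
        # No failure inside the observation window since the last one: counter resets.
        if ($lastFailure -and ($t - $lastFailure) -ge $ObservationWindow) { $count = 0 }
        $count++; $lastFailure = $t
        if ($count -ge $Threshold) { $lockedAt = $t }
    }

    [pscustomobject]@{
        Locked   = [bool]$lockedAt
        LockedAt = $lockedAt
        Count    = $count
    }
}

$base = Get-Date '2024-01-01 09:00'
$privilegedPolicy = @{ Threshold = 5; ObservationWindow = '01:00:00'; LockoutDuration = '00:00:00' }

# Five failures ten minutes apart: the fifth locks the account, and with a
# duration of 0 it stays locked (Locked = True, LockedAt = 09:40).
Get-LockoutState -FailureTimes (0..4 | ForEach-Object { $base.AddMinutes($_ * 10) }) @privilegedPolicy

# The same five failures 61 minutes apart: each one arrives after the window has
# expired, the counter never exceeds 1, and the account is never locked.
Get-LockoutState -FailureTimes (0..4 | ForEach-Object { $base.AddMinutes($_ * 61) }) @privilegedPolicy
```

The second run is the detail worth remembering when reviewing lockout events: a slow password spray paced just outside the observation window never trips the threshold, so lockout counts alone are not a reliable indicator that guessing has stopped.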
Store Passwords Using Reversible Encryption
Stores the password using encryption methods that can be reversed and reveal the plaintext password. This option should never be enabled.