How to set up the key components of a password policy in Active Directory
Once you’ve planned out a new password policy, it’s time to put it into practice by setting the right configurations within your Active Directory. If you’re still at the planning stage, we’d recommend checking out our strategy tips for planning a password policy. But if you’re looking for some pointers on where to set up policy components, you’re in the right place. We’ll show you where to set them in your default Active Directory tools and also where to configure them if you’re using Specops Password Policy.
These steps come from our recent report: ‘How to deploy a password policy in Active Directory: End-to-end guide’. As well as configuration help, you’ll get planning tips, advice for a smooth deployment, and guidance on end user communication. Download the full report here.
Setting up password policy key components
We’ll walk you through how to configure the following password policy key components. This list isn’t exhaustive, but these are five settings we’d expect almost every password policy to cover:
- Password length
- Password complexity
- Password banning
- Password expiration
- Password history
Password length
Longer passwords are much harder to crack through brute force techniques. We’d recommend going well above the standard eight characters used by many organizations – lengths of 15 and above are best. Encouraging end users to create passphrases is the best way to get strong passwords that are still easy to remember.
Within Active Directory you can set your baseline length for all users using Group Policy here:
And if you wish to have different lengths applying to subsets of users (defined by security groups) you can use Fine Grain Password Policy (FGPP) – this is configured using Active Directory Administrative Center (ADAC):
Here’s where to set password length within Specops Password Policy:
Or here if you’re going to be using passphrases:
Password complexity
Adding complexity requirements greatly increases the possible character combinations. An MD5-hashed password of 15 characters made up of numbers, upper case letters, lower case letters, and symbols, would take 22.7 billion years to crack. However, an equally complex password of eight characters would take just three hours to crack – so it’s important to combine length and complexity.
There’s no granular control over “complexity” within Microsoft Group Policy or Fine Grain Password Policy settings. It can only be switched on or off, and “on” means:
- 3 out of the 5 different character types (upper case, lower case, digits, special and Unicode)
- Must not contain your username (first, last, displayname or sAMAccountName)
Group Policy:
Fine Grain Password Policy:
Here’s where to set bespoke password complexity within Specops Password Policy:
Passphrases typically don’t use complexity, instead the length provides the strength. However, you can use regular expressions to create your organization’s own definition of a passphrase:
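The two-part Microsoft complexity rule listed above, and a regex-based passphrase definition of the kind just described, as an added PowerShell example that is not from the original post. It is a local pre-check you might run in a self-service tool; the domain controller still enforces its own copy of the rule, and the function name, parameters, passphrase pattern and sample inputs are all assumptions.

```powershell
# Added example: local re-implementation of the Microsoft "complexity on" rule
# (3 of 5 character categories, no username/display-name tokens) plus a
# regular expression that defines what this organization calls a passphrase.
function Test-MicrosoftComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = ''
    )
    # Rule 1: at least 3 of the 5 categories must be present. -cmatch is used
    # because .NET's case-insensitive matching blurs \p{Lu} and \p{Ll}.
    $categories = @(
        ($Password -cmatch '\p{Lu}'),              # upper case
        ($Password -cmatch '\p{Ll}'),              # lower case
        ($Password -cmatch '\d'),                  # digits
        ($Password -cmatch '[^\p{L}\p{N}\s]'),     # special (punctuation, symbols)
        ($Password -cmatch '[\p{Lo}\p{Lt}\p{Lm}]') # other Unicode letters (e.g. CJK)
    )
    $count = @($categories | Where-Object { $_ }).Count
    if ($count -lt 3) { return $false }

    # Rule 2: must not contain the sAMAccountName (when 3+ chars) or any
    # display-name token of 3+ chars, compared case-insensitively. Tokens are
    # split on the delimiters Windows uses (space, comma, period, dash,
    # underscore, hash, tab).
    $lower = $Password.ToLowerInvariant()
    if ($SamAccountName.Length -ge 3 -and $lower.Contains($SamAccountName.ToLowerInvariant())) {
        return $false
    }
    foreach ($token in ($DisplayName -split '[ ,.\-_#\t]+')) {
        if ($token.Length -ge 3 -and $lower.Contains($token.ToLowerInvariant())) {
            return $false
        }
    }
    return $true
}

# Assumed passphrase definition: three or more words of four or more letters,
# separated by single spaces, at least 20 characters in total.
$PassphrasePattern = '^(?=.{20,}$)(?:\p{L}{4,} ){2,}\p{L}{4,}$'

# Constructed checks: a mixed-category password, one that embeds a
# display-name token, and two candidate passphrases of different lengths.
Test-MicrosoftComplexity -Password 'Summer2024!'  -SamAccountName 'jdoe' -DisplayName 'Jane Doe'
Test-MicrosoftComplexity -Password 'JaneDoe2024!' -SamAccountName 'jdoe' -DisplayName 'Jane Doe'
'correct horse battery staple' -cmatch $PassphrasePattern
'short words here' -cmatch $PassphrasePattern
```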
Password banning
You can choose to ban certain lists of known breached passwords. With some tools, it’s also possible to create custom dictionaries of words specific to your organization or industry. For example, company or product names that end users might be tempted to use.
Unfortunately, this password policy key component cannot be configured within the standard Microsoft AD toolset. Here’s where to ban specific sets of passwords within Specops Password Policy:
Password expiration
Previous guidance suggested organizations require password changes every 60, 90, or 120 days. However, this often leads to users changing ‘Password1’ to ‘Password2’. Consider the best password change cycle for your organization – there’s some more info on password expiry best practices here.
Don’t forget that Specops Password Policy also allows you to reward users who set longer passwords by granting longer expiry times. We call this length-based password aging. In the example below, you can see that although this policy still allows shorter passwords, longer passwords of 15-19 characters are rewarded with a 1-year expiry, and if a user chooses a passphrase of 20+ characters it will only expire if the password becomes breached.
Here’s how to set up password expiration and length-based aging within Specops Password Policy:
Microsoft has no concept of length-based aging, but you can configure different expiry times per policy: the Group Policy expiry defines your global setting, and Fine Grain Password Policy can then apply a different expiry time to another group of users.
Group Policy:
Fine Grain Password Policy:
Password history
Password history determines the number of unique passwords a user must use before they can use an old password again. This is an important setting because of password reuse and its knock-on risks.
You can set password history within Group Policy:
And also with Fine Grain Password Policy:
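The Microsoft side of all five components above (length, complexity, expiration, history, plus the baseline-versus-subset split between Group Policy and Fine Grain Password Policy), as an added PowerShell example that is not from the original post. It assumes the ActiveDirectory module from RSAT on a domain-joined admin workstation; the policy name, precedence, values, the group 'PrivilegedUsers' and the account 'jdoe' are assumptions.

```powershell
# Added example: configure the Default Domain Policy baseline and one
# Fine-Grained Password Policy (PSO) for a subset of users, then verify which
# policy a given user actually gets.
Import-Module ActiveDirectory

# 1. Domain-wide baseline (what the Group Policy screenshots set).
#    Length 15 keeps us well above eight; complexity "on" is the 3-of-5 rule.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -MinPasswordAge (New-TimeSpan -Days 1)

# 2. Stricter PSO for members of the assumed security group 'PrivilegedUsers'.
#    If a user falls under several PSOs, the lowest Precedence value wins.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO-Privileged' `
    -Precedence 10 `
    -MinPasswordLength 20 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -PassThru
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects 'PrivilegedUsers'

# 3. Verify the resultant policy for an assumed account. An empty result means
#    no PSO applies and the Default Domain Policy is in effect for that user.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                  PasswordHistoryCount, MaxPasswordAge
```

Setting the minimum password age to at least one day matters alongside history: without it a user can cycle through 24 changes in a minute and land back on the old password.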
Here’s how to set up password history within Specops Password Policy:
Make sure you can check for compromised passwords
Password policies can stop the creation of weak passwords, but strong passwords can be compromised too. Our research found that 83% of compromised passwords actually satisfied most regulatory standards. These passwords may have been compromised by phishing attacks, stolen by malware, or breached through password reuse (for example, an employee reuses their work Active Directory password on a dodgy personal site that becomes breached). Some tools check against lists of breached passwords during expiry or reset events, though this might not be enough.
A tool such as Specops Password Policy with Breached Password Protection offers a continuous scan feature that checks all your Active Directory passwords against our Breached Password Protection API for compromise once a day. This protects against the use of more than 4 billion unique known compromised passwords.
The database includes password data from known leaks, our own honeypot system that collects passwords being used in real password spray attacks, and stolen credentials obtained by malware. Interested to learn more? Try Specops Password Policy for free.
Found the recommendations in this blog helpful? Read the full report ‘How to deploy a password policy in Active Directory: End-to-end guide’ here.
(Last updated on November 6, 2024)