Flexible Security For Your Peace of Mind

Inconsistencies in Password Settings

(Last updated on February 5, 2021)

I have had a couple of customers baffled when their default domain policy has one set of password settings but there is a different set of password settings listed for the Default Domain Policy when they look Specops Password Policy Domain Administration tool.

In situations where I’ve seen this the customer had renamed the Default Domain Policy to another name, i.e. Company X’s Default Domain Policy or they un-linked the Default Domain Policy, created their own and linked it at the top of the domain.

In trying to sort this out, we were able to pinpoint the problem by the GUIDs. The ones created during the initial dcpromo of a domain are:

Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Default Domain Controllers Policy {6AC1786C-016F-11D2-945F-00C04fB984F9}

Keep these handy if you are ever trying to track that down.

That was part one of the mystery. The second part was tracking down where Specops Password Policy is reading the Default Domain Policy settings. Once we tracked down the old Default Domain Policy by the GUID, it still didn’t match what was showing in the Specops Password Policy Domain Administration tool.

It turns out that the actual values for the default domain password policy are stored in the domain object not in the group policy object. To find and edit these values go into Active Directory Users and Computers and turn on Advanced View. Right click on the domain and select Properties:

AD password policy properties

The attributes you want are:

maxPwdAge – Maximum Password Age
minPwdAge – Minimum Password Age
minPwdLength – Minimum Password Length
lockOutObservationWindow – Maximum time internal between two unsuccessful login attempts before the number of unsuccessful login attempts is reset to 0.
lockoutDuration – Length of time that an account is locked after the number of failed login attempts exceeds the lockout threshold
lockoutThreshold – Number of unsuccessful login attempts that are permitted before an account is locked out.
pwd-Properties – (should be empty unless complexity is turned on then it should be 1)

Correcting these attributes solved the problem and the Specops Password Policy was looking at the right Default Domain Policy Settings. As always, use caution when making changes to your Active Directory.

Tags: , ,

Back to Blog