
How to check password requirements in Active Directory

Active Directory (AD), through its Group Policy Object (GPO), offers default domain password policies and fine-grained password policies to enforce requirements for the passwords being created and ensure that they're complex and strong enough to thwart a breach. A default domain password policy governs all the users in a single domain, while fine-grained password policies can be granularly created for multiple groups in a domain.

The Active Directory domain Group Policy password policy consists of the following eight settings:

  • Password history: Set the number of new passwords that must be used before an old password can be reused.
  • Maximum password age: Specify the maximum length of time that a password can be used before a change is mandated.
  • Minimum password age: Set the minimum length of time that a password has to be used before it can be changed.
  • Minimum password length: Mandate the minimum number of characters that the password must contain.
  • Passwords must meet complexity requirements: The following rules must be complied with to satisfy this setting:
    • Must not contain the user’s account name or parts of the user’s full name exceeding two consecutive characters in common.
    • Must be at least six characters in length.
    • Must contain numbers and symbols with either or both uppercase letters and lowercase letters.
  • Store passwords using reversible encryption: Allow passwords stored via encryption to be decrypted.
  • Minimum password length audit: Determine the minimum password length to generate a warning and not allow short passwords.
  • Relax minimum password length limits: Control whether the highest limit of the minimum password length setting can be increased beyond the legacy limit of 14.

How do you check the Active Directory password requirements for a user?

Windows PowerShell offers the quickest way to view the password requirements applicable for a user through its cmdlets in the Active Directory module. Here are the two cmdlets that display the default domain password policy, and the fine-grained password policy applied to a domain:

  • Get-ADDefaultDomainPasswordPolicy: Displays the default domain password policy governing the user account.
  • Get-ADFineGrainedPasswordPolicy: Displays the fine-grained password policy governing the user account.
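
One way to resolve which of the two policies governs a given account and review its settings, as an added example that is not part of the original page or of any vendor's code. It assumes the ActiveDirectory module's Get-ADUserResultantPasswordPolicy cmdlet (not named above), a review threshold of 14 characters, and a hypothetical account name `jdoe`; the sample policy object is constructed so the review function can be tried without a domain.

```powershell
# Added example: resolve and review the password policy that governs one user.
# Querying a live domain requires the ActiveDirectory module (RSAT).

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$Identity)
    Import-Module ActiveDirectory -ErrorAction Stop
    # A fine-grained policy, when one applies to the user, overrides the domain default.
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($fgpp) { return $fgpp }
    Get-ADDefaultDomainPasswordPolicy
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)]$Policy,
        [int]$MinLength = 14   # assumed review threshold (the legacy length limit)
    )
    $findings = @()
    if ($Policy.MinPasswordLength -lt $MinLength) {
        $findings += "Minimum password length is $($Policy.MinPasswordLength), below $MinLength"
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'Complexity requirements are disabled'
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'Reversible encryption is enabled'
    }
    if ($Policy.PasswordHistoryCount -eq 0) {
        $findings += 'Password history is not enforced'
    } elseif ($Policy.MinPasswordAge -eq [TimeSpan]::Zero) {
        $findings += 'Minimum password age is 0, so users can cycle through the history at once'
    }
    $findings
}

# Constructed sample using the property names the policy cmdlets return.
$sample = [pscustomobject]@{
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $true
    PasswordHistoryCount        = 24
    MinPasswordAge              = [TimeSpan]::Zero
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
}
Test-PasswordPolicy -Policy $sample

# Against a live domain ('jdoe' is a hypothetical account name):
# Test-PasswordPolicy -Policy (Get-EffectivePasswordPolicy -Identity 'jdoe')
```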

Limitations of the generic Active Directory password policies

The password policies offered by Active Directory are quite rudimentary. Creating passwords using PowerShell is a manual process, and prone to human error. Also, PowerShell-created passwords cannot withstand modern password breach techniques. Invoking PowerShell every time the user wants to view the password policy requirements can be quite a tedious process.

ManageEngine ADSelfService Plus, an identity security solution with multi-factor authentication, single sign-on, and self-service password management capabilities, offers advanced Active Directory password requirements that provide advantages over standard Active Directory password policies:

  • The password policy can be applied to specific organizational units as well as domains and groups.
  • Dictionary words, patterns, and palindromes can be restricted.
  • Unicode characters can be mandated.
  • Repetition of the same character consecutively, and strings of characters from old passwords and usernames can be banned.
  • A minimum number of characters can be enforced for particular character types.

These advanced password complexity requirements can be applied to:

  • Password changes using the Ctrl+Alt+Del screen
  • Password reset by IT admins using the Active Directory Users and Computers portal
  • Self-service password resets and web-based password changes for Active Directory and enterprise applications using the ADSelfService Plus portal

This solution also provides the option to display the password policy created during the above password change and reset instances. This way, users are made aware of the password requirements they must adhere to when creating the password.

Password complexity requirements are not the only solution to securing digital identities. Password theft through methods like phishing has become more common, and verifying digital identities cannot solely depend on credentials. Multi-factor authentication is an important solution that ensures user identities do not succumb to credential thefts and attacks. ADSelfService Plus offers multi-factor authentication using 19 different authentication methods, including biometric authentication, time-based one-time password, and hardware authentication. Multi-factor authentication can be applied during logins into endpoints such as machines, virtual private networks, Outlook Web Access, and cloud applications. It is also used to secure self-service password resets and web-based password changes using the product.

Highlights of ADSelfService Plus

Password self-service

Allow Active Directory users to self-service their password resets and account unlock tasks, freeing them from lengthy help desk calls.

One identity with single sign-on

Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Active Directory credentials.

Password and account expiry notification

Notify Active Directory users of their impending password and account expiry via email and SMS notifications.

Password synchronization

Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.

Password policy enforcer

Strong passwords resist various hacking threats. Require Active Directory users to use compliant passwords by displaying password complexity requirements.

Directory self-update and corporate directory search

Enable Active Directory users to update their latest information themselves. Quick search features help admins scout for information using search keys like contact numbers.
