Active Directory Account Policy

What you will learn:

Active Directory has a strong authentication mechanism, Kerberos, that prevents malicious intruders from gaining access to resources within the network. However, this mechanism alone is not sufficient to ensure the safety of information. For example, an attacker could compromise a user account with a weak password, or an insider could misuse the network's resources. Hence, Active Directory has numerous policies that can be configured. These policies tackle various management and security aspects of the network. In this article, we will take a look at one set of policies called Active Directory Account Policies. We will dive into what Account Policies are and how they are classified.

What are Active Directory Account Policies?

Active Directory (AD) Account Policies are a set of policies associated with the authentication mechanism of user and computer accounts. Until Windows Server 2008, there could only be one Account Policy for a domain, and all users and computers within that domain had to adhere to the Account Policy configured for the domain. One exception is when an Account Policy is associated with an OU within the domain. In such cases, the user and computer objects within that OU adhere to the AD Account Policies associated with their parent OU.

Classification of AD Account Policies:

Account Policies are classified into two categories: Password Policies and Account Lockout Policies. They are described below.

What are Password Policies?

Password Policies are a set of policies that determine how a password must be set for an AD user account. Depending on the configuration, the Password Policies can be set to be either stringent or lenient, but it is better to have stronger password policies so that it is not easy for an attacker to guess passwords.

There are six different password policies in AD. They are as follows:

(Figure: Six different Password Policies in Active Directory)

You can learn more about AD password policies in this article.

What are Account Lockout Policies?

Account Lockout Policies are a set of policies that define how an account should be handled after failed logon attempts. This policy comes in handy against brute-force or dictionary attack attempts. There are three Account Lockout Policy settings. They are as follows:

(Figure: The Three Account Lockout Policies in Active Directory)

You can learn more about AD Account Lockout Policies in this article.

Fine-grained password policies:

The Account Policies are linked to domains using Group Policy Objects (GPOs). You can learn more about GPOs and how they function in this article. As mentioned earlier, only one Account Policy setting could be linked to a domain, and this was the case until the introduction of Windows Server 2008. To allow administrators to enforce different policies on different sets of users, Microsoft introduced a new functionality called fine-grained password policies (FGPP) in Windows Server 2008. These policies are defined in what are called Password Settings Objects (PSOs). FGPP is a derivative of Account Policies, which means it includes not only Password Policies but also Account Lockout Policies. You can learn more about FGPP in this article.

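To make the PSO mechanism concrete, here is an added PowerShell example (not part of the original article) that shows the domain-wide Account Policy, creates a PSO carrying both password and lockout settings for a privileged group, and then verifies which policy each member actually receives. It assumes the ActiveDirectory module is installed and the group name, PSO name and setting values are placeholders chosen for illustration.

```powershell
# Added example, not from the article. Requires the ActiveDirectory (RSAT) module
# and rights to create objects in the Password Settings Container.
# $GroupName and $PsoName are assumed names; the numeric values are illustrative.
Import-Module ActiveDirectory

$GroupName = 'Tier0-Admins'        # assumed global security group that needs a stricter policy
$PsoName   = 'PSO-Tier0-Admins'    # assumed PSO name

# 1. Show the single domain-wide Account Policy (what every account gets by default).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Create a PSO. FGPP covers both password and lockout settings, so both are set here.
#    When a user is covered by several PSOs, the lowest Precedence value wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 20 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
        -ProtectedFromAccidentalDeletion $true `
        -Description 'Stricter password and lockout settings for Tier 0 administrators'
}

# 3. Apply the PSO to the group. PSOs can target users and global security groups, not OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# 4. Verify the resultant policy per member. An empty result means no PSO applies and
#    the account is still governed by the domain Account Policy shown in step 1.
$domainDefault = Get-ADDefaultDomainPasswordPolicy
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $rsop = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User         = $_.SamAccountName
            EffectivePSO = if ($rsop) { $rsop.Name } else { '(domain default)' }
            MinLength    = if ($rsop) { $rsop.MinPasswordLength } else { $domainDefault.MinPasswordLength }
            Lockout      = if ($rsop) { $rsop.LockoutThreshold } else { $domainDefault.LockoutThreshold }
        }
    } | Format-Table -AutoSize
```

Step 4 is the check worth repeating after any group membership change, because a member removed from the group silently falls back to the domain default.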