Active Directory Password Policies – when does a password policy change affect a user?

___________________________________________________________________________________________________________________________

IMPORTANT ANNOUNCEMENT FOR OUR READERS!

AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!

__________________________________________________________________________________________________________________________

I’m back! Dougga here again with yet ANOTHER password policy post. You would think I was done with this topic; hopefully this is the last one on it for a while. MarkMoro, whom you may know from this blogosphere, conveyed a question to me from one of our readers about password policy application and how quickly users get the policy. That was an awesome question that sparked some chatter between a couple of us PFEs, and also sent me to my lab and to http://bing.com.

There are a ton (and I mean a ton) of articles, discussions, blogs, opinions, etc. on the subject of password policies. But not one of them says “This is it!” for this question. Probably the most helpful article for me is the TechNet article Enforcing Strong Password Usage Throughout Your Organization, which states:

“There can be only a single password policy for each account database. An Active Directory domain is considered a single account database, as is the local account database on standalone computers.”

My revelation here is that it isn’t so much about the group policy or the fine-grained password policy (FGPP) as it is about what the domain stores and the attributes of the user object, in particular msDS-ResultantPSO (for FGPP).

The answer to “When is the user impacted?” is best given as “As soon as the user interacts with a setting.” But it isn’t that simple, because each setting behaves differently.

As soon as the user account has access to the account policy (not the GPO), the settings are available. The user is not reading the GPO for the password policy; the machine is. The settings actually come from the user's attributes (to find the FGPP, if one applies) and otherwise from the domain password policy that the PDCe wrote to the domain (aka the account database). Read my post “Fun and games with password policies.”

What is probably most confusing is when a change actually impacts the user. For example, if you change the minimum password length from 6 to 8 characters, the user will not notice until the password is changed, and may not notice at all if they already use 8-character or longer passwords.

There are two timings here:

1) Immediate impact (sort of: the user may not notice unless the password expires)

2) At next password change

From my testing, these settings can be seen by the user without logon, logoff, reboot, or GPO refresh. As soon as the policy is written and replicated (FGPP or domain policy), changes to the following settings are in effect and can impact the user immediately or very soon:

  • Minimum password age
  • Maximum password age
  • Lockout duration
  • Lockout threshold
  • Observation window

These settings are also in effect immediately, but users are not impacted until a password change occurs:

  • Minimum password length
  • Password must meet complexity requirements
  • Reversible encryption
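As an added example (not from the original post), here is a PowerShell check of what the post describes: it reads the user's msDS-ResultantPSO to find the governing FGPP, falls back to the domain policy stored in the account database, and then evaluates the "immediate" settings (maximum age, lockout) against the user's own attributes. It assumes the ActiveDirectory module and a reachable DC; the account name is a placeholder.

```powershell
# Added example: which password policy governs a user right now, and which of its
# settings already bite. Not the post's own code; 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

$sam  = 'jdoe'
$user = Get-ADUser -Identity $sam -Properties PasswordLastSet, PasswordNeverExpires,
        'msDS-ResultantPSO', LockedOut, badPwdCount, LastBadPasswordAttempt

# Resultant policy: the PSO named in msDS-ResultantPSO if one applies, otherwise the
# domain password policy that the PDCe wrote to the domain head (the account database).
$pso = $user.'msDS-ResultantPSO'
if ($pso) {
    $policy = Get-ADFineGrainedPasswordPolicy -Identity $pso
    $source = "FGPP $pso"
} else {
    $policy = Get-ADDefaultDomainPasswordPolicy
    $source = 'domain password policy (no PSO applies)'
}

"Effective policy for $sam comes from: $source"
"  MinPasswordLength          : $($policy.MinPasswordLength)       (checked at next change)"
"  ComplexityEnabled          : $($policy.ComplexityEnabled)       (checked at next change)"
"  ReversibleEncryptionEnabled: $($policy.ReversibleEncryptionEnabled) (checked at next change)"
"  MinPasswordAge             : $($policy.MinPasswordAge)          (immediate)"
"  MaxPasswordAge             : $($policy.MaxPasswordAge)          (immediate)"
"  LockoutThreshold           : $($policy.LockoutThreshold)        (immediate)"
"  LockoutDuration            : $($policy.LockoutDuration)         (immediate)"
"  LockoutObservationWindow   : $($policy.LockoutObservationWindow) (immediate)"

# Maximum password age is effective as soon as the policy replicates: a password older
# than the new limit is already expired, even though the user has not logged off.
if ($user.PasswordNeverExpires) {
    "  Password age: account is flagged PasswordNeverExpires; MaxPasswordAge is ignored"
} elseif ($policy.MaxPasswordAge -gt [TimeSpan]::Zero -and $user.PasswordLastSet) {
    $expires = $user.PasswordLastSet + $policy.MaxPasswordAge
    if ($expires -lt (Get-Date)) {
        "  Password set $($user.PasswordLastSet) EXPIRED on $expires under the current policy"
    } else {
        "  Password set $($user.PasswordLastSet) expires on $expires"
    }
}

# Lockout settings are likewise immediate: the current bad-password count is compared
# against the new threshold on the next failed attempt inside the observation window.
"  LockedOut: $($user.LockedOut)  badPwdCount: $($user.badPwdCount)  last bad attempt: $($user.LastBadPasswordAttempt)"
```

Run it before and after changing a policy to see that the "immediate" values move without any logoff or GPO refresh, while the length and complexity values only matter at the next password change.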

Confused? I hope not. This is a good ending on password policies and should tie up some loose ends. I look forward to any questions or insights. You should also now better understand the impact of modifying password policies.

Doug “I am done with passwords for a while” Gabbard