Active Directory Password Policies – when does a password policy change affect a user?

I’m back! Dougga here again with yet ANOTHER password policy post. You would think I was done with this topic; hopefully this is the last on it for a while. MarkMoro, whom you may know from this blogosphere, conveyed a question to me from one of our readers that is related to password policy application and how fast users get the policy. That was an awesome question that sparked some chatter between a couple of us PFEs and also sent me to my lab and to

There are a ton (and I mean a ton) of articles, discussions, blogs, opinions etc. on the subject of password policies. But not one of them says “This is it!” for this question. Probably the most helpful article for me is from TechNet: Enforcing Strong Password Usage Throughout Your Organization.

“There can be only a single password policy for each account database. An Active Directory domain is considered a single account database, as is the local account database on standalone computers.”

My revelation here is that it isn’t so much about the group policy or the fine-grained password policy (FGPP) as it is about what the domain stores and the attributes of the user object, msDS-ResultantPSO (for FGPP).

The question “When is the user impacted?” is best answered with “As soon as the user interacts with a setting.” But it isn’t that simple, because each setting behaves differently.

The settings are available as soon as they have been written to the account policy (not the GPO). Nobody reads the GPO at password-change time: the PDC emulator reads the Default Domain Policy GPO and writes the resulting values to the domain object (aka the account database). The DC handling the change then looks at the user’s attributes to find an applicable FGPP (msDS-ResultantPSO), and only if there is none falls back to the domain password policy written by the PDCe. Read my post “Fun and games with password policies.”

What is probably most confusing is when a change actually impacts the user. For example, if you change the minimum password length from 6 to 8 characters, the user will not notice until the password is changed, and may never notice if they already use 8-character or longer passwords.

There are two timings here:

1) Immediate impact (kind of: the user may not notice unless the password expires)

2) At next password change

From my testing, these settings can be seen by the user without a logon, logoff, reboot, or GPO refresh. As soon as the policy is written and replicated (FGPP or domain policy), changes to the following settings are in effect and can impact the user immediately or very soon.

  • Minimum password age
  • Maximum password age
  • Lockout duration
  • Lockout threshold
  • Observation window (“Reset account lockout counter after”)

These settings are also in effect immediately, but the user is not impacted until the next password change, because the DC only evaluates them against the new password at that moment:

  • Minimum password length
  • Password must meet complexity requirements
  • Store passwords using reversible encryption
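The following PowerShell is an added example, not code from the original post. It ties together the two points above: it resolves the policy that actually governs one user from what the directory stores (the PSO named in msDS-ResultantPSO, otherwise the attributes the PDCe wrote onto the domain object), and then checks the “immediate impact” settings against the user’s current state, so you can see whether a change that just replicated already affects that user. It assumes the RSAT ActiveDirectory module, read access to the domain object, the PSO container and the user, and a placeholder account name (jdoe).

```powershell
# Added example (not from the original post). Reads the effective password
# policy for a user from the directory, not from the GPO, then tests the
# settings that bite without a password change against the user's state.
Import-Module ActiveDirectory

function Convert-AdInterval {
    # Ages and durations are stored as negative Int64 counts of 100-ns ticks.
    # 0 and Int64.MinValue are the "never / not set" sentinels (e.g. a maximum
    # password age of 0 in the GPO, or a lockout that needs an admin to clear).
    param([Int64]$Value)
    if ($Value -eq 0 -or $Value -eq [Int64]::MinValue) { return $null }
    [TimeSpan]::FromTicks([Math]::Abs($Value))
}

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # msDS-ResultantPSO is constructed by the DC you ask, so query the DC the
    # user authenticates against if you are chasing a replication delay.
    $user = Get-ADUser -Identity $SamAccountName -Properties `
        'msDS-ResultantPSO', 'pwdLastSet', 'lockoutTime', 'PasswordNeverExpires'

    if ($user.'msDS-ResultantPSO') {
        # A fine-grained policy applies: read the PSO object the attribute names.
        $pso = Get-ADObject -Identity $user.'msDS-ResultantPSO' -Properties *
        $policy = [pscustomobject]@{
            Source               = "FGPP $($pso.Name)"
            MinPasswordLength    = [int]$pso.'msDS-MinimumPasswordLength'
            Complexity           = [bool]$pso.'msDS-PasswordComplexityEnabled'
            ReversibleEncryption = [bool]$pso.'msDS-PasswordReversibleEncryptionEnabled'
            MinPasswordAge       = Convert-AdInterval $pso.'msDS-MinimumPasswordAge'
            MaxPasswordAge       = Convert-AdInterval $pso.'msDS-MaximumPasswordAge'
            LockoutThreshold     = [int]$pso.'msDS-LockoutThreshold'
            LockoutDuration      = Convert-AdInterval $pso.'msDS-LockoutDuration'
            ObservationWindow    = Convert-AdInterval $pso.'msDS-LockoutObservationWindow'
        }
    }
    else {
        # No PSO: the domain object holds what the PDCe wrote from the GPO.
        $domainDn = (Get-ADDomain).DistinguishedName
        $dom = Get-ADObject -Identity $domainDn -Properties `
            minPwdLength, minPwdAge, maxPwdAge, pwdProperties,
            lockoutThreshold, lockoutDuration, lockOutObservationWindow
        $policy = [pscustomobject]@{
            Source               = "Domain $domainDn"
            MinPasswordLength    = [int]$dom.minPwdLength
            Complexity           = [bool]($dom.pwdProperties -band 1)   # DOMAIN_PASSWORD_COMPLEX
            ReversibleEncryption = [bool]($dom.pwdProperties -band 16)  # DOMAIN_PASSWORD_STORE_CLEARTEXT
            MinPasswordAge       = Convert-AdInterval $dom.minPwdAge
            MaxPasswordAge       = Convert-AdInterval $dom.maxPwdAge
            LockoutThreshold     = [int]$dom.lockoutThreshold
            LockoutDuration      = Convert-AdInterval $dom.lockoutDuration
            ObservationWindow    = Convert-AdInterval $dom.lockOutObservationWindow
        }
    }

    $now     = (Get-Date).ToUniversalTime()
    $lastSet = if ($user.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($user.pwdLastSet) } else { $null }

    $state = [pscustomobject]@{
        User              = $user.SamAccountName
        PasswordLastSet   = $lastSet
        MustChangeAtLogon = ($user.pwdLastSet -eq 0)
        # Max age bites now: a password set before a shorter age replicated can
        # already be expired, with no action by the user.
        PasswordExpired   = [bool]($lastSet -and $policy.MaxPasswordAge -and
                                   -not $user.PasswordNeverExpires -and
                                   ($lastSet + $policy.MaxPasswordAge) -lt $now)
        # Min age bites now too: a change is refused until it has elapsed.
        CanChangeNow      = [bool]((-not $lastSet) -or (-not $policy.MinPasswordAge) -or
                                   ($lastSet + $policy.MinPasswordAge) -le $now)
        # Lockout duration is applied to an existing lockoutTime as soon as it
        # replicates; a null duration means "until an administrator unlocks".
        LockedOut         = [bool](($user.lockoutTime -gt 0) -and
                                   ((-not $policy.LockoutDuration) -or
                                    ([DateTime]::FromFileTimeUtc($user.lockoutTime) + $policy.LockoutDuration) -gt $now))
    }

    [pscustomobject]@{ Policy = $policy; State = $state }
}

# Usage (jdoe is a placeholder):
#   $r = Get-EffectivePasswordPolicy -SamAccountName 'jdoe'
#   $r.Policy | Format-List
#   $r.State  | Format-List
```

The script can only read the length, complexity and reversible-encryption settings; it cannot evaluate them against the password the user already has, because the DC itself only does that when a new password is submitted. That asymmetry is exactly the two-timings split above: the age and lockout values are compared against timestamps the directory already holds (pwdLastSet, lockoutTime), so they take effect the moment the new values replicate, while the other three wait for the next change.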

Confused? I hope not. This is a good ending on password policies and should tie up some loose ends. I look forward to any questions or insights. You should also better understand the impact of modifying password policies.

Doug “I am done with passwords for a while” Gabbard