Password complexity in Active Directory

Password complexity in Active Directory is something you either switch on or off for the entire domain, right? That is true, but it does not mean you have to enforce the same password rules for all of your users. With fine-grained password policies (Password Settings Objects, PSOs) you can apply different password requirements to different users or groups. Unlike a GPO, this kind of policy cannot be linked to an OU; it is applied directly to user objects or to global security groups.

Fine-grained password policies were introduced with Windows Server 2008 (they require the Windows Server 2008 domain functional level) and are a great way of managing different password requirements for different groups of users. A PSO will not let you change what "complexity" actually means, but it does let you configure the other settings: minimum password length, password history, minimum and maximum password age, the number of failed logon attempts before lockout, the lockout duration and observation window, and a precedence value that decides which PSO wins when a user is covered by more than one.

Windows Server 2012 introduced the Active Directory Administrative Center, which includes a GUI for creating and assigning fine-grained password policies. Before that, PSOs were managed either with the Active Directory PowerShell module or by editing the Password Settings Container with ADSI Edit. Having a GUI makes the job easier for you as an administrator, though PowerShell is still the better option when you want the configuration to be repeatable.
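To show how the mapping to a global security group and the configurable settings described above look in practice, here is an added PowerShell example; it is not from the original post. It assumes the ActiveDirectory module is installed, that you run it as a Domain Admin, and that the policy name PSO-Tier0-Admins and the group Tier0-Admins are hypothetical names chosen for the example.

```powershell
# Added example (not part of the original post): create a fine-grained password
# policy, apply it to a global security group, and verify which policy a member
# actually ends up with. The policy and group names are hypothetical.
Import-Module ActiveDirectory

$policyName = 'PSO-Tier0-Admins'
$groupName  = 'Tier0-Admins'   # must be a global security group, not an OU

# Create the PSO. A lower Precedence wins when a user is covered by several PSOs,
# so keep strict policies at low numbers and broad ones at high numbers.
New-ADFineGrainedPasswordPolicy -Name $policyName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 15 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 `
    -LockoutObservationWindow '00:30:00' `
    -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true `
    -Description 'Stricter settings for Tier 0 administrators'

# Link the PSO to its subjects. PSOs apply to users and global security groups
# directly; there is no OU linking as with a GPO.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName

# Verify: the resultant password policy for a member should be our PSO. If no PSO
# applies, Get-ADUserResultantPasswordPolicy returns nothing and the Default Domain
# Policy settings are in effect for that user.
$member = Get-ADGroupMember -Identity $groupName | Select-Object -First 1
if ($member) {
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName
    if ($null -eq $rsop) {
        Write-Output "No PSO applies to $($member.SamAccountName); domain default is in effect:"
        Get-ADDefaultDomainPasswordPolicy
    } else {
        Write-Output "$($member.SamAccountName) gets PSO '$($rsop.Name)' (precedence $($rsop.Precedence)):"
        $rsop | Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, ComplexityEnabled
    }
}

# List every PSO in the domain ordered by precedence to spot overlapping assignments.
Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence |
    Select-Object Name, Precedence, AppliesTo
```

The verification step at the end is the part that matters operationally: the PSO is only effective once the user is a member of the group and no other PSO with a lower precedence value also covers that user, so check the resultant policy for a sample member rather than assuming the assignment took.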

Password complexity prevents some of the worst passwords from being used, but it still accepts a password such as P@ssw0rd as complex: the built-in rule only checks length, that the account name and parts of the full name do not appear in the password, and that characters from enough of the character categories are present. For complexity to give you anything, two things must hold: your users must know how to construct a good complex password, and they must be able to remember it. If either is missing, users will most likely pick poor but technically complex passwords, or write them down. Either way, password complexity becomes fairly useless and, in the worst case, gives you a false sense of security.
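To make the point concrete, here is an added PowerShell example (not from the original post) that re-implements the built-in Windows complexity rule as Microsoft documents it and runs a few constructed passwords through it, followed by a small deny-list check of the kind that actually catches P@ssw0rd. The function names Test-WindowsComplexity and Test-NotInDenyList, the sample passwords, the sample user and the deny-list contents are all constructed for this example.

```powershell
# Added example (not part of the original post). Local re-implementation of the
# Windows "password must meet complexity requirements" rule, used only to show
# which passwords that rule accepts. Sample names and passwords are constructed.
function Test-WindowsComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName    = ''
    )

    # Rule 1: at least six characters.
    if ($Password.Length -lt 6) { return $false }

    # Rule 2: must not contain the account name (skipped if shorter than 3 chars)
    # or any part of the full name longer than two characters. Name parts are
    # delimited by commas, periods, dashes, underscores, spaces, pound signs, tabs.
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        return $false
    }
    foreach ($token in ($DisplayName -split '[,\.\-_ \t#]+')) {
        if ($token.Length -gt 2 -and
            $Password.IndexOf($token, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $false
        }
    }

    # Rule 3: characters from at least three of five categories.
    # -cmatch keeps the match case-sensitive so \p{Lu} and \p{Ll} stay distinct.
    $categories = 0
    if ($Password -cmatch '\p{Lu}')           { $categories++ }  # uppercase letters
    if ($Password -cmatch '\p{Ll}')           { $categories++ }  # lowercase letters
    if ($Password -cmatch '[0-9]')            { $categories++ }  # base-10 digits
    if ($Password -cmatch '[^\p{L}\p{Nd}]')   { $categories++ }  # non-alphanumeric
    if ($Password -cmatch '\p{Lo}')           { $categories++ }  # other letters (e.g. CJK)
    return ($categories -ge 3)
}

# Constructed deny-list check: normalise common leet substitutions and compare
# against a short list of known-bad base words. This is what a banned-password
# list does and what the complexity rule does not.
$script:DenyList = @('password', 'welcome', 'summer', 'winter', 'qwerty')
function Test-NotInDenyList {
    param([Parameter(Mandatory)][string]$Password)
    $normalised = $Password.ToLowerInvariant() -replace '@', 'a' -replace '0', 'o' `
                  -replace '1', 'i' -replace '3', 'e' -replace '\$', 's' -replace '[^a-z]', ''
    foreach ($bad in $script:DenyList) {
        if ($normalised -like "*$bad*") { return $false }
    }
    return $true
}

# Constructed samples for a user jdoe / "John Doe".
$samples = @(
    'P@ssw0rd',                     # complex: yes (4 categories); deny-list: no
    'Summer2024!',                  # complex: yes; deny-list: no
    'JohnDoe2024!',                 # complex: no (contains "John")
    'correcthorsebatterystaple',    # complex: no (1 category); deny-list: yes
    'Tr0ub4dor&3'                   # complex: yes; deny-list: yes
)
foreach ($pw in $samples) {
    $complex = Test-WindowsComplexity -Password $pw -SamAccountName 'jdoe' -DisplayName 'John Doe'
    $allowed = Test-NotInDenyList -Password $pw
    '{0,-28} complex={1,-5} passesDenyList={2}' -f $pw, $complex, $allowed
}
```

The first sample shows the problem in the paragraph above: P@ssw0rd hits four of the five categories and contains no part of the user's name, so the built-in rule accepts it, while a deny-list with leet normalisation rejects it immediately. A PSO cannot express a deny-list, so if you need that behaviour you need a password filter or banned-password product in addition to fine-grained password policies.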

Read more about Microsoft's view on password complexity, as well as how to implement fine-grained password policies the Windows Server 2008 way or the Windows Server 2012 way.