How to manage your users' Windows passwords with Group Policy

You can enforce various policies to make sure your users meet certain requirements with their Windows passwords. Learn about some of the password-related settings in Group Policy.

hero-image

Passwords are always a frustrating catch-22 for any organization. Users would prefer to use simple Windows passwords that are easy to remember and type, but you want those passwords to be strong and complex as a way to protect your users and business. If you use Group Policy at your company, you can at least set certain password policies to ensure a minimum level of security. Here's how. (The following policies can be applied to Windows 7, 8.1, and 10 clients.)

1. Open your Group Policy editor. You may want to test this out on your current computer initially by using the local Group policy editor. You can then segue to your domain's Group Policy console when it's time to create and deploy the settings for everyone.

2. At the search field, type gpedit.msc.

3. At the Local Group Policy editor, navigate to the following setting: Computer Configuration | Windows Settings | Security Settings | Account Policies | Password Policy. You'll find the specific policies that you can set. Let's review each one.

SEE: How to reduce user account lockouts and password resets (free PDF) (TechRepublic)

Enforce password history. This policy restricts users from creating passwords they've already used. The purpose is to ensure any previous password that potentially may have been leaked or stolen is not reused. If you enable password history, you can set a specific number of previous passwords that cannot be reused, anywhere from 1 to 24 (Figure A).

Figure A

figure-a

Maximum password age. This policy forces users to change their passwords on a regular basis by expiring them after a certain period of time. The default is 42 days, but you can set this to anywhere from 1 day (not advisable!) to 999 days (Figure B).

Figure B

figure-b

Though the password expiration policy is one that many organizations use, you may want to think twice about adopting it. Remember that your users don't like passwords, and forcing them to have to create and remember a new password every few months is yet another burden that may not be necessary or effective. Even Microsoft has come out against this policy, stating that it wants to remove it as a baseline setting in the next version of Windows, specifically Windows 10 and Windows Server 1903, due out in late May.

As Microsoft has argued, the main purpose of password expiration is to ensure that a stolen or hacked password can no longer be used. But if a password has never been stolen, why force users to change it? And if you know a certain password has been stolen, you would change it immediately rather than wait until it expires. Your efforts are better spent configuring and enabling other password policies.

Minimum password age. This policy prevents a user from changing a password too quickly after creating a new one. In some ways, this is a follow-up to the password history setting. The goal is to prevent users from cycling through all their old passwords until they find one allowed by the policy. It's also designed to thwart hackers who may obtain an existing password and then reset it to one of their choosing. You can set it so that the password can be changed after anywhere from 1 day to 998 days (Figure C).

Figure C

figure-c

Minimum password length: This policy specifies the minimum number of characters required for a Windows password. You can set the length to anywhere from 1 to 20 characters (Figure D). The longer the password, the more difficult it is for a hacker to guess it through brute force attacks and other means. Many experts recommend a minimum password length of 12 characters, but remember to factor in your other password policies and methods when choosing an appropriate password length for your users.

Figure D

figure-d

Password must mean complexity requirements. This policy determines what types of characters are allowed and required for your user passwords (Figure E). If enabled, user passwords must:

  • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
  • Be at least six characters in length.
  • Contain characters from three of the following four categories:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Base 10 digits (0 through 9)
    • Non-alphabetic characters (for example, !, $, #, %)

When setting this policy in conjunction with the minimum password length, you want to aim for the right balance between security and ease of use. A complex Windows password offers greater protection, but your users may be challenged to remember it along with all the other passwords they likely use. If you do establish a minimum password length and password complexity, you should provide help or tips for your users on how to create a secure password that they can more easily remember and use.

Figure E

figure-e

Store passwords using reversible encryption. This policy stores strong passwords using reversible encryption, an option that may be needed for applications that require knowledge of user passwords for authentication. However, this leaves your passwords more vulnerable, so you'll want to keep this policy disabled unless absolutely necessary (Figure F).

Figure F

figure-f

These are the core password policies, though you will find other password-related settings in Group Policy, including the ones for Account Lockout Policy and those for Security Options under Local Policies.

SEE: Password management policy (Tech Pro Research)

Also, keep in mind that the password policies offered through Group Policy only go so far. In its blog post about the password expiration policy, even Microsoft has acknowledged that "we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines." For that reason, you need to supplement your Group Policy settings with more advanced and sophisticated methods to ensure that your user passwords are as secure and as protected as possible.

Also see

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books—one on Windows and another on LinkedIn.