Microsoft Azure AZ-800 — Section 7: Implement and manage hybrid identities Part 6
62. Configure and manage AD DS passwords
Now, when it comes to managing your password requirements inside of AD DS, Active Directory Domain Services, that is going to be done by group policy. You're going to do that on a domain controller, and the domain controller has a tool that lets you go in and edit your group policy objects, and you set your password requirements there.
So the first order of business is to figure out what your password requirements are going to involve. Maybe you want 10-character passwords. You want users to reset their password every 30 days. You want to make it so users can't reuse the same passwords. You want complex passwords: uppercase, lowercase, numbers and symbols. You need to figure all that out, and then you're going to sit down at a domain controller such as this server here, my DC1. I'm going to go to Start and open Server Manager, and once Server Manager finishes loading we can go to the Group Policy Management Console tool.
So we're going to go to the Tools menu and open up Group Policy Management Console. From there, your password settings are configured inside a GPO called the Default Domain Policy (not the Default Domain Controllers Policy; the password defaults live in the Default Domain Policy).
Now, you may not have all these other policies that I've got here. Don't worry about those. The only one that matters right now, the one we're talking about, is the one called Default Domain Policy. The Default Domain Policy is the GPO, the group policy object, that gets deployed out to all of your machines and lets you control your password policy.
So right-click that and click Edit. From there, go under Computer Configuration, then Policies, Windows Settings, Security Settings, Account Policies, and here we are: Password Policy.
OK, so password policies are set here. You have the following policies. Enforce password history: this makes it so a user can't reuse the same password over and over again. In this case it's defaulted to 24 passwords, so a user would basically have to cycle through 24 passwords before they could reuse one. You've got Maximum password age, which defaults to 42 days; that's the maximum number of days they can keep a password before they have to change it. Then you have Minimum password age, the minimum number of days they have to keep a password before they can change it; that's set to one day by default. Then Minimum password length, which is seven characters by default.
So they have to have a seven-character password. You've also got Minimum password length audit. This is going to enable auditing for your password lengths. This is a newer policy, which is why I wanted to illustrate it; there are a couple of policies here that haven't been around since the early days, and this is one of them.
So if you look here, Minimum password length audit says this security setting determines the minimum password length for which password length audit warning events are issued.
So they're getting a warning message.
OK. You can set it to a maximum of 128. And there's a note that tells you that you should only enable and configure this setting when trying to determine the potential impact of increasing the minimum password length setting. They tell you if it's not defined, then the events aren't going to be audited.
OK. If it's defined and is less than or equal to the minimum password length, the audit events will also not be issued.
So that's what that does: it enables the auditing feature. Below that you've got Password must meet complexity requirements. Complexity requirements require uppercase, lowercase, numbers and symbols; you have to have at least three of those four categories: uppercase characters, lowercase characters, numbers, symbols. A couple of others: this next policy here is also a new one, Relax minimum password length limits.
So you'll notice that if you try to turn that on here, you get a warning that modifying the setting may affect compatibility with clients and services. If you click on the little link they give you, it takes you to an article that talks a bit about this, and that this is a relatively new feature. They also tell you that it's essentially only supported by Windows 10 and higher operating systems.
OK. So basically what you're getting here with password length auditing and enforcement is that this policy ties back to the Minimum password length audit policy above. You set a minimum password length audit, which we talked about, and then if you enable Relax minimum password length limits, they tell you this setting controls whether the minimum password length can go beyond the legacy limit, which was 14. If it's not defined, the minimum password length may be configured to a maximum of 14; if the setting is defined and disabled, the minimum password length may again be configured to a maximum of 14; and if the setting is defined and enabled, the minimum password length can be configured beyond 14. So these are just a couple of the newer things that were introduced to Active Directory a few years ago. Lastly, you have Store passwords using reversible encryption. This is an old policy; it's been around since the year 2000, and it was really important when Windows 2000 came out because in those days we still had some legacy computers running DOS and the like, and they could not authenticate using that level of encryption. They basically could not store their passwords encrypted on their machines, so you had to enable Store passwords using reversible encryption, and it meant the password would not be encrypted on their machine. Keep in mind, turning this on is a security risk. It's not something you should pretty much ever turn on nowadays, God forbid you still have some DOS computers in your environment. But if you did turn this on, even with it turned on at the domain level, you still have to go to the individual users and turn it on there as well.
In other words, I'd have to go to Active Directory Users and Computers, for example, and open up the specific user that I want to do this with.
So, for example, if I had a user named Joe France, I'd have to go to Joe France's account and turn it on there as well for that person.
So don't worry: if you were to turn this on, it's not going to completely screw your whole domain over. By turning this on, you have to go to each individual user and turn it on there as well, whichever user was perhaps using that legacy computer. Over here you've got Account Lockout Policy. Account lockout policy involves when an account would be locked out after a certain number of attempts.
So you have the account lockout threshold, which is the number of attempts they get before they get locked out. And then if you set the account lockout duration, that's the amount of time they would be locked out.
So let's say we set the lockout threshold to three and the lockout duration to 30 minutes. Then after three bad attempts at putting in their password, they'd be locked out for 30 minutes. You've also got Reset account lockout counter after; that is a timer that resets the strikes.
So the threshold is the number of strikes. If you set it to three, and let's say you set the lockout counter to five minutes, then when a person puts their password in wrong once, this counter begins ticking, and then they put in another bad password and that's two. They have two strikes.
OK, well, let's say the five-minute counter ran out before the third strike was put in. It would reset the strikes, so they could put in two more bad passwords before it would ever lock them out on the third.
OK, so that’s what all that has to do with.
OK. And so that is your domain password policy. Keep in mind that you can only have one of those active at a time. You'll notice that this is attached to the domain, essentially at that domain level. If you click on the domain, you can see the group policies linked here and the order they're listed in. If there's ever a conflict, whatever GPO is at the top is the one you would get.
Now, ignore the Enforced thing; right now we're not getting into what that is. And again, you may not have all of these that I've got. The only one that matters here is this one. But if you had multiple GPOs linked to your domain, the top one is the one that the password policies will come out of.
OK. Of course, there is a way if you wanted to apply password policies to individual groups: you can do group-based password policies as well, and that is known as fine-grained password policies. You do that by going into Server Manager, Tools, and opening up the Active Directory Administrative Center. This is where you're going to set them; you're not going to set them through a group policy object, you're going to set them through this tool. If you go down here, there's a little folder called System, and then there's a thing called Password Settings Container. You can go into there, click New, Password Settings, and create password settings just for specific groups if you want.
So, for example, let's say instead of seven characters I wanted to use 12 characters for salespeople. I could create a password settings object here, set the number to 12, and then apply it to the Sales group right here.
OK. And so that’s how that would work.
So it is possible to apply password policies directly to a group. By default, the password policies go to the whole entire domain through that group policy I showed you, but if you want to do individual groups you can, and they call that fine-grained password policies. OK. So those are the different ways you're going to apply password policies in your domain. Keep in mind, if you're in a hybrid environment where your on-premises domain is connected to Azure AD and all the Microsoft 365 services, you can set password requirements in the cloud as well. However, they don't take effect for hybrid users.
So if you're synchronizing on-premises users out to the cloud, you still need to set your password policies for those users on-premises. You're not going to configure those in the cloud; you're going to configure them on-premises exactly the way I just showed you.
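To tie the pieces of this lesson together from the command line (inspect the domain-wide policy and the GPO link order, build the 12-character Sales fine-grained policy with a 3-strike lockout, and check for users still flagged for reversible encryption), here is an added PowerShell example; it is not part of the course, and the domain, the Sales group, the user jfrance and the PSO name Sales-PSO are placeholders.

```powershell
# Added example (not from the course): audit and configure AD DS password policy using the
# ActiveDirectory and GroupPolicy modules on a domain controller or RSAT workstation.
# Placeholder names: the current domain, group "Sales", user "jfrance", PSO "Sales-PSO".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain   # the domain this session is joined to

# 1. Read the effective domain-wide policy, i.e. the values the Default Domain Policy GPO
#    applied to the domain. Lecture defaults: history 24, max age 42 days, min age 1 day,
#    min length 7, complexity on, reversible encryption off.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object PasswordHistoryCount, MaxPasswordAge, MinPasswordAge, MinPasswordLength,
                  ComplexityEnabled, ReversibleEncryptionEnabled,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. With several GPOs linked at the domain, link order 1 (the top one in GPMC) wins any
#    conflict for password settings; list them so you know which GPO is authoritative.
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# 3. Fine-grained password policy: 12-character minimum for the Sales group only, with a
#    3-strike lockout for 30 minutes and a 5-minute reset (observation) window.
#    Lower Precedence wins if a user ends up under more than one PSO.
$pso = @{
    Name                        = 'Sales-PSO'
    Precedence                  = 10
    MinPasswordLength           = 12
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MaxPasswordAge              = (New-TimeSpan -Days 30)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    LockoutThreshold            = 3
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 5)
    ReversibleEncryptionEnabled = $false
}
New-ADFineGrainedPasswordPolicy @pso
Add-ADFineGrainedPasswordPolicySubject -Identity 'Sales-PSO' -Subjects 'Sales'

# 4. Confirm what a Sales user actually gets: the winning PSO is returned; nothing comes
#    back when only the domain GPO policy applies to that user.
Get-ADUserResultantPasswordPolicy -Identity 'jfrance' |
    Select-Object Name, MinPasswordLength, LockoutThreshold

# 5. Defender check: reversible-encryption storage is also a per-user flag (userAccountControl
#    bit 0x80) on top of the domain setting; list any account that still has it set.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
    Select-Object SamAccountName, DistinguishedName
```

Run it as a domain administrator; steps 1, 2, 4 and 5 are read-only, while step 3 creates and links the PSO.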