All About Active Directory Passwords
Where to find password complexity requirements in Active Directory
AD is configured with a default domain password policy. To view the password policy:
- Open the group policy management console.
- Expand Domains, your domain, then group policy objects.
- Right-click the default domain policy and click edit.
- Now navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy.
How to change/reset a password in Active Directory
- Open the Server Manager and then navigate to Tools -> Active Directory Users and Computers.
- Expand the Domain and go to Users.
- Right-click on the respective user, then Reset Password
How to reset your administrator password in Active Directory
- Open the Server Manager, then navigate to Tools -> Active Directory Users and Computers.
- Expand the Domain, then go to Users.
- Right-click on the Administrator user-> Reset Password.
- Once the password is reset you will need to sign out and back in for it to take effect.
How to reset a user password in Active Directory with PowerShell
- Run PowerShell as an administrator.
- Use the Set-ADAccountPassword cmdlet to change the user’s password: Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$newPass" -Force)
- Hit Enter.
What is the maximum password length in Active Directory?
The maximum length of a password supported by AD is 256 characters. However, the maximum length of a password that a human user could actually type to log into Windows is 127 characters (the limitation is in the Windows GUI).
What is the default password policy Active Directory?
Password policies are used to configure how passwords should behave in the system. By default AD applies preset restrictions. Microsoft recommends the following default policy settings:
- Enforce Password History: 24
- Maximum password age: not set
- Minimum password age: not set
- Minimum password length: 14
- Password must meet complexity: Enabled
- Store passwords using reversible encryption: Disabled
How are passwords stored in Active Directory?
Passwords stored in AD are hashed. Meaning that once the user creates a password, an algorithm transforms that password into an encrypted output known as a “hash”. Hashes are of fixed size so passwords of different lengths will have the same number of characters. They are designed to be one-way encryption so that once they are coded, no one should be able to break that code (theoretically).
Does Active Directory salt passwords?
The passwords are not salted in AD. They're stored as a one-way hash. Hashing, primarily used for authentication, is a one-way function where data is mapped to a fixed-length value. Salting is an additional step during hashing, typically seen in association with hashed passwords, that adds an additional value to the end of the password that changes the hash value produced. However, a motivated hacker will be able to easily crack even hard hashes with salt when the user has chosen a very common password.
How often is the password for a computer account changed by Active Directory?
By default, the domain members have to submit a password change every 30 days. However, admins have the ability to shorten or lengthen this range.
Can you check the last password change in Active Directory?
Yes, you can check the Last Password Changed information for a user account in AD. The information for the last password changed is stored in an attribute called “PwdLastSet”. You can check the value of “PwdLastSet” using the Microsoft “ADSI Edit” tool.