Active Directory (AD) is configured with a default domain password policy. To view the password policy:
Fine-Grained Password Policies (FGPP), introduced in Windows Server 2008, let administrators attach a Password Settings Object (PSO) to specific users or global security groups (not to OUs), for example stricter rules for service accounts or privileged users. A PSO always overrides the domain-wide policy for the accounts it applies to, and when several PSOs apply to one account, the one with the lowest precedence value wins.
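As an added example (not code from the original page), this is the PowerShell a domain admin would use to read the default policy, list the fine-grained policies already defined, and create a stricter one for a group of service accounts. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the policy name PSO-ServiceAccounts and the group svc-accounts are placeholders.

```powershell
# Added example, not from the original page. Placeholders: PSO-ServiceAccounts, svc-accounts.
Import-Module ActiveDirectory

# 1. The domain-wide defaults that the Default Domain Policy GPO writes to the domain head
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MinPasswordAge,
        MaxPasswordAge, LockoutThreshold, LockoutDuration, LockoutObservationWindow,
        ReversibleEncryptionEnabled

# 2. Fine-grained policies already present (Password Settings Objects under CN=System)
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo

# 3. A stricter PSO for service accounts. Precedence: lower wins when several PSOs apply.
#    Long passwords and a long maximum age suit accounts that never type their password.
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 10 `
    -MinPasswordLength 25 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -ReversibleEncryptionEnabled $false

# 4. PSOs apply to users and global security groups only, never to OUs
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'svc-accounts'
```

FGPP requires the domain functional level to be Windows Server 2008 or higher. Because a PSO bypasses Group Policy entirely, gpresult will not show it; use Get-ADUserResultantPasswordPolicy to confirm which settings a given account actually receives.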
The maximum length of a password supported by AD is 256 characters. However, the maximum length of a password that a human user could actually type to log into Windows is 127 characters (the limitation is in the Windows GUI).
Password policies define how passwords must be formed, how long they remain valid and how failed logons are handled. Out of the box, AD enforces the settings in the Default Domain Policy GPO. Microsoft recommends the following default policy settings:
Best Practice Tip:
While these defaults offer a foundation, many organizations improve security by adjusting settings such as:
Passwords are never stored in clear text in AD. When a user sets a password, a one-way hash function transforms it into a fixed-length value, so passwords of different lengths produce hashes with the same number of characters. Hashing is not encryption: there is no key and nothing to decrypt. The only way back from a hash is to guess candidate passwords, hash each one the same way and compare, which is exactly what a cracking tool does, and which is cheap whenever the password is common.
Note on Hashing:
AD keeps two kinds of password-derived secrets in the NTDS.dit database. The NT hash (the unicodePwd attribute) is an unsalted MD4 of the UTF-16LE encoding of the password, with no iteration count: two accounts with the same password have the same NT hash, precomputed tables work against it, and the hash itself can be replayed in pass-the-hash attacks. The Kerberos AES keys (kept in supplementalCredentials) are derived with PBKDF2-HMAC-SHA1 over 4096 iterations using a salt built from the realm and principal name, so the same password yields a different key for every account.
Salting does not mean appending a value to the end of the password; it means mixing a per-account value into the hash input so that identical passwords hash differently and a precomputed table cannot be reused across accounts. It does not make a weak password strong: an attacker targeting one account simply runs the wordlist through the salted function for that account, and a very common password falls quickly whether or not it was salted.
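To make the unsalted-hash point concrete, here is an added PowerShell example (not from the original page) that computes NT hashes the way AD does and contrasts them with a per-account salted key. It implements MD4 itself because .NET ships no MD4 provider; Get-SaltedKey is a simplified stand-in for Kerberos AES string-to-key that stops at the PBKDF2 stage; the user names, passwords and wordlist are constructed sample data.

```powershell
# Added example, not from the original page. MD4 is implemented here because .NET has no MD4
# provider; Get-SaltedKey is a simplified stand-in for Kerberos AES string-to-key; all users,
# passwords and the wordlist are constructed sample data.
$Mask32 = [int64]4294967295     # 0xFFFFFFFF in decimal: PowerShell parses the hex literal as -1

function RotL32 ([int64]$x, [int]$n) {
    return (($x -shl $n) -bor ($x -shr (32 - $n))) -band $Mask32
}

function Get-MD4 ([byte[]]$Data) {
    # RFC 1320 MD4 over arbitrary bytes; Int64 arithmetic masked to 32 bits avoids overflow promotion
    $padLen = (56 - (($Data.Length + 1) % 64) + 64) % 64
    $buf = [byte[]]::new($Data.Length + 1 + $padLen + 8)
    [Array]::Copy($Data, $buf, $Data.Length)
    $buf[$Data.Length] = 0x80
    [Array]::Copy([BitConverter]::GetBytes([int64]$Data.Length * 8), 0, $buf, $buf.Length - 8, 8)

    $a = [int64]1732584193; $b = [int64]4023233417      # 0x67452301, 0xEFCDAB89
    $c = [int64]2562383102; $d = [int64]271733878       # 0x98BADCFE, 0x10325476
    $k2 = [int64]1518500249; $k3 = [int64]1859775393    # 0x5A827999, 0x6ED9EBA1
    $idx2 = 0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15
    $idx3 = 0,8,4,12,2,10,6,14,1,9,5,13,3,11,7,15
    $s1 = 3,7,11,19; $s2 = 3,5,9,13; $s3 = 3,9,11,15

    for ($off = 0; $off -lt $buf.Length; $off += 64) {
        $X = [int64[]]::new(16)
        for ($i = 0; $i -lt 16; $i++) { $X[$i] = [BitConverter]::ToUInt32($buf, $off + 4 * $i) }
        $aa = $a; $bb = $b; $cc = $c; $dd = $d
        for ($i = 0; $i -lt 16; $i++) {                     # round 1: F(b,c,d) = (b AND c) OR (NOT b AND d)
            $f = ($b -band $c) -bor (($b -bxor $Mask32) -band $d)
            $a = RotL32 (($a + $f + $X[$i]) -band $Mask32) $s1[$i % 4]
            $a, $b, $c, $d = $d, $a, $b, $c
        }
        for ($i = 0; $i -lt 16; $i++) {                     # round 2: G(b,c,d) = majority(b,c,d)
            $g = ($b -band $c) -bor ($b -band $d) -bor ($c -band $d)
            $a = RotL32 (($a + $g + $X[$idx2[$i]] + $k2) -band $Mask32) $s2[$i % 4]
            $a, $b, $c, $d = $d, $a, $b, $c
        }
        for ($i = 0; $i -lt 16; $i++) {                     # round 3: H(b,c,d) = b XOR c XOR d
            $h = $b -bxor $c -bxor $d
            $a = RotL32 (($a + $h + $X[$idx3[$i]] + $k3) -band $Mask32) $s3[$i % 4]
            $a, $b, $c, $d = $d, $a, $b, $c
        }
        $a = ($a + $aa) -band $Mask32; $b = ($b + $bb) -band $Mask32
        $c = ($c + $cc) -band $Mask32; $d = ($d + $dd) -band $Mask32
    }
    $bytes = foreach ($w in $a, $b, $c, $d) { [BitConverter]::GetBytes([uint32]$w) }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-NTHash ([string]$Password) {
    # NT hash = MD4(UTF-16LE(password)): no salt, no iterations, same input always gives same output
    return Get-MD4 ([System.Text.Encoding]::Unicode.GetBytes($Password))
}

function Get-SaltedKey ([string]$Password, [string]$Realm, [string]$Principal) {
    # PBKDF2-HMAC-SHA1, 4096 iterations, salt = REALM + principal, as in RFC 3962's first stage.
    # Real Kerberos AES keys pass this through one more DK() step, omitted here (simplification).
    $salt = [System.Text.Encoding]::UTF8.GetBytes($Realm.ToUpperInvariant() + $Principal)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $salt, 4096)
    return ($kdf.GetBytes(32) | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Find-CrackablePasswords ([hashtable]$Targets, [string[]]$Wordlist, [scriptblock]$Derive) {
    # $Targets: user -> stored value; $Derive: how to recompute that value for (user, candidate)
    $cracked = @{}
    foreach ($user in $Targets.Keys) {
        foreach ($cand in $Wordlist) {
            if ((& $Derive $user $cand) -eq $Targets[$user]) { $cracked[$user] = $cand; break }
        }
    }
    return $cracked
}

# Self-test against the widely published NT hash of the word "password"
if ((Get-NTHash 'password') -ne '8846f7eaee8fb117ad06bdd830b7586c') { throw 'MD4 self-test failed' }

$users    = @{ alice = 'password'; bob = 'password'; carol = 'Tq7#vL9!mX2pRz' }   # constructed
$wordlist = 'Welcome1', 'password', 'Summer2024!'                                  # constructed
$realm    = 'CORP.LOCAL'
$nt = @{}; $krb = @{}
foreach ($u in $users.Keys) { $nt[$u] = Get-NTHash $users[$u]; $krb[$u] = Get-SaltedKey $users[$u] $realm $u }

"Same NT hash for alice and bob:    $($nt['alice'] -eq $nt['bob'])"
"Same salted key for alice and bob: $($krb['alice'] -eq $krb['bob'])"
"Cracked via NT hash:    $(((Find-CrackablePasswords $nt  $wordlist { param($u, $p) Get-NTHash $p }).Keys | Sort-Object) -join ', ')"
"Cracked via salted key: $(((Find-CrackablePasswords $krb $wordlist { param($u, $p) Get-SaltedKey $p $realm $u }).Keys | Sort-Object) -join ', ')"
```

Running it shows that alice and bob, who chose the same password, share one NT hash but receive different salted keys, and that the three-word list recovers both accounts' password under either scheme while carol's survives. The salt defeats precomputation and cross-account reuse; it does nothing against guessing a password that is already in every wordlist.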
By default, the Default Domain Policy sets a maximum password age of 42 days (with a minimum age of 1 day), so domain users are prompted to change their password roughly every six weeks. The 30-day interval that is often quoted belongs to computer accounts, which rotate their own machine-account password on that schedule. Admins can shorten or lengthen the maximum age, or set it to 0 so that passwords never expire.
Yes. The time of the last password change is stored in the user's pwdLastSet attribute as a Windows FILETIME (100-nanosecond intervals since 1 January 1601 UTC), so the raw value needs converting before it is readable, and a value of 0 means the user must change their password at next logon. You can read the raw value with Microsoft's "ADSI Edit" tool, or on the Attribute Editor tab in Active Directory Users and Computers, which also shows the converted date.
PowerShell Alternative:
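An added PowerShell example (not code from the original page) that reads pwdLastSet for one account, converts it from FILETIME, and then sweeps the domain for enabled accounts whose password is older than the domain's maximum age, never expires, or is flagged must-change. It assumes the RSAT ActiveDirectory module on a domain-joined machine; jdoe is a placeholder sAMAccountName.

```powershell
# Added example, not from the original page. Placeholder account: jdoe.
Import-Module ActiveDirectory

function Get-PasswordAgeReport ([string]$Identity) {
    # pwdLastSet is a raw FILETIME; 0 means "must change at next logon" (no date to convert)
    $u = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordNeverExpires, PasswordExpired
    $set = if ($u.pwdLastSet -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($u.pwdLastSet) }
    [pscustomobject]@{
        User                 = $u.SamAccountName
        pwdLastSetRaw        = $u.pwdLastSet
        PasswordLastSetUtc   = $set
        MustChangeAtLogon    = ($u.pwdLastSet -eq 0)
        PasswordAgeDays      = $(if ($set) { [int]((Get-Date).ToUniversalTime() - $set).TotalDays } else { $null })
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordExpired      = $u.PasswordExpired
    }
}

function Find-StalePasswords {
    # Uses the domain-wide MaxPasswordAge; accounts covered by a PSO may have a different limit.
    $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $cutoff = if ($maxAge -eq [TimeSpan]::Zero) { [DateTime]::MinValue }   # 0 = passwords never expire
              else { (Get-Date).ToUniversalTime() - $maxAge }
    Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet, PasswordNeverExpires |
        Where-Object {
            $_.PasswordNeverExpires -or $_.pwdLastSet -eq 0 -or
            [DateTime]::FromFileTimeUtc($_.pwdLastSet) -lt $cutoff
        } |
        Select-Object SamAccountName, PasswordNeverExpires,
            @{ n = 'PasswordLastSetUtc'; e = { if ($_.pwdLastSet -eq 0) { 'must change' } else { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } } }
}

Get-PasswordAgeReport -Identity 'jdoe'
Find-StalePasswords | Sort-Object SamAccountName | Format-Table -AutoSize
```

Get-ADUser also exposes a converted PasswordLastSet property, but reading the raw attribute is what lets you distinguish "never set since the flag was cleared" (0) from a genuine date. Writing 0 to pwdLastSet forces a change at next logon; writing -1 afterwards stamps it with the current time without the user changing anything, which is worth knowing when auditing who reset the flag.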
Microsoft's Entra ID Password Protection (Entra ID was formerly Azure Active Directory) checks a new password against Microsoft's global banned-password list and an optional custom list, rejecting those terms and close variants of them. It only does so at the moment a password is set or changed, however; existing passwords are not re-evaluated when they later turn up in a breach, so an account whose password was acceptable at creation can become exposed over time without any alert.
If users aren’t receiving the expected Active Directory password settings:
Inconsistencies usually come down to one of three causes: replication delay (the change has not yet reached the domain controller the user authenticates against), a Password Settings Object that overrides the domain policy for that user or one of their groups, or a GPO linked somewhere other than the domain root. Password settings for domain accounts are only honoured from a GPO linked at the domain root; the same settings in a GPO linked to an OU affect only the local accounts on the computers in that OU.
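An added PowerShell diagnostic (not code from the original page) that walks those three causes in order for one account: whether a PSO is overriding the domain policy, which GPOs are actually linked at the domain root, and whether every domain controller agrees on the policy. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined machine; jdoe is a placeholder account.

```powershell
# Added example, not from the original page. Placeholder account: jdoe.
Import-Module ActiveDirectory, GroupPolicy
$domain = Get-ADDomain
$user   = 'jdoe'

# 1. PSO check: Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$pso = Get-ADUserResultantPasswordPolicy -Identity $user
if ($pso) {
    "$user is covered by PSO '$($pso.Name)' (precedence $($pso.Precedence)); the domain policy does not apply."
    $pso | Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold
} else {
    "$user gets the domain policy:"
    $domainPolicy | Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold
}

# 2. GPOs linked at the domain root, in processing order (lowest Order wins for conflicting settings).
#    Password settings for domain accounts are only read from links here, not from OU links.
(Get-GPInheritance -Target $domain.DistinguishedName).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# 3. Replication: any failing partners, and does every DC report the same policy values?
Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $p = Get-ADDefaultDomainPasswordPolicy -Server $dc
    [pscustomobject]@{ DC = $dc; MinLength = $p.MinPasswordLength; MaxAge = $p.MaxPasswordAge; History = $p.PasswordHistoryCount }
}
```

If step 3 shows one DC with stale values and no failures, wait for the replication interval or force it with repadmin /syncall; if step 2 shows a second GPO at the root with a lower Order number, its password settings win over the Default Domain Policy.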
Overly strict Active Directory password rules—such as frequent resets, long character minimums, and forced complexity—often backfire. They lead to poor user behavior, such as:
Enzoic for Active Directory improves security by only blocking passwords that are truly risky—those found in breach corpuses or cracking dictionaries. Admins get visibility, users stay productive, and attackers get stopped at the source.