Active Directory Passwords: Where to Find Password Complexity Requirements in Active Directory (AD)

Active Directory (AD) is configured with a default domain password policy. To view the password policy:

• Open the group policy management console.
• Expand Domains, your domain, then group policy objects.
• Right-click the default domain policy and click edit.
• Now navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAccount PoliciesPassword Policy.
• PowerShell Alternative:
  You can also use the following command to view the default domain password policy via PowerShell:
  Get-ADDefaultDomainPasswordPolicy

Fine-Grained Password Policies (FGPP) offer more flexibility by allowing different policies for different users or groups. Introduced in Windows Server 2008, FGPP lets administrators enforce stricter policies for service accounts or privileged users.

• To configure FGPP:
  Use Active Directory Administrative Center (ADAC) → System → Password Settings Container → New Password Settings Object
  Or with PowerShell:
  New-ADFineGrainedPasswordPolicy

Check your risk with a free password audit. No key required, just download and run.

How to Change/Reset a Password

• Open the Server Manager and then navigate to Tools -> Active Directory Users and Computers.
• Expand the Domain and go to Users.
• Right-click on the respective user, then Reset Password

How to Reset Your Administrator Password

• Open the Server Manager, then navigate to Tools -> Active Directory Users and Computers.
• Expand the Domain, then go to Users.
• Right-click on the Administrator user-> Reset Password.
• Once the password is reset you will need to sign out and back in for it to take effect.

How to Reset a User Password in Active Directory with PowerShell

• Run PowerShell as an administrator.
• Use the Set-ADAccountPassword cmdlet to change the user’s password:
• PowerShell: Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString -AsPlainText “$newPass” -Force)
• Hit Enter.

What is the Maximum Password Length?

The maximum length of a password supported by AD is 256 characters. However, the maximum length of a password that a human user could actually type to log into Windows is 127 characters (the limitation is in the Windows GUI).

What is the Default Password Policy AD?

Password policies are used to configure how passwords should behave in the system. By default AD applies preset restrictions. Microsoft recommends the following default policy settings:

• Enforce Password History: 24
• Maximum password age: not set
• Minimum password age: 1 day
• Minimum password length: 14
• Password must meet complexity: Enabled
• Store passwords using reversible encryption: Disabled

Best Practice Tip:
While these defaults offer a foundation, many organizations improve security by adjusting settings such as:

• Minimum password length: 14+ characters
• Account lockout threshold: 5 invalid attempts
• Lockout duration: 15 minutes

Make detecting and eliminating compromised passwords in Active Directory easy with a simple plug-in.

Start protecting for free

How are Passwords Stored in Active Directory?

Passwords stored in AD are hashed. Meaning that once the user creates a password, an algorithm transforms that password into an encrypted output known as a “hash”. Hashes are of fixed size so passwords of different lengths will have the same number of characters. They are designed to be one-way encryption so that once they are coded, no one should be able to break that code (theoretically).

Note on Hashing:
AD supports both NTLM and Kerberos hashing. NTLM hashes are not salted, making them more vulnerable. Kerberos AES hashes, however, do incorporate salting for stronger protection.

Does Active Directory Salt Passwords?

The passwords are not salted in AD. They’re stored as a one-way hash. Hashing, primarily used for authentication, is a one-way function where data is mapped to a fixed-length value. Salting is an additional step during hashing, typically seen in association with hashed passwords, that adds an additional value to the end of the password that changes the hash value produced. However, a motivated hacker will be able to easily crack even hard hashes with salt when the user has chosen a very common password.

How Often is the Password for a Computer Account Changed by Active Directory?

By default, the domain members have to submit a password change every 30 days. However, admins have the ability to shorten or lengthen this range.

Can You Check the Last Password Change?

Yes, you can check the Last Password Changed information for a user account in AD. The information for the last password changed is stored in an attribute called “PwdLastSet”. You can check the value of “PwdLastSet” using the Microsoft “ADSI Edit” tool.

PowerShell Alternative:

• powershell
  (Get-ADUser username -Properties “PwdLastSet”).PwdLastSet

Is Microsoft Entra Password Protection Enough?

Microsoft’s Entra ID (formerly Azure Active Directory) blocks a limited set of weak and compromised passwords with no continuous monitoring. While it provides basic security, it relies on a static approach that only checks passwords at creation, leaving businesses vulnerable as new passwords get compromised over time.

Integrating Enzoic Keeps Organizations Secure

• Real-time monitoring: Continuously updates with the latest Dark Web breach data.
• Full credential checks: Assesses both usernames and passwords for compromise.
• Automated protection: Alerts users and forces password changes when a breach occurs.
• Seamless integration: Enhances security across cloud and on-prem environments.
• Credential intelligence: Identifies breach origin, type, and date of exposure.
• No software required on endpoints: Installed on domain controllers for silent background operation.

Troubleshooting Password Policy Issues in AD

If users aren’t receiving the expected Active Directory password settings:

• Run gpupdate /force on their machine
• Use gpresult /r to verify applied policies
• Check for replication issues with repadmin /replsummary
• Run Get-ADUserResultantPasswordPolicy to confirm which policy applies

Inconsistencies are often due to replication delays or overlapping group policies.

Balance Security with User Experience

Overly strict Active Directory password rules—such as frequent resets, long character minimums, and forced complexity—often backfire. They lead to poor user behavior, such as:

• Writing down passwords
• Reusing passwords across platforms
• Resorting to predictable patterns like “Welcome123!”

Enzoic for Active Directory improves security by only blocking passwords that are truly risky—those found in breach corpuses or cracking dictionaries. Admins get visibility, users stay productive, and attackers get stopped at the source.