Domain Password Change Policy In Windows 2008

I will break this entry into two posts. In the first post I will show you how to create and enable a password change policy on your domain using Windows Server 2008, and in the second I will show you how to remind users to change their password when it is about to expire. I assume your domain is healthy and already up and running.

A very important note if you have remote domain users: if your remote users (outside your network) have not changed their domain passwords for a long time, you need to notify them to change their passwords before enabling the password change policy. Otherwise they will not be able to access their e-mail (if any) or any other network resources they use, because their domain accounts will be locked out. If you want to test your password change policy before implementing it, make sure all users are set to “password never expires” in AD:
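To find out who needs that notification before the policy goes live, the following script lists the enabled accounts whose password is already older than the planned maximum age. It is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module (available on Windows Server 2008 R2, and on a plain Windows Server 2008 domain controller only with the Active Directory Management Gateway Service installed), and the 90-day maximum age and the output file name are placeholder values.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# PowerShell module; $PlannedMaxAgeDays and the CSV file name are placeholders.
Import-Module ActiveDirectory

$PlannedMaxAgeDays = 90
$Cutoff = (Get-Date).AddDays(-$PlannedMaxAgeDays)

# Enabled accounts that are subject to expiry and whose password is already
# older than the planned maximum age. A null PasswordLastSet means the
# password was never set or the account is flagged "must change at next
# logon"; both count as at risk. These are the users to notify first.
$AtRisk = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties PasswordLastSet, PasswordNeverExpires, EmailAddress |
  Where-Object {
    -not $_.PasswordNeverExpires -and
    ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff)
  }

# Age in whole days, blank when the password was never set.
$Report = $AtRisk | Select-Object SamAccountName, EmailAddress, PasswordLastSet,
    @{ Name = 'PasswordAgeDays'; Expression = {
        if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } }

$Report | Sort-Object PasswordLastSet |
  Export-Csv -Path .\users-to-notify.csv -NoTypeInformation

Write-Host ("{0} account(s) would expire as soon as the policy is enabled; see users-to-notify.csv" -f @($AtRisk).Count)
```

The same `$AtRisk` list is what you would flag with `Set-ADUser -PasswordNeverExpires $true` for the controlled test described above; keep a copy of the list so the flag can be removed again once the test is over, since accounts left on “password never expires” are never covered by the policy.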


Also, before setting up and enabling a domain password policy you need to have already defined the type of policy you want to enforce. Normally the requirements for such policies come from outside IT, driven by organizational requirements. For example, before you start working on the domain controller you should already have at least the following information:

  1. Password age requirement
  2. Minimum password length
  3. Whether you will require users to include complex characters and symbols in their passwords
  4. etc.

If you already have that information, log in to your domain controller and open the Group Policy Management Editor. Right-click on the Default Domain Policy and select Edit. Expand the Windows Settings folder and navigate to Security Settings. Under Account Policies, click on Password Policy:


Once you click on Password Policy, the right side of your screen shows the following six policy settings:

  1. Enforce password history: with this policy you set how many new passwords a user must use before an old password can be reused. It is always a good idea to set this number to at least 3. Many users keep reusing known passwords over and over again simply because they are easier to remember.
  2. Maximum password age: this is the main policy. Enter the number of days a domain password can be used before AD forces the user to change it. For example, if you want your users to change their password every 3 months, enter 90 here.
  3. Minimum password age: with this policy you specify how many days a password must be in use before it can be changed again. Set it to 0 if you want to allow users to change passwords immediately.
  4. Minimum password length: here you specify the minimum password length you want your users to use. It is recommended to require at least 6 characters.
  5. Password must meet complexity requirements: this policy is tightly integrated with the previous one. It is highly recommended to require a minimum 6-character password that also includes special characters, numbers, and symbols.
  6. Store passwords using reversible encryption: this security setting determines whether the operating system stores passwords using reversible encryption. Most of the time this policy is left disabled; enable it only if an application explicitly requires it, since a reversibly encrypted password is effectively stored in clear text.

Your overall password change policy should look like this:


Now enforce the policy from the Group Policy Management Editor: right-click on the Default Domain Policy object and click on Enforced.
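Before calling it done, read the effective domain policy back and compare it with the requirements you collected at the start; a typo in one of the six settings is easy to miss in the editor. This is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module, uses contoso.com as a placeholder domain name, and the expected values mirror the settings walked through above.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# PowerShell module; contoso.com is a placeholder domain name.
Import-Module ActiveDirectory

$Domain = 'contoso.com'

# What the policy is supposed to be, one entry per Password Policy setting.
$Required = @{
    PasswordHistoryCount        = 3                      # Enforce password history
    MaxPasswordAge              = New-TimeSpan -Days 90  # Maximum password age
    MinPasswordAge              = New-TimeSpan -Days 0   # Minimum password age
    MinPasswordLength           = 6                      # Minimum password length
    ComplexityEnabled           = $true                  # Password must meet complexity requirements
    ReversibleEncryptionEnabled = $false                 # Store passwords using reversible encryption
}

# The effective domain-level policy, i.e. the values the Default Domain Policy
# has written to the domain object. This is what users are evaluated against.
$Effective = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

# Report every setting whose effective value differs from the requirement.
$Drift = foreach ($Name in $Required.Keys) {
    if ($Effective.$Name -ne $Required[$Name]) {
        New-Object PSObject -Property @{
            Setting  = $Name
            Expected = $Required[$Name]
            Actual   = $Effective.$Name
        }
    }
}

if ($Drift) {
    $Drift | Format-Table Setting, Expected, Actual -AutoSize
    throw "Domain password policy on $Domain does not match the requirements"
}
Write-Host "Domain password policy on $Domain matches the requirements"
```

The values only change once the PDC emulator has processed the edited Default Domain Policy, so run `gpupdate /force` on the domain controller first if the check reports drift right after editing. On a server without the module, `net accounts /domain` prints the same maximum age, minimum length and history values from any domain-joined machine.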


That should enforce the password change policy throughout your network. Pat yourself on the back, you’re done… Now expect the phone to start ringing because some users cannot log in to their computers. It’s all good.