Configure Domain and Local Password Policy Settings
Learn On Demand
Learn On Demand Pro Series

Time: 1 hour
Difficulty: Beginner

This IT Pro Challenge hands-on lab teaches you how to configure both local and domain password policies using the Group Policy Editor and the Group Policy Management Console (GPMC), respectively. You will also learn how to implement a fine-grained password policy. You will use a provided user account to test the different password policies.

Overview

In this IT Pro Challenge, you will first use the Group Policy Editor to configure local password policies and then use the Group Policy Management Console (GPMC) to configure a domain password policy. Finally, you will learn how to configure and implement a fine-grained password policy. As a proof of concept, you will use a provided user account to test that the various password policies are being enforced correctly. The skills acquired in this lab are useful for a career as a Windows Server or system administrator.

Overview

The scenario for this lab is that you are a Windows Server administrator tasked with managing your company’s Active Directory Domain Services (AD DS) environment. To do this, you need to configure local and domain password policies. You will begin by configuring and testing a local password policy using the local Group Policy editor. Then you will configure and test a domain password policy using the Group Policy Management Console (GPMC). Finally, you will implement a fine-grained password policy.

Configure local password policy settings by using the local Group Policy editor

To begin the lab, you will launch the local Group Policy editor (gpedit.msc) and navigate to the Password Policy under Computer Configuration to view the local password policy settings. There, you will make several changes. You will set the minimum password length to seven characters and disable the Password must meet complexity requirements setting. Then you will change the password for a user (Mike Nash).

NOTE: Local group policy settings are applied to the local computer when it’s not connected to a domain. Group Policy Objects (GPOs) are processed in order: local, site, domain, and organizational unit (OU). Domain-level GPO settings take precedence over a local policy setting.

The following settings make up the password policy:

  • Enforce password history.
  • Maximum password age.
  • Minimum password age.
  • Minimum password length.
  • Password must meet complexity requirements.
  • Store passwords using reversible encryption.

Configure domain account password policy settings by using the Group Policy Management Console

Now you will sign in to another virtual machine and use the GPMC to set the minimum password length to 10 characters and enable the Password must meet complexity requirements setting. Next, you will switch back to the first virtual machine (SVR1) and join the computer to a provided domain. Then, back on the other virtual machine (DC1), you will configure the Mike Nash user account to require a password change.

Configure fine-grained password policies by using the Active Directory Administrative Center

You can use fine-grained password policies to apply password settings to privileged accounts. Fine-grained password settings can differ from those in the domain policy. These policies are saved in a password settings container rather than a GPO. A fine-grained password policy cannot be directly applied to an OU.

Finally, on the DC1 virtual machine, you will configure a fine-grained password policy (High Security Password Policy) with a precedence of 1 to require a 20-character password for members of the HR Admins group. To do this, you will use the Active Directory Administrative Center. You will add the Mike Nash user account to the HR Admins security group and force a password change upon login. As a proof of concept, you will try to sign in as Mike Nash and choose a password shorter than 20 characters. The login should fail because the Mike Nash account is required to have a 20-character password.
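The same fine-grained policy can be created and checked from PowerShell with the ActiveDirectory module. This is an added example, not part of the lab's own instructions; the account name `MikeNash` is a hypothetical sAMAccountName, and the group is assumed to be a global security group whose sAMAccountName is `HR Admins`.

```powershell
# Added example: run on DC1 (or a host with the RSAT ActiveDirectory module).
Import-Module ActiveDirectory

$policyName = 'High Security Password Policy'  # policy name from the lab text
$groupName  = 'HR Admins'                      # group from the lab text (assumed sAMAccountName)
$user       = 'MikeNash'                       # hypothetical sAMAccountName for Mike Nash

# Create the password settings object only if it does not exist, so the
# script can be re-run. Settings not named in the lab keep cmdlet defaults.
$pso = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'"
if (-not $pso) {
    $pso = New-ADFineGrainedPasswordPolicy -Name $policyName `
        -Precedence 1 -MinPasswordLength 20 -PassThru
}

# A fine-grained policy applies to users or global security groups, not OUs.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $policyName
if ($subjects.Name -notcontains $groupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $groupName
}

# Put the test account in the group and force a change at next logon.
$members = Get-ADGroupMember -Identity $groupName
if ($members.SamAccountName -notcontains $user) {
    Add-ADGroupMember -Identity $groupName -Members $user
}
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# Verify which policy actually wins for the account. The cmdlet returns
# nothing when no fine-grained policy applies (the domain policy is used).
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
$domain    = Get-ADDefaultDomainPasswordPolicy

if ($effective) {
    [pscustomobject]@{
        User               = $user
        EffectivePolicy    = $effective.Name
        Precedence         = $effective.Precedence
        EffectiveMinLength = $effective.MinPasswordLength
        DomainMinLength    = $domain.MinPasswordLength
    }
} else {
    Write-Warning "$user has no fine-grained policy; domain minimum length is $($domain.MinPasswordLength)."
}
```

If the warning branch fires, the usual causes are that the group is not a global security group or that the account was never added to it.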

Summary Conclusion

By taking this lab, you will learn how to use the Local Group Policy Editor to configure the local password policy, configure a domain password policy, and configure a fine-grained password policy using the Active Directory Administrative Center. As a proof of concept, you will test your changes using a provided user account to verify that password rules are working properly.