IMPAX 6.5.1 Application Server Knowledge Base > Armoring: Securing the Application Server

Password and account lockout policies: Reference


Security policies are rules that are configured to protect the resources on a computer or network. For additional information on Microsoft security policies, refer to the Microsoft Management Console help available in Local Security Settings.

Note:

On a standalone system with Windows XP Professional, password policy settings are not enforced on ADAM instances.

Password Policies

Password Policy Settings: Description

Enforce password history

Determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24.

To maintain the effectiveness of the password history, do not allow passwords to be changed immediately when you configure the Minimum password age.

Maximum password age

Determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0.

Minimum password age

Determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 999 days, or you can allow changes immediately by setting the number of days to 0.

The minimum password age must be less than the Maximum password age. Configure the minimum password age to be greater than 0 if you want Enforce password history to be effective.

Minimum password length

Determines the minimum number of characters that a password for a user account may contain. You can set a value between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.

Password must meet complexity requirements

Determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements:

  • Cannot contain all or part of the user's account name

  • Must be at least six characters in length

  • Must contain characters from three of the following four categories:

    • English uppercase characters (A through Z)

    • English lowercase characters (a through z)

    • Base 10 digits (0 through 9)

    • Non-alphanumeric characters (e.g., !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.
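The following is an added example, not code from the IMPAX documentation or from Microsoft: a small Python checker that applies the three complexity rules listed above to a candidate password. The six-character minimum, the four character categories and the three-of-four rule come from the reference; the way the account name is split into parts (on spaces, commas, periods, dashes, underscores, pound signs and tabs, ignoring parts shorter than three characters) is an assumption made here for illustration.

```python
import re
import string
from typing import Dict, List, Set

# Constructed example: mirrors the "Password must meet complexity requirements"
# rules described in this reference. Not Agfa's or Microsoft's code.

# The four character categories; a password must draw on at least three.
CATEGORIES: Dict[str, Set[str]] = {
    "upper": set(string.ascii_uppercase),   # A through Z
    "lower": set(string.ascii_lowercase),   # a through z
    "digit": set(string.digits),            # 0 through 9
    "symbol": set(string.punctuation),      # non-alphanumeric, e.g. ! $ # %
}

MIN_LENGTH = 6  # from the reference


def account_name_parts(account_name: str, min_part_len: int = 3) -> List[str]:
    """Split an account name on common delimiters.

    Parts shorter than min_part_len are ignored so that single letters such as
    a middle initial do not reject every password. The delimiter set and the
    three-character cutoff are assumptions for this example, not from the page.
    """
    parts = re.split(r"[ ,.\-_#\t]+", account_name)
    return [p.lower() for p in parts if len(p) >= min_part_len]


def check_complexity(password: str, account_name: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems: List[str] = []
    lowered = password.lower()

    # Rule 1: cannot contain all or part of the account name (case-insensitive).
    if account_name and account_name.lower() in lowered:
        problems.append("contains the account name")
    else:
        for part in account_name_parts(account_name):
            if part in lowered:
                problems.append(f"contains part of the account name ({part!r})")
                break

    # Rule 2: at least six characters.
    if len(password) < MIN_LENGTH:
        problems.append("shorter than six characters")

    # Rule 3: characters from at least three of the four categories.
    present = [name for name, chars in CATEGORIES.items()
               if any(c in chars for c in password)]
    if len(present) < 3:
        used = ", ".join(present) or "none"
        problems.append(f"only {len(present)} of four character categories used ({used})")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    for pw, acct in [("Tr0ub4dor!", "jsmith"), ("jsmith99", "jsmith"),
                     ("Abc12", "jsmith"), ("Smith2024", "John Smith")]:
        result = check_complexity(pw, acct)
        print(f"{pw!r} for {acct!r}: {'OK' if not result else '; '.join(result)}")
```

The checker reports every violated rule rather than stopping at the first one, which is what a help-desk operator needs when explaining to a user why a new password was rejected.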

Store password using reversible encryption for all users in the domain

Determines whether passwords are stored using reversible encryption.

This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.

This policy is required when using CHAP authentication through remote access or IAS services. It is also required when using Digest Authentication in Internet Information Services (IIS).

Account Lockout Policies

Account Lockout Settings: Description

Account lockout duration

Determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is 1 to 99,999 minutes. You can specify that the account will be locked out until an administrator explicitly unlocks it by setting the value to 0.

If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time.

This policy setting only applies when an Account lockout threshold is specified.

Account lockout threshold

Determines the number of failed logon attempts before a user account is locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 1 and 999 failed logon attempts, or you can specify that the account will never be locked out by setting the value to 0.

Reset account lockout counter after

Determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration.

This policy setting only has meaning when an Account lockout threshold is specified.
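The following is an added example, not code from the IMPAX documentation or from Microsoft: a Python model of how the three lockout settings above interact, first checking a policy against the ranges and the "duration must be greater than or equal to the reset time" constraint from the reference, then replaying a constructed sequence of logon attempts against it. The sample policy values (5 attempts, 30-minute reset window, 30-minute lockout) and the attempt timestamps are chosen here for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example modelling the account lockout settings in this reference.
# Not Agfa's or Microsoft's code; sample values are chosen for illustration.


@dataclass
class LockoutPolicy:
    threshold: int     # failed attempts before lockout; 0 = never lock out
    duration: int      # minutes locked out; 0 = until an administrator unlocks
    reset_after: int   # minutes after a failure before the bad-attempt counter resets

    def validate(self) -> List[str]:
        """Return configuration errors (empty if the policy is consistent)."""
        errors = []
        if not 0 <= self.threshold <= 999:
            errors.append("threshold must be 0..999")
        if not 0 <= self.duration <= 99999:
            errors.append("duration must be 0..99999")
        if not 1 <= self.reset_after <= 99999:
            errors.append("reset window must be 1..99999")
        # The duration/reset constraint only applies when a threshold is set and
        # the duration is not "until an administrator unlocks" (0).
        if self.threshold and self.duration and self.duration < self.reset_after:
            errors.append("lockout duration must be >= reset window")
        return errors


@dataclass
class Account:
    bad_count: int = 0
    last_bad: Optional[int] = None    # minute of the most recent failed attempt
    locked_at: Optional[int] = None   # minute the lockout began, if locked


def logon(policy: LockoutPolicy, acct: Account, minute: int, correct_password: bool) -> str:
    """Apply one logon attempt at `minute`; return 'ok', 'bad_password' or 'locked_out'."""
    # A lockout expires after `duration` minutes; duration 0 never expires by itself.
    if acct.locked_at is not None:
        if policy.duration and minute - acct.locked_at >= policy.duration:
            acct.locked_at = None
            acct.bad_count = 0
        else:
            return "locked_out"   # rejected even if the password is correct

    # The bad-attempt counter resets once the reset window has elapsed.
    if acct.last_bad is not None and minute - acct.last_bad >= policy.reset_after:
        acct.bad_count = 0

    if correct_password:
        acct.bad_count = 0
        acct.last_bad = None
        return "ok"

    acct.bad_count += 1
    acct.last_bad = minute
    if policy.threshold and acct.bad_count >= policy.threshold:
        acct.locked_at = minute
    return "bad_password"


def run(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Replay (minute, correct_password) attempts against a fresh account."""
    acct = Account()
    return [logon(policy, acct, minute, ok) for minute, ok in attempts]


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, duration=30, reset_after=30)
    print("policy errors:", policy.validate() or "none")
    # Five failures in five minutes, then the right password at minute 5 and 36.
    burst = [(0, False), (1, False), (2, False), (3, False), (4, False), (5, True), (36, True)]
    print("burst:", run(policy, burst))
    # Three failures, then two more after the reset window: no lockout.
    spread = [(0, False), (0, False), (0, False), (31, False), (32, False)]
    print("spread:", run(policy, spread))
```

Replaying the burst shows why the correct password is rejected at minute 5 but accepted at minute 36, and the spread sequence shows the reset window letting a slow trickle of failures never reach the threshold; both behaviours are worth keeping in mind when sizing the three values for an Application Server that many users share.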


Topic number: 11366

Applies to: IMPAX 6.5.1 Application Server Knowledge Base