Do you still need a Password Policy nowadays?

🛠️ Practical Bits

𝗗𝗼 𝘆𝗼𝘂 𝘀𝘁𝗶𝗹𝗹 𝗻𝗲𝗲𝗱 𝗮 𝗣𝗮𝘀𝘀𝘄𝗼𝗿𝗱 𝗣𝗼𝗹𝗶𝗰𝘆 𝗻𝗼𝘄𝗮𝗱𝗮𝘆𝘀?

Yes — even if you use MFA or passwordless options.

In Active Directory there are always 𝗲𝘅𝗰𝗲𝗽𝘁𝗶𝗼𝗻𝘀: service accounts, temporary accounts, break-glass accounts, newly created users… and those still rely on passwords. Strong password + lockout policies 𝗿𝗮𝗶𝘀𝗲 𝘁𝗵𝗲 𝗯𝗮𝗿 against password spraying and brute force.

✅ Here’s a simple checklist you can apply today:

1️⃣ 𝗢𝗻𝗲 𝗯𝗮𝘀𝗲𝗹𝗶𝗻𝗲 𝗽𝗮𝘀𝘀𝘄𝗼𝗿𝗱 + 𝗹𝗼𝗰𝗸𝗼𝘂𝘁 𝗽𝗼𝗹𝗶𝗰𝘆 (domain-wide)

Make sure you have one policy for the whole domain (use CIS/NIST as a reference, or your standard).

→ And no — 𝘆𝗼𝘂 𝗰𝗮𝗻’𝘁 “𝘀𝘁𝗮𝗰𝗸” multiple GPOs for the default domain password/lockout policy.

2️⃣ 𝗙𝗶𝗻𝗲-𝗚𝗿𝗮𝗶𝗻𝗲𝗱 𝗣𝗮𝘀𝘀𝘄𝗼𝗿𝗱 𝗣𝗼𝗹𝗶𝗰𝗶𝗲𝘀 (FGPP) for privileged + service accounts

If you can, create one or more FGPPs for:

• 𝗽𝗿𝗶𝘃𝗶𝗹𝗲𝗴𝗲𝗱 admin accounts

• 𝘀𝗲𝗿𝘃𝗶𝗰𝗲 accounts

These often need stricter settings (especially length). FGPP is scoped to groups/identities, which is exactly what you want.

❗Don’t forget the hard part: 𝗲𝗻𝗳𝗼𝗿𝗰𝗲𝗺𝗲𝗻𝘁

Having a policy is only step one — you still need to make accounts comply. They will change their passwords as expiration goes. But you also want to make sure there are 𝗻𝗼 𝘀𝘁𝗮𝗹𝗲, 𝗶𝗻𝗮𝗰𝘁𝗶𝘃𝗲 and other kind of accounts with 𝗵𝗶𝘀𝘁𝗼𝗿𝗶𝗰 𝗽𝗮𝘀𝘀𝘄𝗼𝗿𝗱𝘀.

Start by finding accounts that haven’t changed passwords in a long time (e.g., 1 year+) and review Password Never Expires.

____

𝗣𝗼𝘄𝗲𝗿𝗦𝗵𝗲𝗹𝗹 (𝗮𝗰𝗰𝗼𝘂𝗻𝘁𝘀 𝘄𝗶𝘁𝗵 𝗽𝗮𝘀𝘀𝘄𝗼𝗿𝗱 𝗼𝗹𝗱𝗲𝗿 𝘁𝗵𝗮𝗻 𝟭 𝘆𝗲𝗮𝗿):

Get-ADUser -Filter ‘enabled -eq $true’ -Properties Name, PwdLastSet,lastlogonTimestamp | select name, @{N=’pwdlastset’ ; E={[DateTime]::FromFileTime($_.PwdLastSet)}}, @{N=’LastLogonTimestamp’ ; E={[DateTime]::FromFileTime($_.lastlogonTimestamp)}} | Where-Object {$_.PwdLastSet -le $(Get-Date -date $(get-date).AddDays(-365))} | Sort-Object -Property PwdLastSet

____

(𝙊𝙧 𝙪𝙨𝙚 𝙢𝙮 𝙛𝙧𝙚𝙚 𝘼𝘿𝙋𝙧𝙤𝙗𝙚 𝙩𝙤𝙤𝙡)

That’s it — one small move, but a real step toward a safer AD.