Section 8.5: Configuring Account Policies

8.5.1: Configuring Password Policy

Password Policy improves system security by controlling how passwords are created and managed. For example, you can specify the maximum length of time a password can be used before the user must change it, which limits how long a password that has been guessed or stolen remains useful. You can also specify a minimum password length and keep a history of the passwords each user has used; the history prevents a user from alternating between two favourite passwords. Table 8.6 lists the password policy options that you can configure.

Table 8.6: Password Policy Options

Enforce Password History
  Prevents the user from specifying a password that they have used previously. Windows Server 2003 can remember up to 24 previous passwords for each user. By default this option is not enabled on a standalone computer (0 passwords remembered); the Default Domain Policy sets it to 24.

Maximum Password Age
  Specifies the number of days a user can log on with a particular password before he or she is required to change it. The default is 42 days; the value can be set from 1 to 999 days, and 0 means the password never expires.

Minimum Password Age
  Specifies the number of days a user must keep a password before he or she can change it. The default is 0, which means the password can be changed immediately. The minimum password age must be less than the maximum password age (unless the maximum is 0). Leaving it at 0 makes the history setting ineffective, because a user can change the password 24 times in a row and return to the original; 1 day is the usual minimum.

Minimum Password Length
  Specifies the minimum number of characters required in a password. The policy value ranges from 0 to 14 characters inclusive (users may still choose longer passwords). The default is 0, which means no password is required and a blank password is accepted.

Passwords Must Meet Complexity Requirements
  When enabled, a new password must be at least six characters long; must contain characters from at least three of the four classes uppercase letters, lowercase letters, digits, and non-alphanumeric characters (for example !, $, #, %); and must not contain the user's account name or any part of the user's full name longer than two characters. The check is applied when a password is set or changed, in addition to the minimum length and history settings. It does not reject dictionary words or predictable patterns, so a password such as Summer2003 still satisfies it. Disabled by default on a standalone computer; enabled in the Default Domain Policy.

Store Password Using Reversible Encryption For All Users In The Domain
  Stores each password in a form that Windows can decrypt back to the plaintext. This is needed only by authentication protocols that require the plaintext, such as CHAP for remote access or Digest authentication. Because it is equivalent to storing plaintext passwords, leave it disabled (the default) unless such a protocol requires it.
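The complexity rule above is easy to misread, so the following is an added PowerShell function, not code from the original page, that re-implements the three checks Windows applies when Passwords Must Meet Complexity Requirements is enabled. The function name Test-PasswordComplexity, the user jsmith / "John Smith" and the sample passwords are constructed for illustration; the script assumes Windows PowerShell 2.0 or later (an optional install on Windows Server 2003).

```powershell
# Added example: the Windows "Passwords Must Meet Complexity Requirements" rule,
# re-implemented in PowerShell so the three checks can be seen and tried offline.
# Test-PasswordComplexity is a hypothetical name; it is not a built-in cmdlet.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory = $true)] [string] $Password,
        [string] $AccountName = '',   # samAccountName, e.g. jsmith
        [string] $FullName = ''       # display name, e.g. "John Smith"
    )
    $reasons = @()
    $lower   = $Password.ToLower()

    # 1. At least six characters (the rule's own minimum, separate from Minimum Password Length).
    if ($Password.Length -lt 6) { $reasons += 'shorter than 6 characters' }

    # 2a. Must not contain the account name (case-insensitive).
    if ($AccountName -ne '' -and $lower.Contains($AccountName.ToLower())) {
        $reasons += 'contains the account name'
    }

    # 2b. Must not contain any part of the full name longer than two characters.
    #     The full name is split on the delimiters Windows uses:
    #     comma, period, hyphen, underscore, space, pound sign, tab.
    foreach ($token in [regex]::Split($FullName, '[,.\-_ #\t]+')) {
        if ($token.Length -gt 2 -and $lower.Contains($token.ToLower())) {
            $reasons += "contains part of the full name ('$token')"
        }
    }

    # 3. Characters from at least three of four classes. -cmatch is case-sensitive,
    #    which is what distinguishes the upper-case and lower-case classes.
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -cmatch '[0-9]')        { $classes++ }
    if ($Password -cmatch '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $reasons += "only $classes of 4 character classes" }

    New-Object PSObject -Property @{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = $reasons
    }
}

# Constructed sample inputs for a hypothetical user jsmith / "John Smith".
Test-PasswordComplexity -Password 'Tr4nsit!house' -AccountName 'jsmith' -FullName 'John Smith'  # four classes, no name fragments: passes
Test-PasswordComplexity -Password 'smith2003'     -AccountName 'jsmith' -FullName 'John Smith'  # contains 'Smith' and only two classes: fails
Test-PasswordComplexity -Password 'Summer2003'    -AccountName 'jsmith' -FullName 'John Smith'  # three classes, so it passes despite being a guessable pattern
```

The third sample is the point worth remembering: complexity checks character classes and name fragments only, so a season-plus-year password passes. Length and a minimum password age do more against guessing than the complexity flag alone.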

You can configure Password Policy on a computer running Windows Server 2003 by using Group Policy or Local Security Policy. Local Security Policy governs only the local accounts on that computer; for domain accounts the settings must come from a Group Policy object linked to the domain, such as the Default Domain Policy. To use Local Security Policy:

• Click the START button

• Point to PROGRAMS

• Point to ADMINISTRATIVE TOOLS

• Click LOCAL SECURITY POLICY (on a domain controller, DOMAIN SECURITY POLICY edits the domain-level settings instead)

• Expand ACCOUNT POLICIES

• Click PASSWORD POLICY

• Right-click the Password Policy option that you want to configure

• Click PROPERTIES

• Set the option's value

• Click OK

8.5.2: Configuring Account Lockout Policy

The Account Lockout Policy settings also improve the security of your computer. Without an account lockout policy, an unauthorized user can keep guessing a password for as long as they like, submitting one candidate after another to the logon prompt. With an account lockout policy in place, the system locks the user account under the conditions you specify. These conditions are listed in Table 8.7.

Table 8.7: Account Lockout Policy Options

Account Lockout Duration
  Specifies the number of minutes the account stays locked out. A value of 0 means the account is locked out indefinitely until an administrator unlocks it. When a threshold is set, this value must be greater than or equal to Reset Account Lockout Counter After.

Account Lockout Threshold
  Specifies the number of invalid logon attempts (0 to 999) before the account is locked out from logging on to the computer. A value of 0, the default, means the account is never locked out. A very low threshold stops online password guessing sooner, but it also lets anyone who knows a user name lock that user out deliberately, so the threshold is usually set high enough (ten or more) to tolerate ordinary typing mistakes.

Reset Account Lockout Counter After
  Specifies the number of minutes after the last failed attempt before the invalid-attempt counter returns to 0. The value must be less than or equal to Account Lockout Duration.
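The same settings from Table 8.6 and Table 8.7 can be applied without the Local Security Policy console by writing a security template and loading it with secedit, which ships with Windows Server 2003. The following is an added example, not from the original page: the file paths are hypothetical, the script assumes Windows PowerShell 2.0 or later, and the values are an illustrative hardened baseline rather than the Windows defaults (the defaults are noted in the comments for comparison).

```powershell
# Added example: set both Password Policy (Table 8.6) and Account Lockout Policy
# (Table 8.7) from a security template with secedit, instead of clicking through
# Local Security Policy. Paths are hypothetical; the values are an illustrative
# hardened baseline, not Windows defaults. Comments inside the template are on
# their own lines because secedit reads INF syntax.
$template = @'
[Unicode]
Unicode=yes

[System Access]
; ---- Password Policy (Table 8.6) ----
; Enforce Password History. Default on a standalone server: 0 (no history kept)
PasswordHistorySize = 24
; Maximum Password Age in days. Default 42; 0 would mean passwords never expire
MaximumPasswordAge = 42
; Minimum Password Age in days. Default 0; at least 1, or users can cycle through the history at once
MinimumPasswordAge = 1
; Minimum Password Length. Default 0 (blank passwords allowed); the policy accepts 0-14
MinimumPasswordLength = 8
; Passwords Must Meet Complexity Requirements. Default 0 on a standalone server
PasswordComplexity = 1
; Store Password Using Reversible Encryption. 1 is equivalent to plaintext; keep 0
ClearTextPassword = 0

; ---- Account Lockout Policy (Table 8.7) ----
; Account Lockout Threshold. Default 0 = never lock out; 10 limits online guessing
; without letting a few typing mistakes lock a user out
LockoutBadCount = 10
; Reset Account Lockout Counter After, in minutes; must not exceed LockoutDuration
ResetLockoutCount = 30
; Account Lockout Duration in minutes; 0 = locked until an administrator unlocks the account
LockoutDuration = 30

[Version]
signature="$CHICAGO$"
Revision=1
'@

$inf = 'C:\Temp\AccountPolicy.inf'   # hypothetical paths
$db  = 'C:\Temp\AccountPolicy.sdb'
$log = 'C:\Temp\AccountPolicy.log'

# [Unicode] Unicode=yes means the file must be written as UTF-16.
Set-Content -Path $inf -Value $template -Encoding Unicode

# Apply only the account-policy area; other template areas are left untouched.
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /log $log

# Verify the effective settings for this computer's local accounts.
net accounts
```

Run against a member server or standalone computer this changes only the local SAM policy, which is what Local Security Policy edits. Account policy for domain accounts is taken solely from a Group Policy object linked at the domain root, so on a domain the same [System Access] values belong in that GPO, and `net accounts /domain` shows what the domain is enforcing. Keep ResetLockoutCount at or below LockoutDuration, otherwise secedit rejects the combination.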