Password Policy

The password policy helps ensure that a user's password is strong and is changed periodically, so that cracking it becomes impractical for an attacker.

By default, the password policy is configured like this:

| Policy | Default value |
|---|---|
| Enforce password history | 24 passwords |
| Maximum password age | 42 days |
| Minimum password age | 1 day |
| Minimum password length | 7 |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption | Disabled |
| Account lockout duration | Not set |
| Account lockout threshold | 0 |
| Reset account lockout counter after | Not set |

From an attacker's point of view, it is useful to list the password policy in force on the domain before attempting any of the following:

  • Bruteforce

  • Guessing

  • Spraying

  • Cracking

cme smb 192.168.1.0/24 -u <USERNAME> -p '<PASSWORD>' --pass-pol
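
The same policy can be reviewed from the defender's side. The PowerShell function below is an added example, not part of the original page: it flags the settings in a policy object that leave password guessing unthrottled or passwords weak. The function name `Test-PasswordPolicy` and the baseline values (`$MinLength`, `$MinHistory`) are assumptions to adapt to your own standard; the property names are those returned by `Get-ADDefaultDomainPasswordPolicy`.

```powershell
# Added example: audit a domain password policy object for weak settings.
function Test-PasswordPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        # Illustrative baseline (assumption, not from the page).
        [int] $MinLength  = 14,
        [int] $MinHistory = 24
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        if ($Policy.LockoutThreshold -eq 0) {
            $findings.Add('LockoutThreshold is 0: accounts never lock out, so online guessing is not throttled')
        }
        if ($Policy.MinPasswordLength -lt $MinLength) {
            $findings.Add("MinPasswordLength is $($Policy.MinPasswordLength), below the baseline of $MinLength")
        }
        if (-not $Policy.ComplexityEnabled) {
            $findings.Add('Complexity requirements are disabled')
        }
        if ($Policy.ReversibleEncryptionEnabled) {
            $findings.Add('Reversible encryption is enabled: stored passwords can be recovered in clear text')
        }
        if ($Policy.PasswordHistoryCount -lt $MinHistory) {
            $findings.Add("PasswordHistoryCount is $($Policy.PasswordHistoryCount), below the baseline of $MinHistory")
        }
        if ($Policy.PasswordHistoryCount -gt 0 -and $Policy.MinPasswordAge -le [TimeSpan]::Zero) {
            $findings.Add('MinPasswordAge is 0: users can cycle through the history and reuse an old password')
        }
        $findings   # one string per finding; empty when nothing is flagged
    }
}

# Constructed sample: the default values from the table above.
$defaultPolicy = [pscustomobject]@{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
    MinPasswordAge              = [TimeSpan]::FromDays(1)
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 0
}
$defaultPolicy | Test-PasswordPolicy

# On a host with the ActiveDirectory module, audit the live policy instead:
# Get-ADDefaultDomainPasswordPolicy | Test-PasswordPolicy
```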
