1
00:00:03,780 --> 00:00:08,790
Password policies are unique within Group Policy, as they can only be set once per domain.

2
00:00:08,790 --> 00:00:14,030
This means that, unlike any other policy, these need to be set in a group policy that is applied at domain

3
00:00:14,250 --> 00:00:14,840
level.

4
00:00:14,850 --> 00:00:19,710
If for any reason there is more than one password policy in existence on a domain, only one will have

5
00:00:19,710 --> 00:00:20,490
any effect.

6
00:00:20,520 --> 00:00:25,620
Although passwords are set on user accounts, the settings for password policies are actually in the Computer

7
00:00:25,620 --> 00:00:32,340
Configuration options and can be found under Computer Configuration, Policies, Windows Settings, Security

8
00:00:32,340 --> 00:00:37,320
Settings, Account Policies, Password Policy. Options here are as follows.

9
00:00:37,320 --> 00:00:38,830
Enforce password history.

10
00:00:38,900 --> 00:00:44,190
This stops password reuse, for example adding a number to a password and then incrementing the number

11
00:00:44,250 --> 00:00:48,250
every time the password is changed rather than changing the password properly.

12
00:00:48,270 --> 00:00:52,710
Maximum password age. This determines how often a user must reset their password.

13
00:00:52,740 --> 00:00:58,680
For example, if this is set to 30, a user would have to change their password once every 30 days. Minimum

14
00:00:58,680 --> 00:00:59,670
password age.

15
00:00:59,690 --> 00:01:04,170
This determines how long the user must wait after changing their password before they can change it

16
00:01:04,170 --> 00:01:04,860
again.

17
00:01:04,860 --> 00:01:06,340
Minimum password length.

18
00:01:06,360 --> 00:01:11,550
This is the minimum length in characters that a password must be in order to be accepted by the system

19
00:01:11,580 --> 00:01:16,260
when setting or changing the password. Password must meet complexity requirements.

20
00:01:16,260 --> 00:01:21,240
This means that when a password is set, it must meet the following requirements: the user name must not

21
00:01:21,240 --> 00:01:26,060
be contained within the password; the password must contain at least three out of the following five

22
00:01:26,070 --> 00:01:33,170
special character types: uppercase letters, lowercase letters, numbers, special characters, Unicode characters.

23
00:01:33,210 --> 00:01:35,430
The next option here is Store passwords

24
00:01:35,430 --> 00:01:37,030
using reversible encryption.

25
00:01:37,140 --> 00:01:42,360
This option allows passwords to be retrieved once set by certain applications, but is normally disabled

26
00:01:42,360 --> 00:01:43,050
by default.

27
00:01:43,050 --> 00:01:48,450
In most organizations, unless there are very specific circumstances within your company, it's normally

28
00:01:48,450 --> 00:01:53,560
a bad idea to enable reversible encryption for passwords, as it can have security implications

29
00:01:53,580 --> 00:01:56,460
should your network become compromised for any reason.

30
00:01:56,460 --> 00:02:01,440
Some examples of when this may need to be enabled are the existence of some legacy applications that

31
00:02:01,440 --> 00:02:05,220
require domain user authentication but that don't support encryption.

32
00:02:05,220 --> 00:02:10,830
Some examples being digest authentication on a web server or a custom software package that hasn't been

33
00:02:10,830 --> 00:02:12,020
updated for a while.

34
00:02:12,090 --> 00:02:17,430
Now that we've gone over password policies, let's move on to policy differences between Windows versions.