Monitoring Password Policy Changes

Active Directory | October 15, 2015 | 2 min read

Strong and consistent password policies are essential for any corporation. Without a solid password policy, attackers have one more avenue to gain access to the network and resources. Windows Active Directory provides an easy way to configure a password policy that will force all Active Directory users to have strong passwords.

By default, this password policy is configured in the Default Domain Policy, which is one of the two default Group Policy Objects (GPOs) created when you install Active Directory. However, the password policy can be configured in any GPO linked to the domain, so you can't be 100 percent confident that the Default Domain Policy is the GPO containing the password policy settings that are in effect. To find out which GPO(s) are being used to configure the password policy, run the Group Policy Results option in the Group Policy Management Console for any user, on any domain controller. Figure 1 shows the results of this query.

Figure 1. Password policy results using Group Policy Results.

Now that you have the current password policy configuration, you only need to monitor when these settings change. Unfortunately, doing this with the Microsoft tools that come with Active Directory or Windows Server is rather difficult, because the process is manual and laborious. Fortunately, if you use a tool like ADAudit Plus, it is very simple.
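To show what the manual route involves, here is an added example (not from the original article and not part of ADAudit Plus) that snapshots the password policy in effect on the domain and compares it with a saved baseline. It assumes the RSAT ActiveDirectory module is installed; the baseline path and the function names are hypothetical.

```powershell
# Added example: detect drift in the domain password policy against a baseline.
# Assumption: RSAT ActiveDirectory module is installed; run as a scheduled task.
Import-Module ActiveDirectory

$BaselinePath = 'C:\PolicyBaseline\domain-password-policy.json'  # hypothetical path

# Password and lockout settings returned by Get-ADDefaultDomainPasswordPolicy.
$Settings = 'MinPasswordLength', 'PasswordHistoryCount', 'ComplexityEnabled',
            'ReversibleEncryptionEnabled', 'MinPasswordAge', 'MaxPasswordAge',
            'LockoutThreshold', 'LockoutDuration', 'LockoutObservationWindow'

function Get-PolicySnapshot {
    # Read the policy in effect on the domain, whichever GPO set it.
    # Values are flattened to strings so TimeSpan settings survive the JSON round trip.
    $policy = Get-ADDefaultDomainPasswordPolicy
    $snapshot = [ordered]@{}
    foreach ($name in $Settings) { $snapshot[$name] = [string]$policy.$name }
    $snapshot
}

function Compare-PolicySnapshot {
    param($Baseline, $Current)
    # Emit one object per setting whose value differs from the baseline.
    foreach ($name in $Settings) {
        if ([string]$Baseline.$name -ne [string]$Current.$name) {
            [pscustomobject]@{
                Setting  = $name
                Previous = $Baseline.$name
                Current  = $Current.$name
            }
        }
    }
}

$current = Get-PolicySnapshot
if (-not (Test-Path $BaselinePath)) {
    # First run: record the baseline and stop.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline recorded at $BaselinePath"
} else {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $changes  = @(Compare-PolicySnapshot -Baseline $baseline -Current $current)
    if ($changes.Count -gt 0) {
        Write-Warning "Domain password policy differs from the baseline:"
        $changes | Format-Table -AutoSize
        exit 1   # non-zero exit lets the scheduler raise an alert
    }
    Write-Output "No change in domain password policy."
}
```

This reports that a setting changed and its previous value, but not who changed it or in which GPO, and the baseline file must be protected from tampering.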

ADAudit Plus has a pre-defined report that shows you if the password policy changes. You can see this report in Figure 2.

Figure 2. ADAudit Plus built-in report for password policy changes.

As you can see in the report, each change that occurs in any GPO will appear. Therefore, you simply need to look for changes to the GPOs listed in the Group Policy Results report to find any changes to the active password policy for domain users.

As a final option, you can set up an alert (dashboard or email) to notify you when the password policy changes in any GPO. This is essential for staying aware of changes to the domain password policy, or even to the local password policy on servers. You can see how this alert would be set up in Figure 3.

Figure 3. Alert for password policy changes report.

Keeping track of your domain password policy, knowing the current settings, and being alerted when any change occurs to the password policy settings is pivotal to running your business smoothly. This can all be completely controlled using ADAudit Plus.