Manage password policies for AWS Managed Microsoft AD
AWS Managed Microsoft AD enables you to define and assign different password and account lockout
policies (also referred to as fine-grained password policies
Policy | Setting |
---|---|
Enforce password history | 24 passwords remembered |
Maximum password age | 42 days * |
Minimum password age | 1 day |
Minimum password length | 7 characters |
Password must meet complexity requirements | Enabled |
Store passwords using reversible encryption | Disabled |
* Note: The 42-day maximum password age includes the admin password.
For example, you can assign a less strict policy setting for employees who have access to low-sensitivity information only. For senior managers who regularly access confidential information, you can apply stricter settings.
The following are resources to learn more about Microsoft Active Directory fine-grained password policies and security policies:
AWS provides a set of fine-grained password policies in AWS Managed Microsoft AD that you can
configure and assign to your groups. To configure the policies, you can use standard
Microsoft policy tools such as Active Directory Administrative Center
How password policies are applied
How the fine-grained password policies are applied depends on whether the password was reset or changed. Domain users can change their own password. An Active Directory administrator or a user with the necessary permissions can reset users' passwords. See the following chart for more information.
Policy | Password Reset | Password Change |
---|---|---|
Enforce password history | ||
Maximum password age | ||
Minimum password age | ||
Minimum password length | ||
Password must meet complexity requirements | ||
These differences have security implications. For example, whenever a user's password is
reset, the enforce password history and minimum password age policies are not enforced. For more
information, see Microsoft documentation on the security considerations related to enforce password history
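
The group-based assignment described above can also be done from PowerShell with the ActiveDirectory module rather than Active Directory Administrative Center. This is an added example, not code from AWS or the original page; the policy, group and user names are placeholders, and the minimum length and lockout values are assumed example choices.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumed, not from the page): substitute names from your directory.
$PolicyName = '<fine-grained-policy-name>'
$GroupName  = '<senior-managers-group>'      # must be a global security group
$SampleUser = '<member-sam-account-name>'

# 1. Inventory the fine-grained policies. When several apply to a user,
#    the one with the lowest Precedence value takes effect.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Format-Table Name, Precedence, MinPasswordLength, PasswordHistoryCount,
                 MinPasswordAge, MaxPasswordAge, ComplexityEnabled, LockoutThreshold

# 2. Tighten one policy. History, ages, complexity and reversible encryption
#    mirror the default table; length and lockout values are example choices.
$settings = @{
    Identity                    = $PolicyName
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    MinPasswordAge              = (New-TimeSpan -Days 1)
    MaxPasswordAge              = (New-TimeSpan -Days 42)
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 5
    LockoutObservationWindow    = (New-TimeSpan -Minutes 15)
    LockoutDuration             = (New-TimeSpan -Minutes 30)  # must be >= observation window
}
Set-ADFineGrainedPasswordPolicy @settings

# 3. Assign the policy to the group holding the higher-sensitivity users.
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName |
    Format-Table Name, ObjectClass

# 4. Verify what a member actually receives. The cmdlet returns nothing when
#    no fine-grained policy applies, in which case the default domain policy governs.
$effective = Get-ADUserResultantPasswordPolicy -Identity $SampleUser
if ($null -eq $effective) {
    Write-Warning "$SampleUser has no fine-grained policy; the default domain policy applies."
    Get-ADDefaultDomainPasswordPolicy
} else {
    $effective | Format-List Name, Precedence, MinPasswordLength,
                             PasswordHistoryCount, MinPasswordAge, MaxPasswordAge
}
```

Because a reset does not enforce password history or minimum password age, the history and minimum-age values set here constrain user-initiated changes, not administrative resets.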