AD PSO – more complex AD passwords for privileged accounts

Val Komarovskiy, MBA

Privileged Active Directory accounts such as Domain Admin and Exchange Admin should have more complex passwords compared to regular user accounts. Privileged accounts, such as Domain Admin, Enterprise Admin, Schema Admin and Exchange Admin member accounts or accounts with elevated AD delegated access rights, have higher levels of authority and control over Active Directory, Microsoft Exchange and sensitive data, and member servers. Therefore, securing these accounts with stronger passwords is an important security practice.

Here are some reasons why privileged accounts should have more complex passwords:

Increased Security: Complex passwords are harder to guess or crack through automated or manual password attacks. By using a combination of uppercase and lowercase letters, numbers, and special characters, the password becomes more resistant to brute-force and dictionary-based attacks.

Mitigating Credential-Based Attacks: Privileged accounts are often targeted by cybercriminals seeking unauthorized access to sensitive systems or data. By enforcing complex passwords, organizations can reduce the risk of successful credential-based attacks, such as password guessing, password spraying, or credential stuffing.

Defense Against Password Cracking Techniques: Sophisticated attackers may attempt to crack passwords using advanced techniques, including offline password cracking. Complex passwords, with a sufficient number of characters and complexity requirements, make it significantly more difficult and time-consuming to crack through such methods.

Compliance Requirements: Many industry regulations and security frameworks mandate the use of strong passwords for privileged accounts. Adhering to these requirements helps organizations demonstrate compliance and meet security standards.

Defense in Depth: Complex passwords serve as one layer of defense in a broader security strategy. It is important to complement password complexity with additional security measures, such as multi-factor authentication (MFA), privileged access management (PAM), and regular monitoring of privileged account activities.

[Figure: time required to crack a password based on complexity]

In Microsoft Active Directory, a PSO (Password Settings Object) is an object that defines a specific password policy for a set of users or groups within a domain. A PSO allows administrators to apply password policies beyond the single default domain password policy.

Here are some key points about Active Directory PSOs:

Customized Password Policies: By default, Active Directory has a single password policy that applies to all user accounts within a domain. However, with PSOs, administrators can define additional password policies tailored to specific sets of users or groups. This allows for more granular control over password requirements and enforcement.

Password Policy Parameters: PSOs define various parameters for password policies, including password complexity requirements, minimum and maximum password length, password history, password expiration, and account lockout thresholds. These parameters can be customized to meet specific security and compliance needs.

Application to Users or Groups: PSOs can be applied to individual user accounts or groups of users within an Active Directory domain. This flexibility allows administrators to enforce different password policies based on user roles, departments, or other organizational criteria.

Multiple PSOs per Domain: A domain can have multiple PSOs defined, each with its own unique set of password policy parameters. This allows administrators to have different policies for different sets of users or groups within the same domain.

Precedence and Inheritance: When multiple PSOs apply to a user or group, the PSO with the highest precedence takes effect. The precedence can be defined based on the PSO’s link order or based on an explicit assignment to a user or group. PSOs can also inherit settings from a default domain policy.

Administrative Control: Creating and managing PSOs typically requires administrative privileges in Active Directory. Only users with appropriate permissions can create, modify, or link PSOs within the domain.

Enhancing Security and Compliance: Active Directory PSOs offer a way to enforce stronger password policies for specific users or groups, helping enhance security and meet regulatory compliance requirements. By setting more stringent password requirements, organizations can improve their overall security posture and reduce the risk of unauthorized access.

It’s worth noting that PSOs require a domain functional level of Windows Server 2008 or later. Additionally, the specific steps to create and manage PSOs may vary depending on the version of Windows Server and the administrative tools being used.

How to create a PSO:

To create an Active Directory Password Settings Object (PSO), you can follow these steps:

1. Navigate to AD Admin Center > System > Password Settings Container.

[Figure: how to create a password settings container]

2. Create a new Password Settings object from the Tasks pane.

3. Configure the password complexity and account lockout requirements.

4. In the “Directly Applies To” section, choose the group that the PSO will apply to.

5. Set a name and a precedence for the policy. The precedence is the order in which policy objects are applied: if a user is a member of multiple groups that have different PSOs, the precedence decides which PSO takes effect.

[Figure: PSO AD group assignment]

You can also add members to the group by double-clicking the group and adding members, or you can do it in Active Directory Users and Computers.

6. Hit OK and the PSO is now created.

[Figure: AD PSO settings]
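The same procedure can be scripted with the ActiveDirectory PowerShell module, which also makes it easy to verify the precedence behaviour described earlier (which PSO actually wins for a given user). The block below is an added example, not code from the original post; the PSO name, the group name and every policy value in it are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): create a stricter PSO for privileged
# accounts, link it to a group, and verify which policy actually applies to the members.
# The PSO name, group name and policy values are assumptions for illustration only.
Import-Module ActiveDirectory

$psoName   = 'PSO-PrivilegedAccounts'   # assumed PSO name
$groupName = 'Tier0-Admins'             # assumed security group holding privileged accounts

# 1. Create the PSO. Precedence is a positive integer; when several PSOs cover the same
#    user, the one with the LOWEST number wins, and a PSO linked directly to a user account
#    beats any group-linked PSO. The thresholds below are illustrative, not a standard.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 20 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false `
    -Description 'Stricter password policy for privileged (Tier 0) accounts'

# 2. Link the PSO to the group (the "Directly Applies To" step in AD Administrative Center).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# 3. Review every PSO in the domain in precedence order, with the objects it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, LockoutThreshold,
        @{ n = 'AppliesTo'; e = { ($_.AppliesTo | ForEach-Object { (Get-ADObject $_).Name }) -join ', ' } }

# 4. Confirm the resultant policy for each user in the group. A user with no resultant PSO
#    is still governed by the default domain policy, which is exactly the gap a privileged-
#    account PSO is meant to close, so any such row deserves a look.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $resultant = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User            = $_.SamAccountName
            EffectivePolicy = if ($resultant) { $resultant.Name } else { 'Default Domain Policy' }
            MinLength       = if ($resultant) { $resultant.MinPasswordLength } `
                              else { (Get-ADDefaultDomainPasswordPolicy).MinPasswordLength }
        }
    }
```

Run this from a host with RSAT installed, using an account permitted to create objects in the Password Settings Container. Step 4 is the check worth keeping as a scheduled report: group membership and PSO links drift over time, and the resultant-policy query is the only thing that tells you whether a privileged user is really under the stricter policy rather than the domain default.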
