Password requirements

john john Pter 1,305 Reputation points
2025-11-04T20:25:43.1266667+00:00

Can we enforce these password requirements:

  1. Minimum of eight characters, incorporating a combination of uppercase and lowercase alphabetic characters, numerals, and special characters.
  2. Mandatory password changes for all users every three months

Can we achieve this, and how?

Exchange Online
A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.

Answer accepted by question author
  1. Sachith Lakmal 366 Reputation points
    2025-11-04T22:15:42.94+00:00

    Yes, you can absolutely enforce those password requirements using Group Policy in a Windows Active Directory (AD) environment.

    These settings are part of the built-in Account Policies within Group Policy, typically configured in the Default Domain Policy to affect all users in the domain.


    Group Policy Settings to Enforce Requirements

    You will need to configure the following settings located in the Group Policy Management Console (GPMC) under:

    Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy

    1. Complexity Requirements (Minimum 8 Characters + 4 Categories)

    Your requirement of "Minimum of eight characters, incorporating a combination of uppercase and lowercase alphabetic characters, numerals, and special characters" is met by configuring two settings:

    | Setting | Value to Enforce Requirement | Purpose |
    |---|---|---|
    | Minimum password length | 8 characters | Enforces the minimum length. |
    | Password must meet complexity requirements | Enabled | Enforces the combination rule. When enabled, the password must meet three of the four character categories: uppercase, lowercase, numbers (Base 10 digits), and special characters (non-alphanumeric). |

    2. Mandatory Password Changes (Every Three Months)

    Your requirement of "Mandatory password changes for all users every three months" is met by setting the maximum password age.

    | Setting | Value to Enforce Requirement | Calculation/Purpose |
    |---|---|---|
    | Maximum password age | 90 days | This value forces the password to expire after 90 days (approximately 3 months), prompting the user to change it before they can log in. |
    | Minimum password age (Recommended) | 1 day | This prevents users from quickly changing their password multiple times in a row to reuse an old one that is still stored in the history (see note below). |

    Note on Password History: You should also ensure the Enforce password history setting is configured to a high value (like 24, the maximum available) to prevent users from immediately reusing recent passwords after the 90-day expiry forces a change.


    How to Configure the Policy

    You must have administrative access to a Domain Controller or a system with the Group Policy Management Console (GPMC) installed.

    Open Group Policy Management Console (GPMC).

    Expand Forest → Domains → YourDomainName → Group Policy Objects.

    Right-click the Default Domain Policy and select Edit.

    _Best Practice Note: The Password Policy should be configured here, as it is the only GPO that applies these rules to all user accounts in the domain._

    In the Group Policy Management Editor, navigate to the path:

    Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy

    Double-click each of the four settings listed in the tables above and set their respective values, clicking Apply and OK for each one.

    Once all settings are configured, the policy will be applied across your domain when Group Policy next updates (usually within 90-120 minutes, or immediately by running gpupdate /force on a Domain Controller).

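As an added example that is not part of the accepted answer, the PowerShell below audits the effective domain password policy against the five values the answer's tables call for and previews the change with `-WhatIf`. It assumes the ActiveDirectory RSAT module and Domain Admin rights; the domain name `corp.example.com` is a placeholder.

```powershell
# Added example: audit (and optionally apply) the domain password policy.
# Assumes RSAT ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'   # placeholder, replace with your domain's DNS name

# The requirements from the question, expressed as the attribute names that
# Get-/Set-ADDefaultDomainPasswordPolicy use.
$Required = @{
    MinPasswordLength    = 8
    ComplexityEnabled    = $true
    MaxPasswordAge       = [TimeSpan]::FromDays(90)
    MinPasswordAge       = [TimeSpan]::FromDays(1)
    PasswordHistoryCount = 24
}

function Test-DomainPasswordPolicy {
    param([string]$Identity, [hashtable]$Required)
    $current = Get-ADDefaultDomainPasswordPolicy -Identity $Identity
    foreach ($name in $Required.Keys) {
        $actual = $current.$name
        # "At least as strict as" rather than "equal to": a 12-character minimum
        # or a 60-day maximum still satisfies the requirement.
        $ok = switch ($name) {
            'MinPasswordLength'    { $actual -ge $Required[$name] }
            'PasswordHistoryCount' { $actual -ge $Required[$name] }
            'MinPasswordAge'       { $actual -ge $Required[$name] }
            # A MaxPasswordAge of 0 means "never expires", so it must be > 0 and <= 90 days.
            'MaxPasswordAge'       { ($actual -gt [TimeSpan]::Zero) -and ($actual -le $Required[$name]) }
            default                { $actual -eq $Required[$name] }
        }
        [pscustomobject]@{
            Setting   = $name
            Required  = $Required[$name]
            Actual    = $actual
            Compliant = $ok
        }
    }
}

$report = Test-DomainPasswordPolicy -Identity $Domain -Required $Required
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Compliant }) {
    # Splat the same hashtable into the Set- cmdlet. -WhatIf only previews;
    # remove it to apply the values immediately to the domain object.
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Required -WhatIf
}
```

Keep the Default Domain Policy GPO as the authoritative place for these values, as the answer describes: the `Set-` cmdlet writes the domain object directly, and a later refresh of that GPO re-asserts whatever it defines, so the cmdlet is most useful for verification (the `Get-`/report part) or for a lab.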

1 additional answer

  1. Kavya 655 Reputation points
    2025-11-06T03:52:39.3966667+00:00

    If you’re using Active Directory: You can enforce these password requirements through Group Policy (GPO).

    Open the Group Policy Management Console (GPMC), select the appropriate GPO, and navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy. Here, you can configure all password-related settings, including complexity, length, and expiration.

    You can also use Fine-Grained Password Policies to apply different password requirements for different groups. For example, you can enforce stronger policies for privileged accounts while applying standard requirements for regular users.

    https://blog.admindroid.com/how-to-configure-fine-grained-password-policy-in-active-directory/

    If you’re using Microsoft 365: The default password policy already includes complexity requirements. You can further enhance it with Entra Password Protection to block common or custom passwords.

    To configure password expiration in Microsoft 365, go to: Microsoft 365 Admin Center → Settings → Org Settings → Security & Privacy → Password Expiration Policy, and set the desired number of days.

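As an added example that is not part of the answer above, the PowerShell below does both things the answer mentions: it creates a stricter Fine-Grained Password Policy for a privileged group and sets the Microsoft 365 password-expiration period through Microsoft Graph. It assumes the ActiveDirectory module, a global security group named `Privileged-Admins`, a sample account `jdoe`, the Microsoft.Graph PowerShell SDK, and a verified tenant domain `example.com`; all of those names are placeholders.

```powershell
# Added example: fine-grained password policy for privileged accounts (on-prem AD)
# and password expiration for a Microsoft 365 domain (Microsoft Graph).
Import-Module ActiveDirectory

# --- Part 1: stricter PSO for privileged accounts ---
# Lower Precedence wins when a user is covered by more than one PSO.
$psoName = 'PSO-Privileged-Admins'      # placeholder name
$group   = 'Privileged-Admins'          # placeholder global security group

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 14 -ComplexityEnabled $true `
        -MaxPasswordAge ([TimeSpan]::FromDays(90)) `
        -MinPasswordAge ([TimeSpan]::FromDays(1)) `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 `
        -LockoutDuration ([TimeSpan]::FromMinutes(30)) `
        -LockoutObservationWindow ([TimeSpan]::FromMinutes(30))
}

# PSOs are applied to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $group

# Check what a member actually gets: the PSO overrides the domain default.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'   # placeholder account

# --- Part 2: Microsoft 365 / Entra ID expiration on the tenant domain ---
# Requires the Microsoft.Graph SDK; Domain.ReadWrite.All covers this change.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All'
Update-MgDomain -DomainId 'example.com' `
    -PasswordValidityPeriodInDays 90 `
    -PasswordNotificationWindowInDays 14

# Confirm the values that were written.
Get-MgDomain -DomainId 'example.com' |
    Select-Object Id, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays
```

`Get-ADUserResultantPasswordPolicy` is the check to run after linking a PSO: if it returns nothing, the account is governed by the domain default rather than the new policy. The Graph expiration setting applies to cloud-only accounts; users synchronised from on-premises AD follow the on-premises policy unless the tenant has been configured to enforce the cloud policy for synced users.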
