Define minimum and maximum password age for Windows

We have already reported on the various options for setting password policies in the past. Today we would like to show you how to set the minimum and maximum password age using the Windows security policy. All necessary settings can be found in the Local Security Policy editor (secpol.msc) in the area

Security Settings / Account Policies / Password Policy

Below you can see the setting options in the Secpol editor.

Minimum and maximum password age

With these two password policies you can set the minimum and maximum password age of the user accounts. Make sure that the number of days for the minimum password age is not greater than the number of days for the maximum password age.

Microsoft has released the following information about both password policies.

Minimum password age

This security setting specifies the amount of time (in days) that a password must be used before the user can change the password. You can set a value between 1 and 998 days, or you can allow the password to be changed immediately by setting the number of days to 0.

The minimum password age must be lower than the maximum password age, unless the maximum password age is set to 0, which means the passwords never expire. If the maximum password age is set to 0, the minimum password age can be set to a value between 0 and 998.

Set the minimum password age to greater than 0 if you want the “Enforce password history” security policy to take effect. Without a minimum password age, users can change their passwords repeatedly in quick succession until they can use an old favorite password again. By default, this recommendation is not followed so that an administrator can set a password for a user and then prompt the user at login to change the password defined by the administrator. If the password history is set to 0, the user does not need to set a new password. For this reason, “Enforce password history” is set to 1 by default.

Default value: 1 for domain controllers, 0 for standalone servers.

Note: By default, member computers use the configuration of their domain controllers.

Maximum password age

This security setting specifies the amount of time, in days, that a password can be used before the system prompts the user to change the password. You can choose to have passwords expire after the specified number of days (between 1 and 999 days), or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the minimum password age must be lower than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.

Note: It is a best practice to set the maximum password age to between 30 and 90 days, depending on the environment. In this way, an attacker has only a limited amount of time to crack a user password to gain access to network resources.

Default value: 42
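
The rules above can be checked against a machine's effective local policy. The following PowerShell script is an added example, not part of the original article or of Microsoft's text: it exports the local policy with secedit and reports any conflict between minimum age, maximum age and password history. The function names `Test-PasswordAgePolicy` and `Get-LocalPasswordAgePolicy` are hypothetical, and treating an exported maximum age of -1 as "never expires" is an assumption.

```powershell
# Added example; run from an elevated PowerShell prompt on the machine to audit.
function Test-PasswordAgePolicy {
    param([int]$MinimumAge, [int]$MaximumAge, [int]$HistorySize)
    # Assumption: an exported policy may write "never expires" as -1 rather than 0,
    # so any value <= 0 is treated as "passwords never expire".
    $neverExpires = $MaximumAge -le 0
    if (-not $neverExpires -and $MinimumAge -ge $MaximumAge) {
        "Minimum age ($MinimumAge) must be lower than maximum age ($MaximumAge)."
    }
    if ($HistorySize -gt 0 -and $MinimumAge -eq 0) {
        "History of $HistorySize is enforced but minimum age is 0: users can cycle through passwords back to an old one."
    }
    if ($neverExpires) {
        "Passwords never expire; the best-practice range is 30 to 90 days."
    } elseif ($MaximumAge -lt 30 -or $MaximumAge -gt 90) {
        "Maximum age ($MaximumAge) is outside the 30 to 90 day best-practice range."
    }
}

function Get-LocalPasswordAgePolicy {
    # Export only the security-policy area to a temporary file and parse the three keys.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        $values = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*(MinimumPasswordAge|MaximumPasswordAge|PasswordHistorySize)\s*=\s*(-?\d+)') {
                $values[$Matches[1]] = [int]$Matches[2]
            }
        }
        $values
    } finally {
        # Remove the exported file so no copy of the policy is left in the temp folder.
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$policy   = Get-LocalPasswordAgePolicy
$findings = @(Test-PasswordAgePolicy -MinimumAge $policy.MinimumPasswordAge `
    -MaximumAge $policy.MaximumPasswordAge -HistorySize $policy.PasswordHistorySize)
if ($findings.Count -eq 0) { 'Password age policy is consistent.' } else { $findings }
```

On a domain member the export reflects the policy the machine received from its domain controllers, in line with the note above.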

Finally, we have listed more information on the subject of “Windows passwords”.

– Windows password must meet certain password guidelines – Increase security
– Change Windows password for Windows 10
– Set minimum password length for Windows
– Lock and restart computer after entering an incorrect password several times
– Automatically lock Windows after invalid logins
– Create or change password security questions for Windows 10
– Manage, edit or delete saved passwords in the Edge Browser
– Hide the button for displaying the Windows password in Windows 10
– Delete cookies, form data and passwords in the Edge Browser
– Deactivate Windows 10 password query on Surface after pressing the Power button
– WLAN password in plain text display via DOS command
– Reset Windows password of a Hyper-V VM
– Reset administrator password
