Windows Minimum Password Age


This setting limits how frequently a user may change their password. It is normally used to stop users who, when their password expires, change it repeatedly in one sitting so that their favourite password drops out of the account's password history (as defined by the password history setting) and can be reused.

Setting this control to zero disables it. Otherwise the value must be between one and 998 days. If maximum password age is greater than zero, this control must be less than maximum password age.

As with all of these password policies, this control can be a two-edged sword. In this case a user could be prevented from changing their password when they suspect, or know, that someone else has learned it. For instance, a manager who is out of town desperately needs some information on his office desktop and resorts to sharing his password with a subordinate. A day or two later, having returned to the office, he attempts to change his password, but this policy prevents him and he subsequently forgets about it. One could argue that he should never have shared the password in the first place, but humans will be humans.

Bottom line

I think that if your overall password strategy requires you to depend on enforcing password history, then you should use this setting as well. In that case I recommend the value of two days.
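The following is an added PowerShell example, not part of the WinSecWiki article: it checks a password policy against the three rules described above (zero disables, 1 to 998 days, less than maximum age) and flags the history-bypass case, then applies the same check to the live default domain policy. The `Test-MinPasswordAge` function and its sample inputs are constructed here; the `Get-`/`Set-ADDefaultDomainPasswordPolicy` cmdlets are from the ActiveDirectory module (RSAT) and need read rights on the domain.

```powershell
# Added example: audit Minimum Password Age against the rules in the article.
function Test-MinPasswordAge {
    param(
        [int]$MinAgeDays,          # 0 disables the control
        [int]$MaxAgeDays,          # 0 means passwords never expire
        [int]$HistoryCount,        # 0 means no password history is enforced
        [int]$RecommendedDays = 2  # the value recommended in the article
    )
    $findings = @()
    if ($MinAgeDays -lt 0 -or $MinAgeDays -gt 998) {
        $findings += "Minimum password age must be 0 (disabled) or 1-998 days; got $MinAgeDays."
    }
    if ($MaxAgeDays -gt 0 -and $MinAgeDays -ge $MaxAgeDays) {
        $findings += "Minimum age ($MinAgeDays) must be less than maximum age ($MaxAgeDays)."
    }
    if ($HistoryCount -gt 0 -and $MinAgeDays -eq 0) {
        $findings += "History of $HistoryCount is enforced but minimum age is 0: a user can make " +
                     "$($HistoryCount + 1) changes in a row to flush the history and reuse a " +
                     "favourite password. Set at least $RecommendedDays day(s)."
    }
    [pscustomobject]@{
        MinAgeDays   = $MinAgeDays
        MaxAgeDays   = $MaxAgeDays
        HistoryCount = $HistoryCount
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Constructed sample policies so the check can be exercised without a domain.
Test-MinPasswordAge -MinAgeDays 0  -MaxAgeDays 90 -HistoryCount 24  # history bypassable
Test-MinPasswordAge -MinAgeDays 2  -MaxAgeDays 90 -HistoryCount 24  # as recommended
Test-MinPasswordAge -MinAgeDays 90 -MaxAgeDays 90 -HistoryCount 24  # minimum not below maximum

# Same check against the live default domain policy (requires the ActiveDirectory module).
Import-Module ActiveDirectory
$policy = Get-ADDefaultDomainPasswordPolicy
$result = Test-MinPasswordAge -MinAgeDays $policy.MinPasswordAge.Days `
                              -MaxAgeDays $policy.MaxPasswordAge.Days `
                              -HistoryCount $policy.PasswordHistoryCount
$result | Format-List
if (-not $result.Compliant) {
    # Remediation with the article's recommended value; drop -WhatIf once reviewed.
    $policy | Set-ADDefaultDomainPasswordPolicy -MinPasswordAge (New-TimeSpan -Days 2) -WhatIf
}
```

Fine-grained password policies (PSOs) are not covered by the default-domain cmdlets; run the same function over each `Get-ADFineGrainedPasswordPolicy -Filter *` result if you use them.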
