
# Group Policy Object

## Objectives

* Enforce password policy, including password complexity, password expiration, and account lockout.

## Enforce Password Policy

I first opened Group Policy Management Console (GPMC), and then I navigated to Default Domain Policy and selected edit.

{% hint style="info" %}
The Default Domain Policy is where password policies are set because, when enabled, it applies the settings across all users in the domain.
{% endhint %}

<figure><img src="/files/dqaZ4CdwMxXgoP0V9Nu5" alt=""><figcaption></figcaption></figure>

Within Group Policy Management Editor, I navigated to **Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy**.

<figure><img src="/files/6MrnO8SgKLH8gIIQoq8Y" alt=""><figcaption></figcaption></figure>

These are my password policy settings:

* **Enforce password history:** I set it to 10 to prevent reusing the old password.
* **Maximum password age:** I set 60 days before it is required to change the password.
* **Minimum password age:** I think 1 day is pretty good.
* **Minimum password length:** 8 characters should be the minimum.
* **Password must meet complexity requirements:** Enabled, the password should include a mix of uppercase and lowercase letters, numbers, and special characters.
* **Store password using reversible encryption:** Disabled because this option allows the password to be decrypted, which poses a security risk.

#### Configuring Account Lockout Policy

Brute-force attacks are really common, and this policy should be configured to protect against the attacks.

I navigated to **Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy**.

<figure><img src="/files/HFVquh6wJNkTuOHmHgCw" alt=""><figcaption></figcaption></figure>

For these policy settings, I configured:

* **Account lockout duration:** An account will be locked for 30 minutes after reaching the lockout threshold.
* **Account lockout threshold:** The number of failed login attempts should be 3-5 times before the account is locked out.
* **Reset account lockout counter after:** I set 15 minutes after a failed login attempt.

Once finished, I clicked **Apply** and closed the Editor.

To update the Group Policy settings, I opened PowerShell as administrator and ran the following command: `gpupdate /force`

<figure><img src="/files/pUlOVbr7wKYXKwT5FmKl" alt=""><figcaption></figcaption></figure>
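To confirm that the domain picked up these values after `gpupdate /force`, the effective policy can be read back and compared against the settings listed above. This is an added example, not part of the original write-up; it assumes the ActiveDirectory PowerShell module (RSAT) is available and the session runs on the domain controller or a domain-joined machine, and the variable names are illustrative.

```powershell
# Added example: read the effective default domain password policy and
# compare it with the values chosen on this page.
Import-Module ActiveDirectory

$p = Get-ADDefaultDomainPasswordPolicy

# One row per setting: what the page configured, what the domain reports,
# and whether they match. Age and lockout values are TimeSpan objects.
$results = @(
    [pscustomobject]@{ Setting = 'Enforce password history'; Expected = '10'
        Actual = $p.PasswordHistoryCount; Pass = ($p.PasswordHistoryCount -eq 10) }
    [pscustomobject]@{ Setting = 'Maximum password age'; Expected = '60 days'
        Actual = $p.MaxPasswordAge; Pass = ($p.MaxPasswordAge -eq (New-TimeSpan -Days 60)) }
    [pscustomobject]@{ Setting = 'Minimum password age'; Expected = '1 day'
        Actual = $p.MinPasswordAge; Pass = ($p.MinPasswordAge -eq (New-TimeSpan -Days 1)) }
    [pscustomobject]@{ Setting = 'Minimum password length'; Expected = '8'
        Actual = $p.MinPasswordLength; Pass = ($p.MinPasswordLength -eq 8) }
    [pscustomobject]@{ Setting = 'Complexity requirements'; Expected = 'Enabled'
        Actual = $p.ComplexityEnabled; Pass = ($p.ComplexityEnabled -eq $true) }
    [pscustomobject]@{ Setting = 'Reversible encryption'; Expected = 'Disabled'
        Actual = $p.ReversibleEncryptionEnabled; Pass = ($p.ReversibleEncryptionEnabled -eq $false) }
    [pscustomobject]@{ Setting = 'Account lockout duration'; Expected = '30 minutes'
        Actual = $p.LockoutDuration; Pass = ($p.LockoutDuration -eq (New-TimeSpan -Minutes 30)) }
    # The page gives a range of 3-5 failed attempts rather than a single value.
    [pscustomobject]@{ Setting = 'Account lockout threshold'; Expected = '3-5'
        Actual = $p.LockoutThreshold; Pass = ($p.LockoutThreshold -ge 3 -and $p.LockoutThreshold -le 5) }
    [pscustomobject]@{ Setting = 'Reset lockout counter after'; Expected = '15 minutes'
        Actual = $p.LockoutObservationWindow; Pass = ($p.LockoutObservationWindow -eq (New-TimeSpan -Minutes 15)) }
)

$results | Format-Table -AutoSize

# Flag any setting that does not match so drift is obvious at a glance.
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the intended policy: {1}" -f `
        $failed.Count, ($failed.Setting -join ', '))
} else {
    Write-Output 'All password and lockout settings match the intended policy.'
}
```

A lockout threshold of 0 means accounts are never locked out, so that row failing with `Actual = 0` indicates the lockout policy was not applied.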

