Manage password policies for Amazon Managed Microsoft AD - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Manage password policies for Amazon Managed Microsoft AD

Amazon Managed Microsoft AD enables you to define and assign different password and account lockout policies (also referred to as fine-grained password policies) for groups of users you manage in your Amazon Managed Microsoft AD domain. When you create an Amazon Managed Microsoft AD directory, a default domain policy is created and applied to the Active Directory. This policy includes the following settings:

| Policy | Setting |
|---|---|
| Enforce password history | 24 passwords remembered |
| Maximum password age | 42 days * |
| Minimum password age | 1 day |
| Minimum password length | 7 characters |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption | Disabled |

* Note: The 42-day maximum password age also applies to the admin password.

For example, you can assign a less strict policy to employees who have access only to low-sensitivity information. For senior managers who regularly access confidential information, you can apply stricter settings.

The following are resources to learn more about Microsoft Active Directory fine-grained password policies and security policies:

Amazon provides a set of fine-grained password policies in Amazon Managed Microsoft AD that you can configure and assign to your groups. To configure the policies, you can use standard Microsoft policy tools such as Active Directory Administrative Center. To get started with the Microsoft policy tools, see Install the Active Directory Administration Tools for Amazon Managed Microsoft AD.
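The following PowerShell, added here as an example and not taken from the Amazon documentation or its tooling, shows the same workflow the Active Directory Administrative Center offers: read the default domain policy, tighten one of the pre-created fine-grained policies for a group that handles confidential data, assign it, and confirm which policy actually governs a member. It assumes a domain-joined instance with the ActiveDirectory RSAT module and an account delegated to manage password settings objects; the policy, group and user names are placeholders.

```powershell
# Added example (not from the Amazon documentation page). Inspect the default
# domain password policy, tighten a pre-created fine-grained policy (PSO),
# assign it to a group, and verify the resultant policy for one member.
Import-Module ActiveDirectory

$PsoName    = 'CustomerPSO-01'     # assumed: name of a pre-created policy in your directory
$GroupName  = 'Finance-Managers'   # assumed: group of users who handle confidential data
$SampleUser = 'jdoe'               # assumed: a member of that group

# 1. Show the defaults the directory was created with
#    (history 24, max age 42 days, min age 1 day, min length 7, complexity on).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                  MinPasswordLength, ComplexityEnabled, ReversibleEncryptionEnabled

# 2. Tighten the fine-grained policy for the sensitive group: shorter maximum
#    age, longer minimum length, and account lockout after repeated failures.
Set-ADFineGrainedPasswordPolicy -Identity $PsoName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -MinPasswordLength 14 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# 3. Apply the policy to the group. If a user falls under several PSOs,
#    the one with the lowest Precedence value wins.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# 4. Verify: the resultant policy for a member should now be the PSO.
#    The cmdlet returns nothing when only the default domain policy applies.
$effective = Get-ADUserResultantPasswordPolicy -Identity $SampleUser
if ($null -eq $effective) {
    Write-Output "$SampleUser is governed by the default domain policy"
} else {
    Write-Output "$SampleUser is governed by PSO '$($effective.Name)' (max age $($effective.MaxPasswordAge.Days) days)"
}
```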

How password policies are applied

There are differences in how the fine-grained password policies are applied depending on whether a password was reset or changed. Domain users can change their own passwords. An Active Directory administrator, or a user with the necessary permissions, can reset users' passwords. See the following chart for more information.

| Policy | Password Reset | Password Change |
|---|---|---|
| Enforce password history | No | Yes |
| Maximum password age | Yes | Yes |
| Minimum password age | No | Yes |
| Minimum password length | Yes | Yes |
| Password must meet complexity requirements | Yes | Yes |

These differences have security implications. For example, whenever a user's password is reset, the enforce password history and minimum password age policies are not enforced. For more information, see Microsoft documentation on the security considerations related to enforce password history and minimum password age policies.

Related Amazon Security blog article