Supported policy settings - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Supported policy settings

Amazon Managed Microsoft AD includes five fine-grained policies with a non-editable precedence value. The policies have a number of properties you can configure to enforce the strength of passwords, and account lock-out actions in the event of login failures. You can assign the policies to zero or more Active Directory groups. If an end-user is a member of multiple groups and receives more than one password policy, Active Directory enforces the policy with the lowest precedence value.

Amazon pre-defined password policies

The following table lists the five policies included in your Amazon Managed Microsoft AD directory and their assigned precedence value. For more information, see Precedence.

Policy name Precedence
CustomerPSO-01 10
CustomerPSO-02 20
CustomerPSO-03 30
CustomerPSO-04 40
CustomerPSO-05 50

Password policy properties

You may edit the following properties in your password policies to conform to the compliance standards that meet your business needs.

You cannot modify the precedence values for these policies. For more details about how these settings affect password enforcement, see AD DS: Fine-grained password policies on the Microsoft TechNet website. For general information about these policies, see Password policy on the Microsoft TechNet website.

Account lockout policies

You may also modify the following properties of your password policies to specify if and how Active Directory should lockout an account after login failures:

  • Number of failed logon attempts allowed

  • Account lockout duration

  • Reset failed logon attempts after some duration

For general information about these policies, see Account lockout policy on the Microsoft TechNet website.


Policies with a lower precedence value have higher priority. You assign password policies to Active Directory security groups. While you should apply a single policy to a security group, a single user may receive more than one password policy. For example, suppose jsmith is a member of the HR group and also a member of the MANAGERS group. If you assign CustomerPSO-05 (which has a precedence of 50) to the HR group, and CustomerPSO-04 (which has a precedence of 40) to MANAGERS, CustomerPSO-04 has the higher priority and Active Directory applies that policy to jsmith.

If you assign multiple policies to a user or group, Active Directory determines the resultant policy as follows:

  1. A policy you assign directly to the user object applies.

  2. If no policy is assigned directly to the user object, the policy with the lowest precedence value of all policies received by the user as a result of group membership applies.

For additional details, see AD DS: Fine-grained password policies on the Microsoft TechNet website.