Enumerating Domain Password Policy
Enumerating the domain password policy is a concrete discovery technique that directly informs credential attack decisions. This lesson explains how to retrieve the policy, what each setting means for attack planning, what the attacker gains from this information, and how to explain the findings in interviews, reports, and stakeholder conversations.
This lesson builds on
Theory
Why It Matters
The domain password policy is one of the first things an attacker checks after gaining authenticated access because it determines what credential attacks are safe, feasible, and worthwhile. Spraying without checking the lockout policy can lock out hundreds of accounts; ignoring the minimum length means missing that offline cracking is viable. This is not background research — it is a concrete discovery step that changes every subsequent credential attack decision.
Preconditions
Retrieving the default domain password policy requires either authenticated domain user credentials (any privilege level) or, in misconfigured environments, an unauthenticated connection via SMB NULL session or LDAP anonymous bind. With credentials, the policy is available through LDAP queries, RPC calls, or built-in Windows commands. Fine-grained password policies require authenticated access and typically need permissions to read the Password Settings Container in AD.
Key Concepts
- Lockout threshold and reset counter — the most operationally critical settings; a threshold of 5 with a 30-minute reset means one spray attempt per 35 minutes is safe; a threshold of 0 means no lockout (spraying is safer but still detectable)
- Minimum password length — determines offline cracking viability; 8-character minimums are effectively crackable for common patterns; 14+ character minimums significantly raise the difficulty
- Password complexity — AD complexity requires 3 of 4 character classes, but passwords like 'Spring2024!' meet this requirement and are trivially guessable; complexity is a floor, not protection
- Fine-grained password policies (FGPPs) — per-group overrides that can set different requirements for service accounts, admin accounts, or specific OUs; a weak FGPP on service accounts undermines a strong default policy
- Password history and maximum age — history prevents immediate reuse; maximum age forces rotation; long-unchanged passwords (or no expiration) increase the likelihood that current credentials are crackable
- Unauthenticated retrieval — in misconfigured environments, the policy may be accessible via SMB NULL sessions or LDAP anonymous binds, giving the attacker this intelligence before they even have credentials
Why It Works
Active Directory stores the default password policy as attributes on the domain object, readable by any authenticated user via LDAP. The policy settings — minimum length, complexity requirements, lockout threshold, lockout duration, reset counter, password history, and maximum age — are designed to be accessible because domain-joined workstations and services need to enforce them locally.
An attacker exploits this accessibility to read the exact constraints that govern every account in the domain, turning defensive configuration into offensive intelligence. In misconfigured environments, the same data may be accessible without credentials through NULL sessions or anonymous LDAP binds.
What the Attacker Gains
The attacker gains a precise operational picture of what credential attacks are viable and safe. The lockout threshold and reset counter determine the maximum spray rate without triggering lockouts. The minimum length and complexity settings determine whether offline cracking of Kerberoasted or AS-REP roasted hashes is likely to succeed.
The password age setting indicates whether accounts may have long-unchanged, potentially weak passwords. Fine-grained policy data reveals whether service accounts or privileged groups have weaker requirements than standard users. This information transforms credential attacks from guesswork into calculated decisions.
Where It Fits in the Attack Chain
Password policy enumeration is one of the first discovery steps after obtaining domain user credentials. It sits at the beginning of the credential access preparation phase: before spraying, before evaluating Kerberoasting results, and before any other technique that depends on password strength assumptions.
In a realistic attack chain, the attacker enumerates the policy immediately after initial access, uses it to plan spray timing and target selection, and references it again when deciding whether cracked hashes from roasting attacks are likely to succeed.
Tools & Examples
- CrackMapExec smb --pass-pol — retrieves the full domain password policy over SMB with or without credentials
- rpcclient querydominfo — retrieves policy via RPC; works with NULL sessions on misconfigured DCs
- net accounts /domain — Windows built-in command that displays the domain password policy from a domain-joined host
- ldapsearch — LDAP query for the domain object's lockoutThreshold, minPwdLength, pwdProperties, and related attributes
- PowerView Get-DomainPolicy — PowerShell-based retrieval of the default domain policy and fine-grained policies
Defender's Perspective
- Enforce a minimum password length of 14 or more characters. This single change makes offline cracking of common password patterns significantly harder.
- Implement fine-grained password policies for service accounts and administrative accounts that require longer passwords than standard users, not shorter ones.
- Set a reasonable lockout threshold (5-10 attempts) with an appropriate reset window. A threshold of 0 (no lockout) removes one layer of spray protection.
- Monitor for policy enumeration indicators: RPC calls to QueryDomainInfo, LDAP queries targeting lockout and password attributes from unusual sources.
- Disable SMB NULL sessions and LDAP anonymous binds to prevent unauthenticated policy retrieval.
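The raw domain-object attributes described under Why It Works are not human-readable as stored (durations are negative 100-nanosecond intervals, complexity is a bit in pwdProperties). The added example below, which is not code from any tool on this page, decodes those attributes as ldapsearch prints them and scores them against the hardening baseline in this Defender's Perspective list; the sample domain values are constructed.

```python
# Added example: decode raw AD domain-object password-policy attributes and
# check them against the lesson's hardening baseline. Sample values constructed.

HUNDRED_NS_PER_MIN = 600_000_000        # AD stores durations as negative 100 ns intervals
HUNDRED_NS_PER_DAY = HUNDRED_NS_PER_MIN * 60 * 24
NEVER = -0x8000000000000000             # sentinel: "never" (maxPwdAge) / indefinite lockout
DOMAIN_PASSWORD_COMPLEX = 0x1           # pwdProperties bit (MS-SAMR DOMAIN_PASSWORD_COMPLEX)

def interval_to(raw, unit):
    """Convert an AD duration attribute to minutes or days; None = not set / never."""
    raw = int(raw)
    if raw in (0, NEVER):
        return None
    return abs(raw) / unit

def decode_policy(attrs):
    """attrs maps attribute name -> string value, as returned for the domain object."""
    props = int(attrs.get("pwdProperties", 0))
    return {
        "min_length": int(attrs.get("minPwdLength", 0)),
        "complexity": bool(props & DOMAIN_PASSWORD_COMPLEX),
        "history": int(attrs.get("pwdHistoryLength", 0)),
        "max_age_days": interval_to(attrs.get("maxPwdAge", 0), HUNDRED_NS_PER_DAY),
        "lockout_threshold": int(attrs.get("lockoutThreshold", 0)),
        "lockout_minutes": interval_to(attrs.get("lockoutDuration", 0), HUNDRED_NS_PER_MIN),
        "reset_minutes": interval_to(attrs.get("lockOutObservationWindow", 0), HUNDRED_NS_PER_MIN),
    }

def assess(policy):
    """Findings a defender should raise, following the Defender's Perspective baseline."""
    findings = []
    if policy["min_length"] < 14:
        findings.append("minPwdLength below 14: common patterns are crackable offline")
    if not policy["complexity"]:
        findings.append("complexity disabled: no character-class floor at all")
    if policy["lockout_threshold"] == 0:
        findings.append("lockoutThreshold 0: no lockout, spraying is unconstrained")
    elif not 5 <= policy["lockout_threshold"] <= 10:
        findings.append("lockoutThreshold outside the recommended 5-10 range")
    if policy["max_age_days"] is None:
        findings.append("maxPwdAge never: long-unchanged passwords raise crack likelihood")
    if policy["history"] == 0:
        findings.append("pwdHistoryLength 0: immediate password reuse allowed")
    return findings

# Constructed sample matching the report finding in this lesson (8 chars, 5 attempts / 30 min).
SAMPLE_DOMAIN = {
    "minPwdLength": "8", "pwdProperties": "1", "pwdHistoryLength": "24",
    "maxPwdAge": "-36288000000000",            # 42 days
    "lockoutThreshold": "5",
    "lockoutDuration": "-18000000000",         # 30 minutes
    "lockOutObservationWindow": "-18000000000",
}

if __name__ == "__main__":
    for finding in assess(decode_policy(SAMPLE_DOMAIN)):
        print(finding)
```

The same decoder applies to the msDS-PasswordSettings objects of fine-grained policies, whose attributes use the same interval encoding under different names.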
Communication
How to Explain It in an Interview
Password policy enumeration is one of the first things I do after gaining domain credentials because it directly determines what credential attacks are safe and viable. I retrieve the full policy — lockout threshold, reset counter, minimum length, complexity, and history — and calculate the maximum safe spray rate. If the lockout threshold is 5 with a 30-minute reset, I know I can attempt one password per 35 minutes per account without triggering lockouts.
The minimum length tells me whether Kerberoasting results are likely to crack: an 8-character minimum means common patterns are crackable, while 14+ characters significantly raises the bar. I also check for fine-grained policies, because the default may be strong while a per-group policy on service accounts is weak. The policy turns every subsequent credential attack from a guess into a calculated decision.
How to Explain It to a Stakeholder
Password policy enumeration is when an attacker reads your domain's password rules to plan their credential attacks.
With any employee-level account, an attacker can see exactly how long passwords must be, how many failed login attempts trigger a lockout, and how long the lockout lasts. This tells them whether they can safely try common passwords across all accounts, and whether stolen password hashes from other techniques are likely to be crackable. The risk is not that the policy is secret — it is not — but that weak settings (short minimum length, high lockout tolerance, no fine-grained policies for privileged accounts) directly enable the credential attacks that follow.
How It Might Appear in a Report
Finding: Weak Domain Password Policy Enables Credential Attacks. The assessor enumerated the default domain password policy and identified the following settings: minimum length of 8 characters, complexity enabled, lockout threshold of 5 attempts with a 30-minute reset. No fine-grained password policies were configured for service accounts or administrative accounts. The 8-character minimum, combined with standard complexity rules, allows common password patterns (e.g., Season+Year+Symbol) that are crackable via offline dictionary attacks against Kerberoasted service ticket hashes. The lockout configuration permits safe password spraying at a rate of one attempt per 35 minutes.
Severity: Medium.
Recommendation: Increase minimum password length to 14 characters. Implement fine-grained password policies requiring 25+ characters for service accounts. Consider reducing the lockout threshold to 3 attempts.
Common Weak Answers
- Describing policy enumeration as 'I check the password policy' without explaining what specific settings matter, why they matter, or how they change the attack plan.
- Knowing that lockout threshold exists but not being able to calculate a safe spray rate from it. The math is straightforward: one attempt per reset window with a safety margin.
- Claiming that complexity requirements make passwords strong. AD complexity only requires 3 of 4 character classes. Passwords like 'Password1!' and 'Winter2024#' meet complexity but are trivially crackable.
- Not mentioning fine-grained password policies. The default domain policy is only one layer. FGPPs can override it per group, and attackers check whether privileged accounts have weaker requirements.
- Treating policy enumeration as passive information gathering rather than an active technique that changes every subsequent attack decision.
Likely Follow-Up Questions
- How would you calculate a safe spray rate from a policy with a lockout threshold of 5 and a 30-minute reset counter?
- Why does an 8-character minimum with complexity still allow crackable passwords?
- What is a fine-grained password policy, and why would an attacker specifically look for one?
- Can you retrieve the password policy without credentials? Under what conditions?
- How would you explain to a client that their password policy directly enabled the credential attacks you performed?
Further Reading
- Password Policy Settings (Microsoft): official Microsoft reference for domain password policy settings and lockout configuration