Enumerating the domain password policy is a concrete discovery technique that directly informs credential attack decisions. This lesson explains how to retrieve the policy, what each setting means for attack planning, what the attacker gains from this information, and how to explain the findings in interviews, reports, and stakeholder conversations.
The domain password policy is one of the first things an attacker checks after gaining authenticated access because it determines what credential attacks are safe, feasible, and worthwhile. Spraying without checking the lockout policy can lock out hundreds of accounts; ignoring the minimum length means missing that offline cracking is viable. This is not background research — it is a concrete discovery step that changes every subsequent credential attack decision.
Retrieving the default domain password policy requires either authenticated domain user credentials (any privilege level) or, in misconfigured environments, an unauthenticated connection via SMB NULL session or LDAP anonymous bind. With credentials, the policy is available through LDAP queries, RPC calls, or built-in Windows commands. Fine-grained password policies require authenticated access and typically need permissions to read the Password Settings Container in AD.
Active Directory stores the default password policy as attributes on the domain object, readable by any authenticated user via LDAP. The policy settings — minimum length, complexity requirements, lockout threshold, lockout duration, reset counter, password history, and maximum age — are designed to be accessible because domain-joined workstations and services need to enforce them locally.
An attacker exploits this accessibility to read the exact constraints that govern every account in the domain, turning defensive configuration into offensive intelligence. In misconfigured environments, the same data may be accessible without credentials through NULL sessions or anonymous LDAP binds.
The attacker gains a precise operational picture of what credential attacks are viable and safe. The lockout threshold and reset counter determine the maximum spray rate without triggering lockouts. The minimum length and complexity settings determine whether offline cracking of Kerberoasted or AS-REP roasted hashes is likely to succeed.
The password age setting indicates whether accounts may have long-unchanged, potentially weak passwords. Fine-grained policy data reveals whether service accounts or privileged groups have weaker requirements than standard users. This information transforms credential attacks from guesswork into calculated decisions.
Password policy enumeration is one of the first discovery steps after obtaining domain user credentials. It sits at the beginning of the credential access preparation phase: before spraying, before evaluating Kerberoasting results, and before any other technique that depends on password strength assumptions.
In a realistic attack chain, the attacker enumerates the policy immediately after initial access, uses it to plan spray timing and target selection, and references it again when deciding whether cracked hashes from roasting attacks are likely to succeed.
Password policy enumeration is one of the first things I do after gaining domain credentials because it directly determines what credential attacks are safe and viable. I retrieve the full policy — lockout threshold, reset counter, minimum length, complexity, and history — and calculate the maximum safe spray rate. If the lockout threshold is 5 with a 30-minute reset, I know I can attempt one password per 35 minutes per account without triggering lockouts.
The minimum length tells me whether Kerberoasting results are likely to crack: an 8-character minimum means common patterns are crackable, while 14+ characters significantly raises the bar. I also check for fine-grained policies, because the default may be strong while a per-group policy on service accounts is weak. The policy turns every subsequent credential attack from a guess into a calculated decision.
Password policy enumeration is when an attacker reads your domain's password rules to plan their credential attacks.
With any employee-level account, an attacker can see exactly how long passwords must be, how many failed login attempts trigger a lockout, and how long the lockout lasts. This tells them whether they can safely try common passwords across all accounts, and whether stolen password hashes from other techniques are likely to be crackable. The risk is not that the policy is secret — it is not — but that weak settings (short minimum length, high lockout tolerance, no fine-grained policies for privileged accounts) directly enable the credential attacks that follow.
Finding: Weak Domain Password Policy Enables Credential Attacks. The assessor enumerated the default domain password policy and identified the following settings: minimum length of 8 characters, complexity enabled, lockout threshold of 5 attempts with a 30-minute reset. No fine-grained password policies were configured for service accounts or administrative accounts. The 8-character minimum, combined with standard complexity rules, allows common password patterns (e.g., Season+Year+Symbol) that are crackable via offline dictionary attacks against Kerberoasted service ticket hashes. The lockout configuration permits safe password spraying at a rate of one attempt per 35 minutes.
Severity: Medium.
Recommendation: Increase minimum password length to 14 characters. Implement fine-grained password policies requiring 25+ characters for service accounts. Consider reducing the lockout threshold to 3 attempts.
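The domain-object attributes described earlier and the thresholds used in the report recommendation, combined into one added example (not part of this lesson): it decodes the raw LDAP values AD returns for the default policy (durations are negative 100-nanosecond intervals, complexity is a bit in pwdProperties) and audits them against the 14-character and 3-attempt recommendations. The attribute names are the real AD schema names; the sample integers are constructed to match the finding above.

```python
# Added example: decode and audit the default domain password policy
# as stored on the domain object. Sample values below are constructed.
from datetime import timedelta

NEVER_EXPIRES = -0x8000000000000000   # maxPwdAge value meaning "never"
DOMAIN_PASSWORD_COMPLEX = 0x1         # pwdProperties bit: complexity on

def interval_to_timedelta(raw):
    """AD stores durations as negative 100-nanosecond intervals."""
    if raw == 0 or raw == NEVER_EXPIRES:
        return None
    return timedelta(microseconds=abs(raw) // 10)

def decode_policy(attrs):
    """Turn raw LDAP attribute values into readable policy settings."""
    return {
        "min_length": attrs["minPwdLength"],
        "history": attrs["pwdHistoryLength"],
        "complexity": bool(attrs["pwdProperties"] & DOMAIN_PASSWORD_COMPLEX),
        "lockout_threshold": attrs["lockoutThreshold"],      # 0 = no lockout
        "lockout_duration": interval_to_timedelta(attrs["lockoutDuration"]),
        "observation_window": interval_to_timedelta(attrs["lockOutObservationWindow"]),
        "max_age": interval_to_timedelta(attrs["maxPwdAge"]),  # None = never expires
    }

def audit_policy(policy, min_length=14, max_threshold=3):
    """Return findings measured against the report's recommended thresholds."""
    findings = []
    if policy["min_length"] < min_length:
        findings.append(f"minimum length {policy['min_length']} is below {min_length}")
    if not policy["complexity"]:
        findings.append("complexity requirement is disabled")
    if policy["lockout_threshold"] == 0:
        findings.append("no account lockout is configured")
    elif policy["lockout_threshold"] > max_threshold:
        minutes = int(policy["observation_window"].total_seconds() // 60)
        findings.append(f"lockout threshold {policy['lockout_threshold']} exceeds "
                        f"recommended {max_threshold} ({minutes}-minute reset window)")
    if policy["max_age"] is None:
        findings.append("passwords never expire")
    return findings

# Constructed sample: raw integers matching the finding above
# (8 chars, complexity on, 5 attempts / 30-minute reset, 42-day maximum age).
SAMPLE_ATTRS = {
    "minPwdLength": 8, "pwdHistoryLength": 24, "pwdProperties": 1,
    "lockoutThreshold": 5, "lockoutDuration": -18000000000,
    "lockOutObservationWindow": -18000000000, "maxPwdAge": -36288000000000,
}

if __name__ == "__main__":
    for finding in audit_policy(decode_policy(SAMPLE_ATTRS)):
        print("FINDING:", finding)
```

Fine-grained policies (PSOs) live in the Password Settings Container and are not covered by this decoder; a complete audit also reads them, since a strong default can coexist with a weak per-group policy.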