Active directory password policy via LDAP

The following attributes are read from the AD and processed by Airlock IAM in order to apply the password policy. The attributes names are as specified in a msDS-PasswordSettings object. The names in "( )" brackets are the equivalent attributes used on the default domain policy (see below for an explanation of the default domain policy).



msDS-MinimumPasswordAge (minPwdAge)

The minimum amount of time to pass before a password can be changed again.

msDS-MaximumPasswordAge (maxPwdAge)

The maximum amount of time a password is valid before it is enforced to be changed.

msDS-MinimumPasswordLength (minPwdLength)

The minimum required characters a password to be set must have.

msDS-PasswordComplexityEnabled (pwdProperties) 

If enabled, a password must meet three out of the following four requirements:

  • At least one lower case character
  • At least one upper case character
  • At least one digit
  • At least one special character (character that is none of the above)


Resolves ties (order) if multiple policies match for a user (lower values mean higher priority).


DN (distinguished name) to specify to whom the policy applies, e.g. a group of users.

Default domain policy

The default domain policy is the password policy that is applied to all users who do not have a specific policy. A specific policy is an msDS-PasswordSettings object contained in the msDS-PasswordSettingsContainer. The default domain policy is configured on the structural root domain DN of the AD. There is always a default domain policy and the attributes cannot be deleted. If not configured on the user, default values are applied.

Password settings container

Specific password policies are stored as msDS-PasswordSettings objects under the DN of the password settings container. Each specific policy contains one or more msDS-PSOAppliesTo attributes that define DN's, e.g. of a user's group. If a user belongs to such a DN, the policy is applied. If multiple msDS-PasswordSettings refer to a single user, the mandatory msDS-PasswordSettingsPrecedence attribute is used to resolve these ties.